[GH-ISSUE #7112] [Regression 1.35.5+] New SSO user without org membership: 401 on placeholder org policy redirects to /#/login instead of /#/set-initial-password #19390

Closed
opened 2026-04-25 21:56:20 -05:00 by GiteaMirror · 2 comments
Owner

Originally created by @loldark22 on GitHub (Apr 20, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7112

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.7
  • Web-vault version: v2026.2.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 16.3 (Debian 16.3-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: false
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Asia/Seoul
  • Browser/Server Time Check: true
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 5,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "**********://**********************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://********************",
  "domain_origin": "*****://********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": false,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 1825,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "debug",
  "log_timestamp_format": "\"%Y-%m-%d %H:%M:%S.%3f%z\"",
  "login_ratelimit_max_burst": 20,
  "login_ratelimit_seconds": 15,
  "org_attachment_limit": null,
  "org_creation_users": "**********************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "***********",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": true,
  "sso_authority": "*****://***********************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "**********",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile roles",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.7 (regression) / v1.35.4 (last known good)

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Caddy 2.10

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24

Clients

Web Vault, Desktop

Client Version

Web-Vault 2026.2.0 (broken) / 2026.1.1 (last known good) — bundled in the respective server images

Steps To Reproduce

  1. Run vaultwarden/server:1.35.7 (Web-Vault 2026.2.0) with SSO enabled against a Keycloak realm. Relevant env:
    SSO_ENABLED=true
    SSO_ONLY=true
    SSO_AUTHORITY=https://auth.example.local/realms/test
    SSO_AUTHORITY_DISCOVERY=http://keycloak:8080/realms/test
    SSO_ORGANIZATIONS_ENABLED=true
    SSO_ORGANIZATIONS_INVITE_ENABLED=true
    ORGANIZATION_INVITE_AUTO_ACCEPT=true
    SIGNUPS_ALLOWED=false
    SSO_SIGNUPS_MATCH_EMAIL=true
  2. In Keycloak, create a brand-new user who is NOT a member of any Vaultwarden organization and has no pre-existing invitations.
  3. Open an Incognito/Private browser window and go to the web vault.
  4. Click "Enterprise single sign-on", enter the new user's email, authenticate at Keycloak.
  5. Observe: the browser bounces back to /#/login after a brief redirect sequence.
  6. For comparison, downgrade the server image to vaultwarden/server:1.35.4 (Web-Vault 2026.1.1), delete the users + sso_users rows for the test user, and repeat steps 3-4. The browser now correctly lands on /#/set-initial-password?identifier=VW_DUMMY_IDENTIFIER_FOR_OIDC — master password registration screen, as expected.

Expected Result

After successful Keycloak authentication, a new SSO user with no pre-existing organization membership should land on /#/set-initial-password?identifier=VW_DUMMY_IDENTIFIER_FOR_OIDC so they can register their master password and enter their empty vault. This is the behavior on 1.35.4 (Web-Vault 2026.1.1). An admin can then assign them to organizations afterward.

Actual Result

On 1.35.7 (Web-Vault 2026.2.0), after Keycloak auth the web client performs an unauthenticated-like redirect sequence and ends up back at /#/login, making first-time SSO signup impossible. The users row is created in the DB but the user cannot complete master-password setup or enter the vault.

Server-side get_auto_enroll_status returns a random placeholder UUID (via get_uuid()) when the user has no org — unchanged between 1.35.4 and 1.35.7. The subsequent GET /api/organizations/<random-uuid>/policies/master-password returns 401 because the user isn't a member of that (nonexistent) org. The 1.35.4 web-vault client tolerated this and proceeded to /#/set-initial-password; the 2026.2.0 client appears to treat the 401 as a session failure and redirects to login.

The random UUID changes every request (e.g. 0eb7714a-237b-4ce1-bd5f-20bed4137a55 on one attempt, f3abcc31-02fd-4934-9ed5-f1e4136e2281 on the next), confirming it's a placeholder rather than a real-but-inaccessible org.

Logs

# 1.35.7 — failing attempt, test0420@example.com is a brand-new Keycloak user, no DB artifacts
["..."][request] POST /identity/connect/token
["..."][vaultwarden::sso][DEBUG] Authenticated user OIDCAuthenticatedUser { email: "test0420@example.com", email_verified: Some(true), ... }
["..."][vaultwarden::api::identity][INFO] User test0420 logged in successfully. IP: ...
["..."][response] (login) POST /identity/connect/token => 200 OK
["..."][request] GET /api/sync?excludeDomains=true
["..."][response] (sync) GET /api/sync => 200 OK
["..."][request] POST /identity/connect/token
["..."][request] GET /notifications/hub?access_token=...
["..."][response] (websockets_hub) GET /notifications/hub => 200 OK
["..."][response] (login) POST /identity/connect/token => 200 OK
["..."][request] GET /api/sync?excludeDomains=true
["..."][response] (sync) GET /api/sync => 200 OK
["..."][request] GET /api/organizations/VW_DUMMY_IDENTIFIER_FOR_OIDC/auto-enroll-status
["..."][response] (get_auto_enroll_status) => 200 OK
["..."][request] GET /api/organizations/f3abcc31-02fd-4934-9ed5-f1e4136e2281/policies/master-password
["..."][auth][ERROR] Unauthorized Error: The current user isn't member of the organization
["..."][vaultwarden::api::core::organizations::_][WARN] Request guard `OrgMemberHeaders` failed: "The current user isn't member of the organization".
["..."][rocket::server::_][WARN] No 401 catcher registered. Using Rocket default.
["..."][response] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 401 Unauthorized
["..."][request] GET /api/organizations/f3abcc31-02fd-4934-9ed5-f1e4136e2281/policies/master-password  # retry
["..."][response] (get_master_password_policy) => 401 Unauthorized
["..."][request] GET /                                                                # redirect to /#/login
["..."][response] (web_index) GET / => 200 OK

Screenshots or Videos

No response

Additional Context

Relevant server source (unchanged between 1.35.4 and 1.35.7) from `src/api/core/organizations.rs`:

```rust
let (id, identifier, rp_auto_enroll) = match org {
    None => (get_uuid(), identifier.to_string(), false),   // <-- random UUID placeholder for pre-signup users
    Some(org) => (org.uuid.to_string(), org.uuid.to_string(),
                  OrgPolicy::org_is_reset_password_auto_enroll(&org.uuid, &conn).await),
};

Since the server returns a random placeholder UUID, the client's subsequent GET /api/organizations/<id>/policies/master-password is guaranteed to 401. The 2026.1.1 web-vault evidently treated this as "no policy applicable, continue to master-password setup," but 2026.2.0 treats it as a session failure and logs the user out.

Suspected fix direction: either

  • server-side: get_master_password_policy should return a default (disabled) policy with 200 OK when the caller is an authenticated session but not a member of the target org, specifically for the pre-signup placeholder UUID case; OR
  • client-side (web-vault): treat 401 on /api/organizations/<id>/policies/master-password as "no policy to apply, continue" rather than a terminal session failure; OR
  • server-side: return null/empty id in get_auto_enroll_status when no org is found, so the client doesn't attempt the doomed policy lookup.

Related but distinct: #7072 (invited-user stuck in status=0 on 1.35.4). #7072 affects users who ARE invited; this one affects users who are NOT invited to any org. Both are in the broader SSO first-time signup area.

No timshel fork variables (SSO_FRONTEND=override, etc.) are used; pure upstream config.

Originally created by @loldark22 on GitHub (Apr 20, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7112 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.7 * Web-vault version: v2026.2.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 16.3 (Debian 16.3-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: false * Internet access via a proxy: false * DNS Check: true * TZ environment: Asia/Seoul * Browser/Server Time Check: true * Server/NTP Time Check: n/a * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 5, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "**********://**********************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://********************", "domain_origin": "*****://********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": false, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": 1825, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "debug", "log_timestamp_format": "\"%Y-%m-%d %H:%M:%S.%3f%z\"", "login_ratelimit_max_burst": 20, "login_ratelimit_seconds": 15, "org_attachment_limit": null, "org_creation_users": "**********************", "org_events_enabled": true, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "***********", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": true, "sso_authority": "*****://***********************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "**********", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "email profile roles", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.7 (regression) / v1.35.4 (last known good) ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Caddy 2.10 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 24 ### Clients Web Vault, Desktop ### Client Version Web-Vault 2026.2.0 (broken) / 2026.1.1 (last known good) — bundled in the respective server images ### Steps To Reproduce 1. Run `vaultwarden/server:1.35.7` (Web-Vault 2026.2.0) with SSO enabled against a Keycloak realm. Relevant env: SSO_ENABLED=true SSO_ONLY=true SSO_AUTHORITY=https://auth.example.local/realms/test SSO_AUTHORITY_DISCOVERY=http://keycloak:8080/realms/test SSO_ORGANIZATIONS_ENABLED=true SSO_ORGANIZATIONS_INVITE_ENABLED=true ORGANIZATION_INVITE_AUTO_ACCEPT=true SIGNUPS_ALLOWED=false SSO_SIGNUPS_MATCH_EMAIL=true 2. In Keycloak, create a brand-new user who is NOT a member of any Vaultwarden organization and has no pre-existing invitations. 3. Open an Incognito/Private browser window and go to the web vault. 4. Click "Enterprise single sign-on", enter the new user's email, authenticate at Keycloak. 5. Observe: the browser bounces back to `/#/login` after a brief redirect sequence. 6. For comparison, downgrade the server image to `vaultwarden/server:1.35.4` (Web-Vault 2026.1.1), delete the `users` + `sso_users` rows for the test user, and repeat steps 3-4. The browser now correctly lands on `/#/set-initial-password?identifier=VW_DUMMY_IDENTIFIER_FOR_OIDC` — master password registration screen, as expected. ### Expected Result After successful Keycloak authentication, a new SSO user with no pre-existing organization membership should land on `/#/set-initial-password?identifier=VW_DUMMY_IDENTIFIER_FOR_OIDC` so they can register their master password and enter their empty vault. This is the behavior on 1.35.4 (Web-Vault 2026.1.1). An admin can then assign them to organizations afterward. ### Actual Result On 1.35.7 (Web-Vault 2026.2.0), after Keycloak auth the web client performs an unauthenticated-like redirect sequence and ends up back at `/#/login`, making first-time SSO signup impossible. The `users` row is created in the DB but the user cannot complete master-password setup or enter the vault. Server-side `get_auto_enroll_status` returns a random placeholder UUID (via `get_uuid()`) when the user has no org — unchanged between 1.35.4 and 1.35.7. The subsequent `GET /api/organizations/<random-uuid>/policies/master-password` returns 401 because the user isn't a member of that (nonexistent) org. The 1.35.4 web-vault client tolerated this and proceeded to `/#/set-initial-password`; the 2026.2.0 client appears to treat the 401 as a session failure and redirects to login. The random UUID changes every request (e.g. `0eb7714a-237b-4ce1-bd5f-20bed4137a55` on one attempt, `f3abcc31-02fd-4934-9ed5-f1e4136e2281` on the next), confirming it's a placeholder rather than a real-but-inaccessible org. ### Logs ```text # 1.35.7 — failing attempt, test0420@example.com is a brand-new Keycloak user, no DB artifacts ["..."][request] POST /identity/connect/token ["..."][vaultwarden::sso][DEBUG] Authenticated user OIDCAuthenticatedUser { email: "test0420@example.com", email_verified: Some(true), ... } ["..."][vaultwarden::api::identity][INFO] User test0420 logged in successfully. IP: ... ["..."][response] (login) POST /identity/connect/token => 200 OK ["..."][request] GET /api/sync?excludeDomains=true ["..."][response] (sync) GET /api/sync => 200 OK ["..."][request] POST /identity/connect/token ["..."][request] GET /notifications/hub?access_token=... ["..."][response] (websockets_hub) GET /notifications/hub => 200 OK ["..."][response] (login) POST /identity/connect/token => 200 OK ["..."][request] GET /api/sync?excludeDomains=true ["..."][response] (sync) GET /api/sync => 200 OK ["..."][request] GET /api/organizations/VW_DUMMY_IDENTIFIER_FOR_OIDC/auto-enroll-status ["..."][response] (get_auto_enroll_status) => 200 OK ["..."][request] GET /api/organizations/f3abcc31-02fd-4934-9ed5-f1e4136e2281/policies/master-password ["..."][auth][ERROR] Unauthorized Error: The current user isn't member of the organization ["..."][vaultwarden::api::core::organizations::_][WARN] Request guard `OrgMemberHeaders` failed: "The current user isn't member of the organization". ["..."][rocket::server::_][WARN] No 401 catcher registered. Using Rocket default. ["..."][response] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 401 Unauthorized ["..."][request] GET /api/organizations/f3abcc31-02fd-4934-9ed5-f1e4136e2281/policies/master-password # retry ["..."][response] (get_master_password_policy) => 401 Unauthorized ["..."][request] GET / # redirect to /#/login ["..."][response] (web_index) GET / => 200 OK ``` ### Screenshots or Videos _No response_ ### Additional Context ``` Relevant server source (unchanged between 1.35.4 and 1.35.7) from `src/api/core/organizations.rs`: ```rust let (id, identifier, rp_auto_enroll) = match org { None => (get_uuid(), identifier.to_string(), false), // <-- random UUID placeholder for pre-signup users Some(org) => (org.uuid.to_string(), org.uuid.to_string(), OrgPolicy::org_is_reset_password_auto_enroll(&org.uuid, &conn).await), }; ``` Since the server returns a random placeholder UUID, the client's subsequent `GET /api/organizations/<id>/policies/master-password` is guaranteed to 401. The 2026.1.1 web-vault evidently treated this as "no policy applicable, continue to master-password setup," but 2026.2.0 treats it as a session failure and logs the user out. Suspected fix direction: either - server-side: `get_master_password_policy` should return a default (disabled) policy with 200 OK when the caller is an authenticated session but not a member of the target org, specifically for the pre-signup placeholder UUID case; OR - client-side (web-vault): treat 401 on `/api/organizations/<id>/policies/master-password` as "no policy to apply, continue" rather than a terminal session failure; OR - server-side: return null/empty `id` in `get_auto_enroll_status` when no org is found, so the client doesn't attempt the doomed policy lookup. Related but distinct: #7072 (invited-user stuck in status=0 on 1.35.4). #7072 affects users who ARE invited; this one affects users who are NOT invited to any org. Both are in the broader SSO first-time signup area. No timshel fork variables (`SSO_FRONTEND=override`, etc.) are used; pure upstream config. ```
GiteaMirror added the bug label 2026-04-25 21:56:20 -05:00
Author
Owner

@BlackDex commented on GitHub (Apr 20, 2026):

Already fixed via #7097 currently in :testing

<!-- gh-comment-id:4279228573 --> @BlackDex commented on GitHub (Apr 20, 2026): Already fixed via #7097 currently in `:testing`
Author
Owner

@loldark22 commented on GitHub (Apr 20, 2026):

Thank you for your quick confirmation.
If it is released later, we will test it additionally.
Thank you.

<!-- gh-comment-id:4279277975 --> @loldark22 commented on GitHub (Apr 20, 2026): Thank you for your quick confirmation. If it is released later, we will test it additionally. Thank you.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#19390