[PR #7127] Add SSO cookie vendor endpoint for native apps behind auth proxies #23416

New Issue

Open

opened 2026-05-16 06:00:02 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-05-16 06:00:02 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/7127
Author: @nathanmoreton
Created: 4/24/2026
Status: 🔄 Open

Base: main ← Head: feat/sso-cookie-vendor

---

📝 Commits (6)

• 2b79525 Add SSO cookie vendor endpoint for native apps behind authenticating proxies
• 88b0ba0 Merge branch 'dani-garcia:main' into feat/sso-cookie-vendor
• 1fce93b Merge branch 'main' into feat/sso-cookie-vendor
• a2d60c3 Fix fmt and clippy on Rust 1.95
• 6b3d834 Merge branch 'main' into feat/sso-cookie-vendor
• 44e6a21 Merge branch 'main' into feat/sso-cookie-vendor

📊 Changes

5 files changed (+489 additions, -0 deletions)

View changed files

📝 .env.template (+22 -0)
➕ docs/sso-cookie-vendor.md (+180 -0)
📝 src/api/core/mod.rs (+19 -0)
➕ src/api/core/sso_cookie_vendor.rs (+248 -0)
📝 src/config.rs (+20 -0)

📄 Description

Native Bitwarden apps cannot complete login when Vaultwarden sits behind an authenticating reverse proxy (Cloudflare Access, Authentik, Authelia, oauth2-proxy). The proxy redirects API requests to a browser-based IdP flow, which the apps' HTTP clients cannot follow.

Bitwarden addressed this upstream in February 2026 with a flow called SSO cookie vending. The server publishes, through /api/config, a communication.bootstrap block naming the IdP login URL and the cookie the proxy sets. The app opens a system browser for the IdP step, the browser hits /api/sso-cookie-vendor, and the server 302-redirects to bitwarden://sso-cookie-vendor?<name>=<value>&d=1. The app captures the cookie from the deep link and attaches it to every future API request.

Vaultwarden v2026.2.0 shipped the web-vault connector page from clients#18476, but the server side has not landed. This PR adds it.

Changes

• New config section sso_cookie_vendor through the existing make_config! macro: SSO_COOKIE_VENDOR_ENABLED, SSO_COOKIE_VENDOR_IDP_LOGIN_URL, SSO_COOKIE_VENDOR_COOKIE_NAME, SSO_COOKIE_VENDOR_COOKIE_DOMAIN. Startup validation refuses to run when the flag is on but the three string fields are empty.
• GET /api/sso-cookie-vendor reads the proxy auth cookie from the request jar and 302-redirects to the bitwarden:// deep link. Handles sharded cookies (<name>-0 through <name>-19, which Cloudflare Access uses when the JWT exceeds single-cookie size limits), with a non-sharded cookie taking precedence. Missing cookie returns the upstream 404 HTML page; URIs over 8192 bytes return 400. Registered only when the flag is on.
• communication.bootstrap object added to /api/config, matching the shape from upstream PR #6892 so clients pick it up unpatched.
• Unit tests cover single-cookie, sharded-cookie, precedence, URL-encoding, oversize URI, missing-cookie 404, and error HTML format.
• docs/sso-cookie-vendor.md covers the end-to-end flow, security notes, and per-proxy configuration.

Default behavior

SSO_COOKIE_VENDOR_ENABLED defaults to false. Installs without the four env vars set are byte-identical to current behavior.

Upstream references

• bitwarden/server#6880: config infrastructure
• bitwarden/server#6892: expose config in /api/config
• bitwarden/server#6903: endpoint implementation
• bitwarden/clients#18476: web-vault connector page (already in Vaultwarden v2026.2.0)
• bitwarden/clients#19392: client-side cookie acquisition

Test plan

• cargo fmt --check
• cargo clippy --features sqlite -- -D warnings
• cargo test --features sqlite -- sso_cookie_vendor
• Manual: running behind Cloudflare Access with the four env vars set; web vault and native iOS/Android/desktop apps all complete login.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/7127 **Author:** [@nathanmoreton](https://github.com/nathanmoreton) **Created:** 4/24/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `feat/sso-cookie-vendor` --- ### 📝 Commits (6) - [`2b79525`](https://github.com/dani-garcia/vaultwarden/commit/2b79525441a4e2376bde9ebdef850c835e21bc9b) Add SSO cookie vendor endpoint for native apps behind authenticating proxies - [`88b0ba0`](https://github.com/dani-garcia/vaultwarden/commit/88b0ba060ea9f932e1cadd57c602e0aa70aa82c0) Merge branch 'dani-garcia:main' into feat/sso-cookie-vendor - [`1fce93b`](https://github.com/dani-garcia/vaultwarden/commit/1fce93bb682a2f4cf055cbb3a755872dce72bea1) Merge branch 'main' into feat/sso-cookie-vendor - [`a2d60c3`](https://github.com/dani-garcia/vaultwarden/commit/a2d60c352b14d3e2c5f00b06006c95db3c23d495) Fix fmt and clippy on Rust 1.95 - [`6b3d834`](https://github.com/dani-garcia/vaultwarden/commit/6b3d834f5d5188230ef0f9c239df333b5f37a8de) Merge branch 'main' into feat/sso-cookie-vendor - [`44e6a21`](https://github.com/dani-garcia/vaultwarden/commit/44e6a211c11edfa1c8c9b512f2d60d06b4562a79) Merge branch 'main' into feat/sso-cookie-vendor ### 📊 Changes **5 files changed** (+489 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `.env.template` (+22 -0) ➕ `docs/sso-cookie-vendor.md` (+180 -0) 📝 `src/api/core/mod.rs` (+19 -0) ➕ `src/api/core/sso_cookie_vendor.rs` (+248 -0) 📝 `src/config.rs` (+20 -0) </details> ### 📄 Description Native Bitwarden apps cannot complete login when Vaultwarden sits behind an authenticating reverse proxy (Cloudflare Access, Authentik, Authelia, oauth2-proxy). The proxy redirects API requests to a browser-based IdP flow, which the apps' HTTP clients cannot follow. Bitwarden addressed this upstream in February 2026 with a flow called SSO cookie vending. The server publishes, through `/api/config`, a `communication.bootstrap` block naming the IdP login URL and the cookie the proxy sets. The app opens a system browser for the IdP step, the browser hits `/api/sso-cookie-vendor`, and the server 302-redirects to `bitwarden://sso-cookie-vendor?<name>=<value>&d=1`. The app captures the cookie from the deep link and attaches it to every future API request. Vaultwarden v2026.2.0 shipped the web-vault connector page from `clients#18476`, but the server side has not landed. This PR adds it. ## Changes - New config section `sso_cookie_vendor` through the existing `make_config!` macro: `SSO_COOKIE_VENDOR_ENABLED`, `SSO_COOKIE_VENDOR_IDP_LOGIN_URL`, `SSO_COOKIE_VENDOR_COOKIE_NAME`, `SSO_COOKIE_VENDOR_COOKIE_DOMAIN`. Startup validation refuses to run when the flag is on but the three string fields are empty. - `GET /api/sso-cookie-vendor` reads the proxy auth cookie from the request jar and 302-redirects to the `bitwarden://` deep link. Handles sharded cookies (`<name>-0` through `<name>-19`, which Cloudflare Access uses when the JWT exceeds single-cookie size limits), with a non-sharded cookie taking precedence. Missing cookie returns the upstream 404 HTML page; URIs over 8192 bytes return 400. Registered only when the flag is on. - `communication.bootstrap` object added to `/api/config`, matching the shape from upstream PR #6892 so clients pick it up unpatched. - Unit tests cover single-cookie, sharded-cookie, precedence, URL-encoding, oversize URI, missing-cookie 404, and error HTML format. - `docs/sso-cookie-vendor.md` covers the end-to-end flow, security notes, and per-proxy configuration. ## Default behavior `SSO_COOKIE_VENDOR_ENABLED` defaults to `false`. Installs without the four env vars set are byte-identical to current behavior. ## Upstream references - bitwarden/server#6880: config infrastructure - bitwarden/server#6892: expose config in `/api/config` - bitwarden/server#6903: endpoint implementation - bitwarden/clients#18476: web-vault connector page (already in Vaultwarden v2026.2.0) - bitwarden/clients#19392: client-side cookie acquisition ## Test plan - `cargo fmt --check` - `cargo clippy --features sqlite -- -D warnings` - `cargo test --features sqlite -- sso_cookie_vendor` - Manual: running behind Cloudflare Access with the four env vars set; web vault and native iOS/Android/desktop apps all complete login. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-05-16 06:00:02 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.36.0

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#23416