mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-18 18:02:47 -05:00
SSO: error with Authentik #2368
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @tugdualenligne on GitHub (Aug 26, 2025).
Prerequisites
Vaultwarden Support String
Your environment (Generated via diagnostics page)
Config & Details (Generated via diagnostics page)
Show Config & Details
Environment settings which are overridden: SIGNUPS_ALLOWED, ADMIN_TOKEN
Failed HTTP Checks:
Config:
Vaultwarden Build Version
testing
Deployment method
Official Container Image
Custom deployment method
I get the following error while lauching the TEsting docker image and coupling it with an Authentik instance:
Failed to contact token endpoint: Parse(Error { path: Path { segments: [] }, original: Error("Invalid JSON web token: found 5 parts (expected 3)", line: 1, column: 6990) }, [123, 34, 97, 99, 99, 101, 115, 115, 95, 116, 111, 107, 101, 110, 34, 58, 32, 34, 101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, 116, 84, 48, 70, 70, 85, 67, 48, 121, 78, 84, 89, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 106, 85, 50, 81, 48, 74, 68, 76, 85, 104, 84, 78, 84, 69, 121, 73, 105, 119, 105, 97, 50, 108, 107, 73, 106, 111, 105, 78, 122, 73, 48, 78, 87, 81, 52, 78, 106, 99, 48, 77, 50, 81, 51, 77, 68, 73, 52, 90, 68, 82, 107, 79, 87, 85, 121, 77, 68, 81, 50, 78, 84, 85, 119, 79, 87, 70, 104, 90, 71, 77, 105, 76, 67, 74, 48, 101, 88, 65, 105, 79, 105, 74, 75, 86, 48, 85, 105, 102, 81, 46, 104, 86, 103, 66, 120, 51, 86, 101, 50, 53, 68, 118, 71, 101, 103, 85, 76, 51, 77, 107, 65, 120, 56, 98, 88, 78, 73, 49, 55, 74, 104, 95, 82, 83, 68, 106, 102, 118, 122, 66, 115, 100, 57, 80, 83, 48, 50, 51, 97, 112, 54, 112, 105, 115, 99, 90, 77, 117,
Reverse Proxy
traefik latest version (3.5 if my memory's good)
Host/Server Operating System
Linux
Operating System Version
Debian Trixie is a VM where the Docker daemon is running
Clients
Web Vault
Client Version
No response
Steps To Reproduce
I follow this guide: https://integrations.goauthentik.io/security/vaultwarden/
and set up like this within the docker-compose:
## SSO with Authentik
SSO_ENABLED: 'true'
SSO_AUTHORITY: https://auth.domain.fr/application/o/vaultwarden/
SSO_CLIENT_ID: XXXX
SSO_CLIENT_SECRET: XXXXX
SSO_SCOPES: "openid email profile offline_access"
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: 'false'
SSO_CLIENT_CACHE_EXPIRATION: 0
SSO_ONLY: 'false'
SSO_SIGNUPS_MATCH_EMAIL: 'true'
Expected Result
I should login using Authentik SSO
Actual Result
Error msg:
Failed to contact token endpoint: Parse(Error { path: Path { segments: [] }, original: Error("Invalid JSON web token: found 5 parts (expected 3)", line: 1, column: 6990) }, [123, 34, 97, 99, 99, 101, 115, 115, 95, 116, 111, 107, 101, 110, 34, 58, 32, 34, 101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, 116, 84, 48, 70, 70, 85, 67, 48, 121, 78, 84, 89, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 106, 85, 50, 81, 48, 74, 68, 76, 85, 104, 84, 78, 84, 69, 121, 73, 105, 119, 105, 97, 50, 108, 107, 73, 106, 111, 105, 78, 122, 73, 48, 78, 87, 81, 52, 78, 106, 99, 48, 77, 50, 81, 51, 77, 68, 73, 52, 90, 68, 82, 107, 79, 87, 85, 121, 77, 68, 81, 50, 78, 84, 85, 119, 79, 87, 70, 104, 90, 71, 77, 105, 76, 67, 74, 48, 101, 88, 65, 105, 79, 105, 74, 75, 86, 48, 85, 105, 102, 81, 46, 104, 86, 103, 66, 120, 51, 86, 101, 50, 53, 68, 118, 71, 101, 103, 85, 76, 51, 77, 107, 65, 120, 56, 98, 88, 78, 73, 49, 55, 74, 104, 95, 82, 83, 68, 106, 102, 118, 122, 66, 115, 100, 57, 80, 83, 48, 50, 51, 97, 112, 54, 112, 105, 115, 99, 90, 77, 117,
Logs
Screenshots or Videos
No response
Additional Context
No response
@AdriSchmi commented on GitHub (Aug 29, 2025):
Authentik works i have it running but when i change the username in Vaultwarden and have the toggle SSO_SIGNUPS_MATCH_EMAIL on false the user is after the change no longer a sso user. @tugdualenligne did you set this in authentik?
@tugdualenligne commented on GitHub (Aug 29, 2025):
Thx for your msg
Yes, sir, I do have this setting in my Authentik provider for Vaultwarden
Not sure though of your 1st part of comment: I never changed from true to false, it is and has always been set at true
Would you mind sharing screen shots of your Authentik config for Vaultwarden? (Obfuscating the ID and secret of course)
@Timshel commented on GitHub (Sep 1, 2025):
Hey,
Can you check that you can access the
https://auth.domain.fr/application/o/vaultwarden/.well-known/openid-configurationfrom inside the container ?Other issue which was encountered is that in the configuration the
id_token_signing_alg_values_supportedreturn onlyHS256(RS256is mandatory per the spec). If that's the case you can edit the signing key and save it again: https://github.com/Timshel/vaultwarden/issues/107#issuecomment-3200007338@tugdualenligne commented on GitHub (Sep 1, 2025):
Thanks for your message
I get an HTTP 200 so it works within the container
I have already a signing key affected, I tried with another one, doesn't change anything
Any other idea welcome! Many thanks
@jankirsten commented on GitHub (Sep 2, 2025):
I got stuck at the exact same error message. It can be also fixed by changing the provider config in Authentik:
Explanation:
Vaultwarden/the underlying library seems to expect a 3 part JSON Web Token. The error message contains the token Vaultwarden obtains from Authentik. When you decode the complete token (decimal -> ASCII) you can see the access token provided by Authentik consists of five parts (delimited by .). This format format is used for encrypted tokens (JWE). When you deselect the Encryption Key in Authenik, JWTs are only signed (JWS) and can be processed by Vaultwarden.
@tugdualenligne commented on GitHub (Sep 2, 2025):
U're the man! It works. I can now authenticate through Authentik and then
open my vault, many thanks.
We'll need to update the Vaultwarden and Authentik configurations
documentation about that specificity (I'll try contact the Authentik team)
@Timshel commented on GitHub (Sep 2, 2025):
Sorry for the previous message I had missed that the parse error was not on the discovery but on the parsing of the token itself 😅.
I have updated the wiki with both troubleshooting tips: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#troubleshooting