[GH-ISSUE #7086] Unable to automatically register and log in to accounts via SSO after versions 1.35.5/1.35.6 #30098

Closed
opened 2026-06-17 09:49:20 -05:00 by GiteaMirror · 22 comments
Owner

Originally created by @TacKana on GitHub (Apr 13, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7086

Prerequisites

Vaultwarden Support String

`### Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.6
  • Web-vault version: v2026.2.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 18.3 (Debian 18.3-1.pgdg13+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-19) 14.2.0, 64-bit
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: false
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "**********://*************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://***********************",
  "domain_origin": "*****://***********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": true,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "BitwardenFee计划",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 200000,
  "org_creation_users": "****",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://api.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": true,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "LOGIN",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*****************",
  "smtp_from_name": "***************",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*****************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://****************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://****************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "********************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "openid profile email",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 90,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 100000,
  "user_send_limit": 100000,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.6

Deployment method

Official Container Image

Custom deployment method

services:
postgres:
container_name: ${SERVER_NAME}-postgres
image: postgres:18
restart: always
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
interval: 10s
timeout: 5s
retries: 5
start_period: 30s
environment:
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_DB: ${POSTGRES_DB}
POSTGRES_USER: ${POSTGRES_USER}
volumes:
- pg_data:/var/lib/postgresql
- /etc/localtime:/etc/localtime:ro
ports:
- "${POSTGRES_PORT}:5432"
networks:
- vaultwarden_net # 使用固定名称
labels:
createdBy: "Apps"
vaultwarden:
container_name: ${SERVER_NAME}
image: vaultwarden/server:latest
depends_on:
postgres:
condition: service_healthy
environment:
- ROCKET_PORT=8080
- DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres/${POSTGRES_DB}
- ADMIN_TOKEN=${ADMIN_TOKEN}
- PUSH_ENABLED=true
- PUSH_INSTALLATION_ID=${PUSH_INSTALLATION_ID}
- PUSH_INSTALLATION_KEY=${PUSH_INSTALLATION_KEY}
- PUSH_RELAY_URI=https://api.bitwarden.eu
- PUSH_IDENTITY_URI=https://identity.bitwarden.eu
ports:
- 127.0.0.1:${VAULTWARDEN_PORT}:8080
volumes:
- vw_data:/data
restart: always
networks:
- vaultwarden_net

networks:
vaultwarden_net:
driver: bridge
name: ${SERVER_NAME}_net #

volumes:
pg_data:
name: ${SERVER_NAME}_pg_data
vw_data:
name: ${SERVER_NAME}_vw_data

Reverse Proxy

1panel/openresty:1.27.1.2-5-1-focal

Host/Server Operating System

Linux

Operating System Version

Debian GNU/Linux 13

Clients

Web Vault

Client Version

Web Installed 2026.2.0

Steps To Reproduce

I don't know

Expected Result

Normal login and registration via SSO

Actual Result

Before version 1.35.5, users were able to register and log in to their accounts via SSO on their own. However, after version 1.35.5, when users log in or register an account through SSO, an error prompt without detailed information briefly appears in the upper right corner of the page after redirection, and then the page redirects to the login page. I consider this a BUG, as I did not make any configuration changes from version 1.35.4 to 1.35.5/6; I only updated the Vaultwarden version to 1.35.5/6.
The detailed information generated is as follows

Logs

`[2026-04-13 03:52:58.841][vaultwarden][INFO] Vaultwarden process exited!
/--------------------------------------------------------------------\
|                        Starting Vaultwarden                        |
|                           Version 1.35.6                           |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://github.com/dani-garcia/vaultwarden/discussions or        |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/

[INFO] Using saved config from `data/config.json` for configuration.

[WARNING] The following environment variables are being overridden by the config.json file.
[WARNING] Please use the admin panel to make changes to them:
[WARNING] ADMIN_TOKEN

[2026-04-13 03:53:20.975][vaultwarden::util][WARN] Can't connect to database, retrying: DieselCon.
[CAUSE] BadConnection(
    "connection to server at \"postgres\" (172.19.0.3), port 5432 failed: Connection refused\n\tIs the server running on that host and accepting TCP/IP connections?\n",
)
[2026-04-13 03:53:22.667][start][INFO] Rocket has launched from http://0.0.0.0:8080
[2026-04-13 03:53:32.077][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 03:53:32.077][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 82.152.160.7
[2026-04-13 03:53:32.079][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 03:53:41.983][request][INFO] GET /api/config
[2026-04-13 03:53:41.985][response][INFO] (config) GET /api/config => 200 OK
[2026-04-13 03:53:42.040][request][INFO] GET /api/accounts/revision-date
[2026-04-13 03:53:42.077][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2026-04-13 03:53:43.121][request][INFO] GET /icons/111.170.14.12/icon.png
[2026-04-13 03:53:43.124][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:53:48.886][request][INFO] GET /admin
[2026-04-13 03:53:48.897][response][INFO] (admin_page) GET /admin/ => 200 OK
[2026-04-13 03:54:22.271][request][INFO] GET /api/devices/knowndevice
[2026-04-13 03:54:22.274][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2026-04-13 03:54:25.854][request][INFO] GET /icons/bitwarden-free.xuxo.top/icon.png
[2026-04-13 03:54:25.856][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:54:25.904][request][INFO] GET /icons/puff.xuxo.top/icon.png
[2026-04-13 03:54:25.905][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:54:26.267][request][INFO] GET /icons/blog.xuxo.top/icon.png
[2026-04-13 03:54:26.269][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:54:26.298][request][INFO] GET /icons/casdoor.xuxo.top/icon.png
[2026-04-13 03:54:26.298][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:54:26.320][request][INFO] GET /icons/n8n.xuxo.top/icon.png
[2026-04-13 03:54:26.321][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:54:57.886][request][INFO] GET /api/config
[2026-04-13 03:54:57.886][response][INFO] (config) GET /api/config => 200 OK
[2026-04-13 03:55:08.236][request][INFO] GET /api/config
[2026-04-13 03:55:08.236][response][INFO] (config) GET /api/config => 200 OK
[2026-04-13 03:55:19.200][request][INFO] GET /api/config
[2026-04-13 03:55:19.200][response][INFO] (config) GET /api/config => 200 OK
[2026-04-13 03:55:27.790][request][INFO] GET /api/devices/knowndevice
[2026-04-13 03:55:27.796][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2026-04-13 03:55:31.073][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 03:55:31.073][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 174.172.133.78
[2026-04-13 03:55:31.073][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 03:55:31.729][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 03:55:31.730][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 216.98.252.249
[2026-04-13 03:55:31.730][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 03:55:31.785][request][INFO] POST /api/organizations/domain/sso/verified
[2026-04-13 03:55:31.795][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK
[2026-04-13 03:55:31.871][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER
[2026-04-13 03:55:31.877][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2026-04-13 03:55:31.979][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2026-04-13 03:55:42.221][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2026-04-13 03:55:49.419][request][INFO] POST /api/organizations/domain/sso/verified
[2026-04-13 03:55:49.420][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK
[2026-04-13 03:55:49.778][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER
[2026-04-13 03:55:49.782][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2026-04-13 03:55:50.170][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2026-04-13 03:56:07.108][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2026-04-13 03:56:20.855][request][INFO] GET /identity/connect/oidc-signin?code=89bf9bf37156852e0c5b&stat
[2026-04-13 03:56:20.859][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2026-04-13 03:56:26.599][request][INFO] POST /identity/connect/token
[2026-04-13 03:56:35.522][vaultwarden::api::notifications][INFO] Closing WS connection from 216.98.252.249
[2026-04-13 03:56:36.838][vaultwarden::api::identity][INFO] User tausak logged in successfully. IP: 82.152.160.7
[2026-04-13 03:56:36.838][response][INFO] (login) POST /identity/connect/token => 200 OK
[2026-04-13 03:56:37.065][request][INFO] GET /api/sync?excludeDomains=true
[2026-04-13 03:56:37.113][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2026-04-13 03:56:37.671][request][INFO] POST /identity/connect/token
[2026-04-13 03:56:38.644][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 03:56:38.644][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 82.152.160.7
[2026-04-13 03:56:38.645][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 03:56:42.296][response][INFO] (login) POST /identity/connect/token => 200 OK
[2026-04-13 03:56:42.525][request][INFO] GET /api/sync?excludeDomains=true
[2026-04-13 03:56:42.542][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2026-04-13 03:56:42.772][request][INFO] GET /api/organizations/VW_DUMMY_IDENTIFIER_FOR_OIDC/auto-enroll-status
[2026-04-13 03:56:42.775][response][INFO] (get_auto_enroll_status) GET /api/organizations/<identifier>/auto-enroll-status => 200 OK
[2026-04-13 03:56:42.983][request][INFO] GET /api/organizations/5ef59563-ae98-4b48-ba62-097a3eeecc61/policies/master-password
[2026-04-13 03:56:42.986][auth][ERROR] Unauthorized Error: The current user isn't member of the organization
[2026-04-13 03:56:42.986][vaultwarden::api::core::organizations::_][WARN] Request guard `OrgMemberHeaders` failed: "The current user isn't member of the organization".
[2026-04-13 03:56:42.986][response][INFO] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 401 Unauthorized
[2026-04-13 03:56:43.195][request][INFO] GET /api/organizations/5ef59563-ae98-4b48-ba62-097a3eeecc61/policies/master-password
[2026-04-13 03:56:43.197][auth][ERROR] Unauthorized Error: The current user isn't member of the organization
[2026-04-13 03:56:43.197][vaultwarden::api::core::organizations::_][WARN] Request guard `OrgMemberHeaders` failed: "The current user isn't member of the organization".
[2026-04-13 03:56:43.197][response][INFO] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 401 Unauthorized
[2026-04-13 03:56:43.428][vaultwarden::api::notifications][INFO] Closing WS connection from 82.152.160.7
[2026-04-13 03:56:46.601][vaultwarden::api::notifications][INFO] Closing WS connection from 174.172.133.78
[2026-04-13 03:56:47.437][request][INFO] GET /api/config
[2026-04-13 03:56:47.437][response][INFO] (config) GET /api/config => 200 OK
[2026-04-13 03:56:48.393][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 03:56:48.393][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 174.172.133.78
[2026-04-13 03:56:48.394][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 03:56:50.089][request][INFO] GET /api/devices/knowndevice
[2026-04-13 03:56:50.091][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2026-04-13 03:56:56.045][request][INFO] GET /admin
[2026-04-13 03:56:56.045][response][INFO] (admin_page_login) GET /admin/ [2] => 200 OK
[2026-04-13 03:56:56.885][vaultwarden::api::web][ERROR] Static file not found: bootstrap.css.map
[2026-04-13 03:56:56.889][vaultwarden::api::web][ERROR] Static file not found: bootstrap.bundle.js.map
[2026-04-13 03:56:58.411][request][INFO] GET /icons/puff.xuxo.top/icon.png
[2026-04-13 03:56:58.412][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:56:58.561][request][INFO] GET /icons/bitwarden-free.xuxo.top/icon.png
[2026-04-13 03:56:58.561][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:56:58.608][request][INFO] GET /icons/blog.xuxo.top/icon.png
[2026-04-13 03:56:58.612][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:56:58.801][request][INFO] GET /icons/n8n.xuxo.top/icon.png
[2026-04-13 03:56:58.801][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:56:58.873][request][INFO] GET /icons/casdoor.xuxo.top/icon.png
[2026-04-13 03:56:58.873][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2026-04-13 03:57:00.332][request][INFO] POST /admin
[2026-04-13 03:57:00.529][response][INFO] (post_admin_login) POST /admin/ application/x-www-form-urlencoded => 200 OK
[2026-04-13 03:57:04.095][request][INFO] GET /api/config
[2026-04-13 03:57:04.095][response][INFO] (config) GET /api/config => 200 OK
[2026-04-13 03:57:04.724][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 03:57:04.724][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 103.142.140.227
[2026-04-13 03:57:04.724][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 03:57:55.675][vaultwarden::api::notifications][INFO] Closing WS connection from 174.172.133.78
[2026-04-13 03:58:09.369][vaultwarden::api::notifications][INFO] Closing WS connection from 103.142.140.227
[2026-04-13 03:59:37.125][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 03:59:37.126][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 216.98.252.249
[2026-04-13 03:59:37.128][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 03:59:57.635][request][INFO] GET /admin/diagnostics
[2026-04-13 04:00:00.914][vaultwarden::api::notifications][INFO] Closing WS connection from 216.98.252.249
[2026-04-13 04:00:07.676][vaultwarden::api::admin][WARN] Unable to parse latest web-vault version '-': unexpected character '-' while parsing major version number
[2026-04-13 04:00:07.678][response][INFO] (diagnostics) GET /admin/diagnostics => 200 OK
[2026-04-13 04:00:14.562][request][INFO] GET /api/config
[2026-04-13 04:00:14.562][response][INFO] (config) GET /api/config => 200 OK
[2026-04-13 04:00:14.876][request][INFO] GET /admin/does-not-exist
[2026-04-13 04:00:14.877][response][INFO] (web_files) GET /<p..> [10] => 404 Not Found
[2026-04-13 04:00:15.046][request][INFO] GET /admin/diagnostics/http?code=404
[2026-04-13 04:00:15.047][vaultwarden::api::admin][ERROR] Testing error 404 response
[2026-04-13 04:00:15.047][response][INFO] (get_diagnostics_http) GET /admin/diagnostics/http?<code> => 404 Not Found
[2026-04-13 04:00:15.217][request][INFO] GET /admin/diagnostics/http?code=400
[2026-04-13 04:00:15.217][vaultwarden::api::admin][ERROR] Testing error 400 response
[2026-04-13 04:00:15.217][response][INFO] (get_diagnostics_http) GET /admin/diagnostics/http?<code> => 400 Bad Request
[2026-04-13 04:00:15.391][request][INFO] GET /admin/diagnostics/http?code=401
[2026-04-13 04:00:15.391][vaultwarden::api::admin][ERROR] Testing error 401 response
[2026-04-13 04:00:15.391][response][INFO] (get_diagnostics_http) GET /admin/diagnostics/http?<code> => 401 Unauthorized
[2026-04-13 04:00:15.560][request][INFO] GET /admin/diagnostics/http?code=403
[2026-04-13 04:00:15.561][vaultwarden::api::admin][ERROR] Testing error 403 response
[2026-04-13 04:00:15.561][response][INFO] (get_diagnostics_http) GET /admin/diagnostics/http?<code> => 403 Forbidden
[2026-04-13 04:00:21.645][request][INFO] GET /admin/diagnostics/config
[2026-04-13 04:00:21.646][response][INFO] (get_diagnostics_config) GET /admin/diagnostics/config application/json => 200 OK
[2026-04-13 04:01:20.350][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 04:01:20.350][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 174.172.133.78
[2026-04-13 04:01:20.350][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 04:01:30.110][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 04:01:30.110][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 216.98.252.249
[2026-04-13 04:01:30.111][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 04:02:36.620][vaultwarden::api::notifications][INFO] Closing WS connection from 216.98.252.249
[2026-04-13 04:02:40.587][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 04:02:40.587][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 103.142.140.227
[2026-04-13 04:02:40.587][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 04:03:45.251][request][INFO] GET /api/config
[2026-04-13 04:03:45.251][response][INFO] (config) GET /api/config => 200 OK
[2026-04-13 04:04:28.048][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-04-13 04:04:28.048][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 216.98.252.249
[2026-04-13 04:04:28.049][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-04-13 04:06:08.193][request][INFO] GET /api/config
[2026-04-13 04:06:08.193][response][INFO] (config) GET /api/config => 200 OK
[2026-04-13 04:06:22.894][request][INFO] GET /api/config
[2026-04-13 04:06:22.894][response][INFO] (config) GET /api/config => 200 OK`

Screenshots or Videos

No response

Additional Context

主机名称: localhost
发行版本: Debian GNU/Linux 13
内核版本: 6.12.74+deb13+1-cloud-amd64
系统类型: x86_64
主机地址: *********
启动时间: 2026-04-13 11:53:07
运行时间: 15分钟 49秒

Originally created by @TacKana on GitHub (Apr 13, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7086 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String `### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.6 * Web-vault version: v2026.2.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 18.3 (Debian 18.3-1.pgdg13+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-19) 14.2.0, 64-bit * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Forwarded-For) * Internet access: false * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: n/a * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: false * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "**********://*************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://***********************", "domain_origin": "*****://***********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": true, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "BitwardenFee计划", "invitations_allowed": true, "ip_header": "X-Forwarded-For", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": 200000, "org_creation_users": "****", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.eu", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://api.bitwarden.eu", "reload_templates": false, "require_device_email": true, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": "LOGIN", "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*****************", "smtp_from_name": "***************", "smtp_host": "********************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "*****************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://****************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://****************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "********************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "openid profile email", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 90, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 100000, "user_send_limit": 100000, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.6 ### Deployment method Official Container Image ### Custom deployment method services: postgres: container_name: ${SERVER_NAME}-postgres image: postgres:18 restart: always healthcheck: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"] interval: 10s timeout: 5s retries: 5 start_period: 30s environment: POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} POSTGRES_DB: ${POSTGRES_DB} POSTGRES_USER: ${POSTGRES_USER} volumes: - pg_data:/var/lib/postgresql - /etc/localtime:/etc/localtime:ro ports: - "${POSTGRES_PORT}:5432" networks: - vaultwarden_net # 使用固定名称 labels: createdBy: "Apps" vaultwarden: container_name: ${SERVER_NAME} image: vaultwarden/server:latest depends_on: postgres: condition: service_healthy environment: - ROCKET_PORT=8080 - DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres/${POSTGRES_DB} - ADMIN_TOKEN=${ADMIN_TOKEN} - PUSH_ENABLED=true - PUSH_INSTALLATION_ID=${PUSH_INSTALLATION_ID} - PUSH_INSTALLATION_KEY=${PUSH_INSTALLATION_KEY} - PUSH_RELAY_URI=https://api.bitwarden.eu - PUSH_IDENTITY_URI=https://identity.bitwarden.eu ports: - 127.0.0.1:${VAULTWARDEN_PORT}:8080 volumes: - vw_data:/data restart: always networks: - vaultwarden_net networks: vaultwarden_net: driver: bridge name: ${SERVER_NAME}_net # volumes: pg_data: name: ${SERVER_NAME}_pg_data vw_data: name: ${SERVER_NAME}_vw_data ### Reverse Proxy 1panel/openresty:1.27.1.2-5-1-focal ### Host/Server Operating System Linux ### Operating System Version Debian GNU/Linux 13 ### Clients Web Vault ### Client Version Web Installed 2026.2.0 ### Steps To Reproduce I don't know ### Expected Result Normal login and registration via SSO ### Actual Result Before version 1.35.5, users were able to register and log in to their accounts via SSO on their own. However, after version 1.35.5, when users log in or register an account through SSO, an error prompt without detailed information briefly appears in the upper right corner of the page after redirection, and then the page redirects to the login page. I consider this a BUG, as I did not make any configuration changes from version 1.35.4 to 1.35.5/6; I only updated the Vaultwarden version to 1.35.5/6. The detailed information generated is as follows ### Logs ```text `[2026-04-13 03:52:58.841][vaultwarden][INFO] Vaultwarden process exited! /--------------------------------------------------------------------\ | Starting Vaultwarden | | Version 1.35.6 | |--------------------------------------------------------------------| | This is an *unofficial* Bitwarden implementation, DO NOT use the | | official channels to report bugs/features, regardless of client. | | Send usage/configuration questions or feature requests to: | | https://github.com/dani-garcia/vaultwarden/discussions or | | https://vaultwarden.discourse.group/ | | Report suspected bugs/issues in the software itself at: | | https://github.com/dani-garcia/vaultwarden/issues/new | \--------------------------------------------------------------------/ [INFO] Using saved config from `data/config.json` for configuration. [WARNING] The following environment variables are being overridden by the config.json file. [WARNING] Please use the admin panel to make changes to them: [WARNING] ADMIN_TOKEN [2026-04-13 03:53:20.975][vaultwarden::util][WARN] Can't connect to database, retrying: DieselCon. [CAUSE] BadConnection( "connection to server at \"postgres\" (172.19.0.3), port 5432 failed: Connection refused\n\tIs the server running on that host and accepting TCP/IP connections?\n", ) [2026-04-13 03:53:22.667][start][INFO] Rocket has launched from http://0.0.0.0:8080 [2026-04-13 03:53:32.077][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 03:53:32.077][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 82.152.160.7 [2026-04-13 03:53:32.079][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 03:53:41.983][request][INFO] GET /api/config [2026-04-13 03:53:41.985][response][INFO] (config) GET /api/config => 200 OK [2026-04-13 03:53:42.040][request][INFO] GET /api/accounts/revision-date [2026-04-13 03:53:42.077][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2026-04-13 03:53:43.121][request][INFO] GET /icons/111.170.14.12/icon.png [2026-04-13 03:53:43.124][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:53:48.886][request][INFO] GET /admin [2026-04-13 03:53:48.897][response][INFO] (admin_page) GET /admin/ => 200 OK [2026-04-13 03:54:22.271][request][INFO] GET /api/devices/knowndevice [2026-04-13 03:54:22.274][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2026-04-13 03:54:25.854][request][INFO] GET /icons/bitwarden-free.xuxo.top/icon.png [2026-04-13 03:54:25.856][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:54:25.904][request][INFO] GET /icons/puff.xuxo.top/icon.png [2026-04-13 03:54:25.905][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:54:26.267][request][INFO] GET /icons/blog.xuxo.top/icon.png [2026-04-13 03:54:26.269][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:54:26.298][request][INFO] GET /icons/casdoor.xuxo.top/icon.png [2026-04-13 03:54:26.298][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:54:26.320][request][INFO] GET /icons/n8n.xuxo.top/icon.png [2026-04-13 03:54:26.321][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:54:57.886][request][INFO] GET /api/config [2026-04-13 03:54:57.886][response][INFO] (config) GET /api/config => 200 OK [2026-04-13 03:55:08.236][request][INFO] GET /api/config [2026-04-13 03:55:08.236][response][INFO] (config) GET /api/config => 200 OK [2026-04-13 03:55:19.200][request][INFO] GET /api/config [2026-04-13 03:55:19.200][response][INFO] (config) GET /api/config => 200 OK [2026-04-13 03:55:27.790][request][INFO] GET /api/devices/knowndevice [2026-04-13 03:55:27.796][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2026-04-13 03:55:31.073][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 03:55:31.073][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 174.172.133.78 [2026-04-13 03:55:31.073][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 03:55:31.729][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 03:55:31.730][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 216.98.252.249 [2026-04-13 03:55:31.730][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 03:55:31.785][request][INFO] POST /api/organizations/domain/sso/verified [2026-04-13 03:55:31.795][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK [2026-04-13 03:55:31.871][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER [2026-04-13 03:55:31.877][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK [2026-04-13 03:55:31.979][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt [2026-04-13 03:55:42.221][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect [2026-04-13 03:55:49.419][request][INFO] POST /api/organizations/domain/sso/verified [2026-04-13 03:55:49.420][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK [2026-04-13 03:55:49.778][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER [2026-04-13 03:55:49.782][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK [2026-04-13 03:55:50.170][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt [2026-04-13 03:56:07.108][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect [2026-04-13 03:56:20.855][request][INFO] GET /identity/connect/oidc-signin?code=89bf9bf37156852e0c5b&stat [2026-04-13 03:56:20.859][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect [2026-04-13 03:56:26.599][request][INFO] POST /identity/connect/token [2026-04-13 03:56:35.522][vaultwarden::api::notifications][INFO] Closing WS connection from 216.98.252.249 [2026-04-13 03:56:36.838][vaultwarden::api::identity][INFO] User tausak logged in successfully. IP: 82.152.160.7 [2026-04-13 03:56:36.838][response][INFO] (login) POST /identity/connect/token => 200 OK [2026-04-13 03:56:37.065][request][INFO] GET /api/sync?excludeDomains=true [2026-04-13 03:56:37.113][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2026-04-13 03:56:37.671][request][INFO] POST /identity/connect/token [2026-04-13 03:56:38.644][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 03:56:38.644][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 82.152.160.7 [2026-04-13 03:56:38.645][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 03:56:42.296][response][INFO] (login) POST /identity/connect/token => 200 OK [2026-04-13 03:56:42.525][request][INFO] GET /api/sync?excludeDomains=true [2026-04-13 03:56:42.542][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2026-04-13 03:56:42.772][request][INFO] GET /api/organizations/VW_DUMMY_IDENTIFIER_FOR_OIDC/auto-enroll-status [2026-04-13 03:56:42.775][response][INFO] (get_auto_enroll_status) GET /api/organizations/<identifier>/auto-enroll-status => 200 OK [2026-04-13 03:56:42.983][request][INFO] GET /api/organizations/5ef59563-ae98-4b48-ba62-097a3eeecc61/policies/master-password [2026-04-13 03:56:42.986][auth][ERROR] Unauthorized Error: The current user isn't member of the organization [2026-04-13 03:56:42.986][vaultwarden::api::core::organizations::_][WARN] Request guard `OrgMemberHeaders` failed: "The current user isn't member of the organization". [2026-04-13 03:56:42.986][response][INFO] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 401 Unauthorized [2026-04-13 03:56:43.195][request][INFO] GET /api/organizations/5ef59563-ae98-4b48-ba62-097a3eeecc61/policies/master-password [2026-04-13 03:56:43.197][auth][ERROR] Unauthorized Error: The current user isn't member of the organization [2026-04-13 03:56:43.197][vaultwarden::api::core::organizations::_][WARN] Request guard `OrgMemberHeaders` failed: "The current user isn't member of the organization". [2026-04-13 03:56:43.197][response][INFO] (get_master_password_policy) GET /api/organizations/<org_id>/policies/master-password => 401 Unauthorized [2026-04-13 03:56:43.428][vaultwarden::api::notifications][INFO] Closing WS connection from 82.152.160.7 [2026-04-13 03:56:46.601][vaultwarden::api::notifications][INFO] Closing WS connection from 174.172.133.78 [2026-04-13 03:56:47.437][request][INFO] GET /api/config [2026-04-13 03:56:47.437][response][INFO] (config) GET /api/config => 200 OK [2026-04-13 03:56:48.393][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 03:56:48.393][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 174.172.133.78 [2026-04-13 03:56:48.394][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 03:56:50.089][request][INFO] GET /api/devices/knowndevice [2026-04-13 03:56:50.091][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2026-04-13 03:56:56.045][request][INFO] GET /admin [2026-04-13 03:56:56.045][response][INFO] (admin_page_login) GET /admin/ [2] => 200 OK [2026-04-13 03:56:56.885][vaultwarden::api::web][ERROR] Static file not found: bootstrap.css.map [2026-04-13 03:56:56.889][vaultwarden::api::web][ERROR] Static file not found: bootstrap.bundle.js.map [2026-04-13 03:56:58.411][request][INFO] GET /icons/puff.xuxo.top/icon.png [2026-04-13 03:56:58.412][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:56:58.561][request][INFO] GET /icons/bitwarden-free.xuxo.top/icon.png [2026-04-13 03:56:58.561][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:56:58.608][request][INFO] GET /icons/blog.xuxo.top/icon.png [2026-04-13 03:56:58.612][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:56:58.801][request][INFO] GET /icons/n8n.xuxo.top/icon.png [2026-04-13 03:56:58.801][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:56:58.873][request][INFO] GET /icons/casdoor.xuxo.top/icon.png [2026-04-13 03:56:58.873][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2026-04-13 03:57:00.332][request][INFO] POST /admin [2026-04-13 03:57:00.529][response][INFO] (post_admin_login) POST /admin/ application/x-www-form-urlencoded => 200 OK [2026-04-13 03:57:04.095][request][INFO] GET /api/config [2026-04-13 03:57:04.095][response][INFO] (config) GET /api/config => 200 OK [2026-04-13 03:57:04.724][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 03:57:04.724][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 103.142.140.227 [2026-04-13 03:57:04.724][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 03:57:55.675][vaultwarden::api::notifications][INFO] Closing WS connection from 174.172.133.78 [2026-04-13 03:58:09.369][vaultwarden::api::notifications][INFO] Closing WS connection from 103.142.140.227 [2026-04-13 03:59:37.125][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 03:59:37.126][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 216.98.252.249 [2026-04-13 03:59:37.128][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 03:59:57.635][request][INFO] GET /admin/diagnostics [2026-04-13 04:00:00.914][vaultwarden::api::notifications][INFO] Closing WS connection from 216.98.252.249 [2026-04-13 04:00:07.676][vaultwarden::api::admin][WARN] Unable to parse latest web-vault version '-': unexpected character '-' while parsing major version number [2026-04-13 04:00:07.678][response][INFO] (diagnostics) GET /admin/diagnostics => 200 OK [2026-04-13 04:00:14.562][request][INFO] GET /api/config [2026-04-13 04:00:14.562][response][INFO] (config) GET /api/config => 200 OK [2026-04-13 04:00:14.876][request][INFO] GET /admin/does-not-exist [2026-04-13 04:00:14.877][response][INFO] (web_files) GET /<p..> [10] => 404 Not Found [2026-04-13 04:00:15.046][request][INFO] GET /admin/diagnostics/http?code=404 [2026-04-13 04:00:15.047][vaultwarden::api::admin][ERROR] Testing error 404 response [2026-04-13 04:00:15.047][response][INFO] (get_diagnostics_http) GET /admin/diagnostics/http?<code> => 404 Not Found [2026-04-13 04:00:15.217][request][INFO] GET /admin/diagnostics/http?code=400 [2026-04-13 04:00:15.217][vaultwarden::api::admin][ERROR] Testing error 400 response [2026-04-13 04:00:15.217][response][INFO] (get_diagnostics_http) GET /admin/diagnostics/http?<code> => 400 Bad Request [2026-04-13 04:00:15.391][request][INFO] GET /admin/diagnostics/http?code=401 [2026-04-13 04:00:15.391][vaultwarden::api::admin][ERROR] Testing error 401 response [2026-04-13 04:00:15.391][response][INFO] (get_diagnostics_http) GET /admin/diagnostics/http?<code> => 401 Unauthorized [2026-04-13 04:00:15.560][request][INFO] GET /admin/diagnostics/http?code=403 [2026-04-13 04:00:15.561][vaultwarden::api::admin][ERROR] Testing error 403 response [2026-04-13 04:00:15.561][response][INFO] (get_diagnostics_http) GET /admin/diagnostics/http?<code> => 403 Forbidden [2026-04-13 04:00:21.645][request][INFO] GET /admin/diagnostics/config [2026-04-13 04:00:21.646][response][INFO] (get_diagnostics_config) GET /admin/diagnostics/config application/json => 200 OK [2026-04-13 04:01:20.350][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 04:01:20.350][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 174.172.133.78 [2026-04-13 04:01:20.350][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 04:01:30.110][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 04:01:30.110][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 216.98.252.249 [2026-04-13 04:01:30.111][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 04:02:36.620][vaultwarden::api::notifications][INFO] Closing WS connection from 216.98.252.249 [2026-04-13 04:02:40.587][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 04:02:40.587][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 103.142.140.227 [2026-04-13 04:02:40.587][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 04:03:45.251][request][INFO] GET /api/config [2026-04-13 04:03:45.251][response][INFO] (config) GET /api/config => 200 OK [2026-04-13 04:04:28.048][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-04-13 04:04:28.048][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 216.98.252.249 [2026-04-13 04:04:28.049][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-04-13 04:06:08.193][request][INFO] GET /api/config [2026-04-13 04:06:08.193][response][INFO] (config) GET /api/config => 200 OK [2026-04-13 04:06:22.894][request][INFO] GET /api/config [2026-04-13 04:06:22.894][response][INFO] (config) GET /api/config => 200 OK` ``` ### Screenshots or Videos _No response_ ### Additional Context 主机名称: localhost 发行版本: Debian GNU/Linux 13 内核版本: 6.12.74+deb13+1-cloud-amd64 系统类型: x86_64 主机地址: ********* 启动时间: 2026-04-13 11:53:07 运行时间: 15分钟 49秒
GiteaMirror added the bug label 2026-06-17 09:49:20 -05:00
Author
Owner

@BlackDex commented on GitHub (Apr 13, 2026):

Can you provide logs of Vaultwarden when these issues happen? The current logs do not provide these information.

What i see currently is that your Vaultwarden isn't able to connect to the internet. That might also prevent Vaultwarden from connecting to your SSO provider and cause your issues.

<!-- gh-comment-id:4233849078 --> @BlackDex commented on GitHub (Apr 13, 2026): Can you provide logs of Vaultwarden when these issues happen? The current logs do not provide these information. What i see currently is that your Vaultwarden isn't able to connect to the internet. That might also prevent Vaultwarden from connecting to your SSO provider and cause your issues.
Author
Owner

@TacKana commented on GitHub (Apr 13, 2026):

Hello, do you have an email address? I will send the logs to you. I am worried that sending them here will leak sensitive information. Also, my server can access the Internet, but due to its physical location in Chinese Mainland, it sometimes fails to connect to the vaultwarden update server.

<!-- gh-comment-id:4233929287 --> @TacKana commented on GitHub (Apr 13, 2026): Hello, do you have an email address? I will send the logs to you. I am worried that sending them here will leak sensitive information. Also, my server can access the Internet, but due to its physical location in Chinese Mainland, it sometimes fails to connect to the vaultwarden update server.
Author
Owner

@TacKana commented on GitHub (Apr 13, 2026):

bitwardenFree-20260413124929.log

<!-- gh-comment-id:4233950484 --> @TacKana commented on GitHub (Apr 13, 2026): [bitwardenFree-20260413124929.log](https://github.com/user-attachments/files/26666001/bitwardenFree-20260413124929.log)
Author
Owner

@TacKana commented on GitHub (Apr 13, 2026):

@BlackDex

<!-- gh-comment-id:4233951385 --> @TacKana commented on GitHub (Apr 13, 2026): @BlackDex
Author
Owner

@BlackDex commented on GitHub (Apr 13, 2026):

Maybe @Timshel can see what a possible issue could be here?
It mentions invalid grant/token. Not sure if that could also be an issue on the SSO Provider side.

<!-- gh-comment-id:4234569145 --> @BlackDex commented on GitHub (Apr 13, 2026): Maybe @Timshel can see what a possible issue could be here? It mentions invalid grant/token. Not sure if that could also be an issue on the SSO Provider side.
Author
Owner

@Timshel commented on GitHub (Apr 13, 2026):

@BlackDex looking at it, I can reproduce similar scenario but with a different error.

The guard on get_master_password_policy fail when it's called with a dummy org uuid given by get_auto_enroll_status when called with the FAKE_IDENTIFIER. This was used to return a global MasterPassword policy which could be set in config.

The guard was added in 787822854c, but I'm unsure how critical it is to protect this endpoint.

<!-- gh-comment-id:4235189501 --> @Timshel commented on GitHub (Apr 13, 2026): @BlackDex looking at it, I can reproduce similar scenario but with a different error. The guard on `get_master_password_policy` fail when it's called with a dummy org `uuid` given by `get_auto_enroll_status` when called with the `FAKE_IDENTIFIER`. This was used to return a global MasterPassword policy which could be set in config. The guard was added in https://github.com/dani-garcia/vaultwarden/commit/787822854cb73aeb8375a4e69ea188aa5f02db02, but I'm unsure how critical it is to protect this endpoint.
Author
Owner

@BlackDex commented on GitHub (Apr 13, 2026):

The reason for the Guard is that you could be able to extract the policy set by the organization and then use that for a brute-force tool to have a better understanding of what to the range or chars are they can use.

Seeing the comments in the get_auto_enroll_status, that it will be mainly ignored does that mean it will never return anything useful for the FAKE_IDENTIFIER, in that case we might be able to detect specific identifier, and act upon that, so, that call still goes through, but then later just returns something different. Or, not sure if that is an option, create a different endpoint-function for this specific use-case?

<!-- gh-comment-id:4235753430 --> @BlackDex commented on GitHub (Apr 13, 2026): The reason for the Guard is that you could be able to extract the policy set by the organization and then use that for a brute-force tool to have a better understanding of what to the range or chars are they can use. Seeing the comments in the `get_auto_enroll_status`, that it will be mainly ignored does that mean it will never return anything useful for the `FAKE_IDENTIFIER`, in that case we might be able to detect specific identifier, and act upon that, so, that call still goes through, but then later just returns something different. Or, not sure if that is an option, create a different endpoint-function for this specific use-case?
Author
Owner

@Timshel commented on GitHub (Apr 13, 2026):

@BlackDex yes it does make brute force a little bit simpler but at the same time password policies are often public.

Alternatively I was thinking just removing the guard but checking membership in get_master_password_policy.
And if it does not match returning the default for SSO or otherwise nothing intead of a 401.

<!-- gh-comment-id:4235809347 --> @Timshel commented on GitHub (Apr 13, 2026): @BlackDex yes it does make brute force a little bit simpler but at the same time password policies are often public. Alternatively I was thinking just removing the guard but checking membership in `get_master_password_policy`. And if it does not match returning the default for SSO or otherwise nothing intead of a `401`.
Author
Owner

@BlackDex commented on GitHub (Apr 13, 2026):

Wouldn't it be that simple as creating a custom endpoint /organizations/VW_DUMMY_IDENTIFIER_FOR_OIDC/policies/master-password with fn get_master_password_policy_dummy_oidc or something like this?

That should still provide the security for real organizations and still working for SSO stuff.

<!-- gh-comment-id:4235842007 --> @BlackDex commented on GitHub (Apr 13, 2026): Wouldn't it be that simple as creating a custom endpoint `/organizations/VW_DUMMY_IDENTIFIER_FOR_OIDC/policies/master-password` with fn `get_master_password_policy_dummy_oidc` or something like this? That should still provide the security for real organizations and still working for SSO stuff.
Author
Owner

@Timshel commented on GitHub (Apr 13, 2026):

@BlackDex the issue is the endpoint use an org uuid (get_auto_enroll_status return a random value), so it would mean hardcoding another uuid.

Edit: I'll remark that for org we are using the uuid as Identifier so converting the dummy identifier to an uuid would make sense.

<!-- gh-comment-id:4235908676 --> @Timshel commented on GitHub (Apr 13, 2026): @BlackDex the issue is the endpoint use an org uuid (`get_auto_enroll_status` return a random value), so it would mean hardcoding another `uuid`. Edit: I'll remark that for org we are using the `uuid` as Identifier so converting the dummy identifier to an `uuid` would make sense.
Author
Owner

@TacKana commented on GitHub (Apr 13, 2026):

也许能帮你看看可能出在哪里?它提到了无效的授予/代币。不确定这是否也是SSO提供商端的问题。

The SSO provider I use is Casdoor with version: v2.400.0

<!-- gh-comment-id:4237340445 --> @TacKana commented on GitHub (Apr 13, 2026): > 也许能帮你看看可能出在哪里?它提到了无效的授予/代币。不确定这是否也是SSO提供商端的问题。 The SSO provider I use is Casdoor with version: [v2.400.0](https://github.com/casdoor/casdoor/releases/tag/v2.400.0)
Author
Owner

@TacKana commented on GitHub (Apr 14, 2026):

@Timshel @BlackDex
Could you please tell me what caused the problem? It seems that version 1.35.7 hasn't fixed it either, and I want to know if there is a way to restore normal functionality now.

<!-- gh-comment-id:4244916483 --> @TacKana commented on GitHub (Apr 14, 2026): @Timshel @BlackDex Could you please tell me what caused the problem? It seems that version 1.35.7 hasn't fixed it either, and I want to know if there is a way to restore normal functionality now.
Author
Owner

@ghost commented on GitHub (Apr 14, 2026):

Just to chime in, we are experiencing a the same issue with this update.
New users created via SSO get stuck in an "Invited" status and are unable to "Join the organization" despite not actually attempting to join any organization.

<!-- gh-comment-id:4244949545 --> @ghost commented on GitHub (Apr 14, 2026): Just to chime in, we are experiencing a the same issue with this update. New users created via SSO get stuck in an "Invited" status and are unable to "Join the organization" despite not actually attempting to join any organization.
Author
Owner

@Timshel commented on GitHub (Apr 14, 2026):

@BlackDex I'll prepare a patch with the custom endpoint and change the dummy identifier.

<!-- gh-comment-id:4245132728 --> @Timshel commented on GitHub (Apr 14, 2026): @BlackDex I'll prepare a patch with the custom endpoint and change the dummy identifier.
Author
Owner

@JoeBiboche commented on GitHub (Apr 14, 2026):

Same issue here on a newly created Vaultwarden instance connected to Zitadel SSO. New users are unable to finalize the signup process. Tested with 1.35.5 and 1.35.7 version. 1.35.4 is working fine.

<!-- gh-comment-id:4245433803 --> @JoeBiboche commented on GitHub (Apr 14, 2026): Same issue here on a newly created Vaultwarden instance connected to Zitadel SSO. New users are unable to finalize the signup process. Tested with 1.35.5 and 1.35.7 version. 1.35.4 is working fine.
Author
Owner

@MogCH commented on GitHub (Apr 20, 2026):

Hello, i have the same error on 1.35.7.
When will a fix be available, or is there a manual workaround ?

@BlackDex @Jeanot38 ?

<!-- gh-comment-id:4280601326 --> @MogCH commented on GitHub (Apr 20, 2026): Hello, i have the same error on 1.35.7. When will a fix be available, or is there a manual workaround ? @BlackDex @Jeanot38 ?
Author
Owner

@BlackDex commented on GitHub (Apr 20, 2026):

It's available in :testing right now. We do not have specific ETA's for releases.

<!-- gh-comment-id:4280766728 --> @BlackDex commented on GitHub (Apr 20, 2026): It's available in `:testing` right now. We do not have specific ETA's for releases.
Author
Owner

@manduted commented on GitHub (Apr 22, 2026):

It's available in :testing right now. We do not have specific ETA's for releases.

Then we need to temporarily roll back and use version 1.35.4 or the current :testing version, right?

<!-- gh-comment-id:4293303382 --> @manduted commented on GitHub (Apr 22, 2026): > It's available in `:testing` right now. We do not have specific ETA's for releases. Then we need to temporarily roll back and use version 1.35.4 or the current :testing version, right?
Author
Owner

@Timshel commented on GitHub (Apr 22, 2026):

@manduted Since 1.35.5 contains multiple security fixes and depending on testing is unstable, I would use a sha256 ref from the testing release built on Apr 16, 2026.

<!-- gh-comment-id:4297399956 --> @Timshel commented on GitHub (Apr 22, 2026): @manduted Since `1.35.5` contains multiple security fixes and depending on `testing` is unstable, I would use a sha256 ref from the `testing` release built on `Apr 16, 2026`.
Author
Owner

@JoeBiboche commented on GitHub (Apr 22, 2026):

Working fine on a newly created instance with :testing version (Docker image). What about production instances ? Would be nice to have a way to patch security fixes related to 1.35.5 version and dealing with SSO issue fixed through this issue.
Thanks a lot !

<!-- gh-comment-id:4299838215 --> @JoeBiboche commented on GitHub (Apr 22, 2026): Working fine on a newly created instance with :testing version (Docker image). What about production instances ? Would be nice to have a way to patch security fixes related to 1.35.5 version and dealing with SSO issue fixed through this issue. Thanks a lot !
Author
Owner

@manduted commented on GitHub (Apr 23, 2026):

@manduted Since 1.35.5 contains multiple security fixes and depending on testing is unstable, I would use a sha256 ref from the testing release built on Apr 16, 2026.

Oh, I remember you now. Back when Vaultwarden didn’t support OIDC, you created a branch to add that feature, and I’ve been using your Docker image ever since. Unfortunately, I had to completely reinstall my system and lost track of you. I only realized a couple of days ago that Vaultwarden now supports OIDC officially, but I still really appreciate what you did.

Since you’ve said that, I’ll go with :testing.

<!-- gh-comment-id:4301503060 --> @manduted commented on GitHub (Apr 23, 2026): > [@manduted](https://github.com/manduted) Since `1.35.5` contains multiple security fixes and depending on `testing` is unstable, I would use a sha256 ref from the `testing` release built on `Apr 16, 2026`. Oh, I remember you now. Back when Vaultwarden didn’t support OIDC, you created a branch to add that feature, and I’ve been using your Docker image ever since. Unfortunately, I had to completely reinstall my system and lost track of you. I only realized a couple of days ago that Vaultwarden now supports OIDC officially, but I still really appreciate what you did. Since you’ve said that, I’ll go with :testing.
Author
Owner

@Timshel commented on GitHub (Apr 24, 2026):

@manduted still around ;), still maintaining a soft fork waiting for additional features to be merged (roles + groups).

<!-- gh-comment-id:4311728623 --> @Timshel commented on GitHub (Apr 24, 2026): @manduted still around ;), still maintaining a soft fork waiting for additional features to be merged (roles + groups).
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#30098