mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-18 01:49:32 -05:00
[PR #7163] [MERGED] Several SSO Fixes #37028
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/dani-garcia/vaultwarden/pull/7163
Author: @BlackDex
Created: 4/29/2026
Status: ✅ Merged
Merged: 4/29/2026
Merged by: @dani-garcia
Base:
main← Head:sso-fixes📝 Commits (4)
9296b24Ensure SSO token is only usable on the same client45c2611Check email-verified on SSO login/create40beb2ePrevent data disclosure via SSO endpoints9393f94Adjust admin layout to fix issues when SSO is enabled📊 Changes
20 files changed (+125 additions, -47 deletions)
View changed files
➕
migrations/mysql/2026-04-25-120000_sso_auth_binding/down.sql(+1 -0)➕
migrations/mysql/2026-04-25-120000_sso_auth_binding/up.sql(+1 -0)➕
migrations/postgresql/2026-04-25-120000_sso_auth_binding/down.sql(+1 -0)➕
migrations/postgresql/2026-04-25-120000_sso_auth_binding/up.sql(+1 -0)➕
migrations/sqlite/2026-04-25-120000_sso_auth_binding/down.sql(+1 -0)➕
migrations/sqlite/2026-04-25-120000_sso_auth_binding/up.sql(+1 -0)📝
src/api/core/organizations.rs(+12 -30)📝
src/api/identity.rs(+66 -5)📝
src/crypto.rs(+7 -0)📝
src/db/models/sso_auth.rs(+9 -1)📝
src/db/schema.rs(+1 -0)📝
src/sso.rs(+2 -1)📝
src/sso_client.rs(+2 -1)📝
src/static/scripts/admin.css(+13 -2)📝
src/static/templates/admin/base.hbs(+1 -1)📝
src/static/templates/admin/diagnostics.hbs(+1 -1)📝
src/static/templates/admin/login.hbs(+1 -1)📝
src/static/templates/admin/organizations.hbs(+1 -1)📝
src/static/templates/admin/settings.hbs(+1 -1)📝
src/static/templates/admin/users.hbs(+2 -2)📄 Description
Several SSO fixes
Ensure SSO token is only usable on the same client
This commit adds an extra check via cookies to ensure the same browser/client is used to request and provide the SSO token.
Previously it would be able to provide a custom link which attackers could use to steal data.
While an attacker would still need the Master Password to be able to decrypt or execute specific actions, they were able to fetch encrypted data.
Check email-verified on SSO login/create
This commit prevents possible account takeover via SSO which doesn't check/validate or provide validated status of the email.
It was checked at other locations, but was skipped here.
Prevent data disclosure via SSO endpoints
This commit prevents some data disclosure and user enumeration by only returning the fake SSO identifier.
Since we do not check the identifier anywhere useful, returning the fake one is just fine.
During an invite to an org, that link contains the correct UUID and will be used for the master password requirements.
For anything else, server admins should set the
SSO_MASTER_PASSWORD_POLICYenv variable.Misc
Adjust admin layout to fix issues when SSO is enabled
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.