[PR #7163] [MERGED] Several SSO Fixes #37028

Closed
opened 2026-07-13 21:32:36 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/7163
Author: @BlackDex
Created: 4/29/2026
Status: Merged
Merged: 4/29/2026
Merged by: @dani-garcia

Base: mainHead: sso-fixes


📝 Commits (4)

  • 9296b24 Ensure SSO token is only usable on the same client
  • 45c2611 Check email-verified on SSO login/create
  • 40beb2e Prevent data disclosure via SSO endpoints
  • 9393f94 Adjust admin layout to fix issues when SSO is enabled

📊 Changes

20 files changed (+125 additions, -47 deletions)

View changed files

migrations/mysql/2026-04-25-120000_sso_auth_binding/down.sql (+1 -0)
migrations/mysql/2026-04-25-120000_sso_auth_binding/up.sql (+1 -0)
migrations/postgresql/2026-04-25-120000_sso_auth_binding/down.sql (+1 -0)
migrations/postgresql/2026-04-25-120000_sso_auth_binding/up.sql (+1 -0)
migrations/sqlite/2026-04-25-120000_sso_auth_binding/down.sql (+1 -0)
migrations/sqlite/2026-04-25-120000_sso_auth_binding/up.sql (+1 -0)
📝 src/api/core/organizations.rs (+12 -30)
📝 src/api/identity.rs (+66 -5)
📝 src/crypto.rs (+7 -0)
📝 src/db/models/sso_auth.rs (+9 -1)
📝 src/db/schema.rs (+1 -0)
📝 src/sso.rs (+2 -1)
📝 src/sso_client.rs (+2 -1)
📝 src/static/scripts/admin.css (+13 -2)
📝 src/static/templates/admin/base.hbs (+1 -1)
📝 src/static/templates/admin/diagnostics.hbs (+1 -1)
📝 src/static/templates/admin/login.hbs (+1 -1)
📝 src/static/templates/admin/organizations.hbs (+1 -1)
📝 src/static/templates/admin/settings.hbs (+1 -1)
📝 src/static/templates/admin/users.hbs (+2 -2)

📄 Description

Several SSO fixes

Ensure SSO token is only usable on the same client

This commit adds an extra check via cookies to ensure the same browser/client is used to request and provide the SSO token.
Previously it would be able to provide a custom link which attackers could use to steal data.
While an attacker would still need the Master Password to be able to decrypt or execute specific actions, they were able to fetch encrypted data.

Check email-verified on SSO login/create

This commit prevents possible account takeover via SSO which doesn't check/validate or provide validated status of the email.
It was checked at other locations, but was skipped here.

Prevent data disclosure via SSO endpoints

This commit prevents some data disclosure and user enumeration by only returning the fake SSO identifier.
Since we do not check the identifier anywhere useful, returning the fake one is just fine.

During an invite to an org, that link contains the correct UUID and will be used for the master password requirements.
For anything else, server admins should set the SSO_MASTER_PASSWORD_POLICY env variable.

Misc

Adjust admin layout to fix issues when SSO is enabled


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/7163 **Author:** [@BlackDex](https://github.com/BlackDex) **Created:** 4/29/2026 **Status:** ✅ Merged **Merged:** 4/29/2026 **Merged by:** [@dani-garcia](https://github.com/dani-garcia) **Base:** `main` ← **Head:** `sso-fixes` --- ### 📝 Commits (4) - [`9296b24`](https://github.com/dani-garcia/vaultwarden/commit/9296b24c434eedac61a3154c32750d42a11674ea) Ensure SSO token is only usable on the same client - [`45c2611`](https://github.com/dani-garcia/vaultwarden/commit/45c26113ffe9bc07e2a30ec23a3c3702c93922f5) Check email-verified on SSO login/create - [`40beb2e`](https://github.com/dani-garcia/vaultwarden/commit/40beb2e695568052e1a4b8ad4459ab2321dd3fad) Prevent data disclosure via SSO endpoints - [`9393f94`](https://github.com/dani-garcia/vaultwarden/commit/9393f946f89c6fe68362d459475e421b164c7ef8) Adjust admin layout to fix issues when SSO is enabled ### 📊 Changes **20 files changed** (+125 additions, -47 deletions) <details> <summary>View changed files</summary> ➕ `migrations/mysql/2026-04-25-120000_sso_auth_binding/down.sql` (+1 -0) ➕ `migrations/mysql/2026-04-25-120000_sso_auth_binding/up.sql` (+1 -0) ➕ `migrations/postgresql/2026-04-25-120000_sso_auth_binding/down.sql` (+1 -0) ➕ `migrations/postgresql/2026-04-25-120000_sso_auth_binding/up.sql` (+1 -0) ➕ `migrations/sqlite/2026-04-25-120000_sso_auth_binding/down.sql` (+1 -0) ➕ `migrations/sqlite/2026-04-25-120000_sso_auth_binding/up.sql` (+1 -0) 📝 `src/api/core/organizations.rs` (+12 -30) 📝 `src/api/identity.rs` (+66 -5) 📝 `src/crypto.rs` (+7 -0) 📝 `src/db/models/sso_auth.rs` (+9 -1) 📝 `src/db/schema.rs` (+1 -0) 📝 `src/sso.rs` (+2 -1) 📝 `src/sso_client.rs` (+2 -1) 📝 `src/static/scripts/admin.css` (+13 -2) 📝 `src/static/templates/admin/base.hbs` (+1 -1) 📝 `src/static/templates/admin/diagnostics.hbs` (+1 -1) 📝 `src/static/templates/admin/login.hbs` (+1 -1) 📝 `src/static/templates/admin/organizations.hbs` (+1 -1) 📝 `src/static/templates/admin/settings.hbs` (+1 -1) 📝 `src/static/templates/admin/users.hbs` (+2 -2) </details> ### 📄 Description ## Several SSO fixes ### Ensure SSO token is only usable on the same client This commit adds an extra check via cookies to ensure the same browser/client is used to request and provide the SSO token. Previously it would be able to provide a custom link which attackers could use to steal data. While an attacker would still need the Master Password to be able to decrypt or execute specific actions, they were able to fetch encrypted data. ### Check email-verified on SSO login/create This commit prevents possible account takeover via SSO which doesn't check/validate or provide validated status of the email. It was checked at other locations, but was skipped here. ### Prevent data disclosure via SSO endpoints This commit prevents some data disclosure and user enumeration by only returning the fake SSO identifier. Since we do not check the identifier anywhere useful, returning the fake one is just fine. During an invite to an org, that link contains the correct UUID and will be used for the master password requirements. For anything else, server admins should set the `SSO_MASTER_PASSWORD_POLICY` env variable. ### Misc Adjust admin layout to fix issues when SSO is enabled --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-07-13 21:32:36 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#37028