github-starred/vaultwarden
2
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-03-09 12:45:33 -05:00
Code Issues 79 Packages Projects Releases 78 Wiki Activity

SSO User can bypass organisation two-step login requirement #6176

New Issue
Closed
opened 2026-03-07 20:53:38 -06:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-03-07 20:53:38 -06:00
Owner
Copy Link

Originally created by @exu-g on GitHub (Feb 2, 2026).

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.2
  • Web-vault version: v2025.12.1+build.3
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 16.10 (OnGres 16.10-build-6.44) on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-28), 64-bit
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: false (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_TIMEOUT

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "config/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "config",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "********://*********************************************************************************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "config/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "config/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "config/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "****************************",
  "smtp_from_name": "***********",
  "smtp_host": "***********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "****************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://***************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://******************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "*******************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "config/templates",
  "tmp_folder": "config/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.2

Deployment method

Official Container Image

Custom deployment method

Deployed on Kubernetes

Reverse Proxy

haproxy

Host/Server Operating System

Linux

Operating System Version

Kubernetes

Clients

Web Vault

Client Version

Firefox 147 - v2025.12.1

Steps To Reproduce

  1. Enable SSO
  2. Create account with SSO
  3. Set master password
  4. Join organisation with enforced two-step login
  5. Log out
  6. Log in using email and master password. Button "Other", not SSO

Expected Result

The login with email & password should not be allowed as it is missing two-step verification.

Actual Result

Login succeeds using email & master password only

Logs

[2026-02-02 09:11:39.863][request][INFO] GET /api/devices/knowndevice
[2026-02-02 09:11:39.869][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2026-02-02 09:11:48.914][request][INFO] POST /identity/accounts/prelogin
[2026-02-02 09:11:48.919][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2026-02-02 09:11:49.635][request][INFO] POST /identity/connect/token
[2026-02-02 09:11:49.805][vaultwarden::api::identity][INFO] User futffu logged in successfully. IP: 10.128.10.103
[2026-02-02 09:11:49.805][response][INFO] (login) POST /identity/connect/token => 200 OK
[2026-02-02 09:11:49.824][request][INFO] GET /api/config
[2026-02-02 09:11:49.824][response][INFO] (config) GET /api/config => 200 OK
[2026-02-02 09:11:49.828][request][INFO] GET /api/sync?excludeDomains=true
[2026-02-02 09:11:49.844][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-02-02 09:11:49.844][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 10.128.10.103
[2026-02-02 09:11:49.845][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-02-02 09:11:50.156][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2026-02-02 09:11:50.186][request][INFO] GET /api/accounts/profile
[2026-02-02 09:11:50.196][response][INFO] (profile) GET /api/accounts/profile => 200 OK
[2026-02-02 09:11:50.352][request][INFO] GET /api/accounts/revision-date
[2026-02-02 09:11:50.374][request][INFO] GET /api/accounts/revision-date
[2026-02-02 09:11:50.377][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2026-02-02 09:11:50.382][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2026-02-02 09:11:50.437][request][INFO] GET /api/auth-requests/pending
[2026-02-02 09:11:50.451][response][INFO] (get_auth_requests_pending) GET /api/auth-requests/pending => 200 OK

Screenshots or Videos

Organisation two-step policy is active
Image

The policy is applied to a user that was invited without SSO, but not the SSO user (futffu)
Image

Additional Context

No response

Originally created by @exu-g on GitHub (Feb 2, 2026). ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.2 * Web-vault version: v2025.12.1+build.3 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 16.10 (OnGres 16.10-build-6.44) on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-28), 64-bit * Uses config.json: true * Uses a reverse proxy: true * IP Header check: false (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_TIMEOUT **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "config/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "config", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "********://*********************************************************************************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://*************************", "domain_origin": "*****://*************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "config/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "config/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "config/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "****************************", "smtp_from_name": "***********", "smtp_host": "***********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "****************************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://***************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://******************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "*******************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "config/templates", "tmp_folder": "config/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.2 ### Deployment method Official Container Image ### Custom deployment method Deployed on Kubernetes ### Reverse Proxy haproxy ### Host/Server Operating System Linux ### Operating System Version Kubernetes ### Clients Web Vault ### Client Version Firefox 147 - v2025.12.1 ### Steps To Reproduce 1. Enable SSO 2. Create account with SSO 3. Set master password 4. Join organisation with enforced two-step login 5. Log out 6. Log in using email and master password. Button "Other", **not SSO** ### Expected Result The login with email & password should not be allowed as it is missing two-step verification. ### Actual Result Login succeeds using email & master password only ### Logs ```text [2026-02-02 09:11:39.863][request][INFO] GET /api/devices/knowndevice [2026-02-02 09:11:39.869][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2026-02-02 09:11:48.914][request][INFO] POST /identity/accounts/prelogin [2026-02-02 09:11:48.919][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2026-02-02 09:11:49.635][request][INFO] POST /identity/connect/token [2026-02-02 09:11:49.805][vaultwarden::api::identity][INFO] User futffu logged in successfully. IP: 10.128.10.103 [2026-02-02 09:11:49.805][response][INFO] (login) POST /identity/connect/token => 200 OK [2026-02-02 09:11:49.824][request][INFO] GET /api/config [2026-02-02 09:11:49.824][response][INFO] (config) GET /api/config => 200 OK [2026-02-02 09:11:49.828][request][INFO] GET /api/sync?excludeDomains=true [2026-02-02 09:11:49.844][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-02-02 09:11:49.844][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 10.128.10.103 [2026-02-02 09:11:49.845][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-02-02 09:11:50.156][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2026-02-02 09:11:50.186][request][INFO] GET /api/accounts/profile [2026-02-02 09:11:50.196][response][INFO] (profile) GET /api/accounts/profile => 200 OK [2026-02-02 09:11:50.352][request][INFO] GET /api/accounts/revision-date [2026-02-02 09:11:50.374][request][INFO] GET /api/accounts/revision-date [2026-02-02 09:11:50.377][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2026-02-02 09:11:50.382][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2026-02-02 09:11:50.437][request][INFO] GET /api/auth-requests/pending [2026-02-02 09:11:50.451][response][INFO] (get_auth_requests_pending) GET /api/auth-requests/pending => 200 OK ``` ### Screenshots or Videos Organisation two-step policy is active <img width="799" height="192" alt="Image" src="https://github.com/user-attachments/assets/a6666bfe-63c5-43b3-afa2-2bd41af8dc3c" /> The policy is applied to a user that was invited without SSO, but not the SSO user (futffu) <img width="1945" height="255" alt="Image" src="https://github.com/user-attachments/assets/06433be2-e01c-4ea3-94dd-ab63795a02fd" /> ### Additional Context _No response_
GiteaMirror added the bug label 2026-03-07 20:53:38 -06:00
GiteaMirror commented 2026-03-07 20:53:39 -06:00
Author
Owner
Copy Link

@stefan0xC commented on GitHub (Feb 2, 2026):

Image

The Require 2FA policy does not apply to Admins and Owners.

The policy is applied to a user that was invited without SSO, but not the SSO user (futffu)

The membership overview will only inform you if a user (no matter their role) has enabled 2FA.

@stefan0xC commented on GitHub (Feb 2, 2026): <img width="180" height="153" alt="Image" src="https://github.com/user-attachments/assets/8d0c1965-559e-4412-9883-89b74c5d3632" /> The [Require 2FA policy](https://bitwarden.com/help/policies/#require-two-step-login) does not apply to Admins and Owners. > The policy is applied to a user that was invited without SSO, but not the SSO user (futffu) The membership overview will only inform you if a user (no matter their role) has enabled 2FA.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
better for forum
bug
documentation
duplicate
enhancement
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
SSO
Third party
troubleshooting
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#6176
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?