[PR #1955] [CLOSED] OIDC SSO Re: Issue #246 #6669

Closed
opened 2026-03-07 21:02:47 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/1955
Author: @Sheap
Created: 9/1/2021
Status: Closed

Base: main ← Head: sso-for-pr


📝 Commits (10+)

  • 2e90782 add required fields to schema/org form
  • 4674464 working sso login
  • 284d215 policy enforcement - multiple devices
  • d0d476f cleanup
  • d0d261a safe handling of RawStrs
  • 05a4a6c comment updates
  • 7f97e7f add web-vault-sso.patch
  • 635a485 remove changes for local development
  • 47d5320 trivial PR feedback - missing files from web-vault patch
  • 4d39197 use migrations properly, avoid panics

📊 Changes

21 files changed (+1509 additions, -18 deletions)


📝 .dockerignore (+1 -1)
📝 Cargo.lock (+183 -8)
📝 Cargo.toml (+1 -0)
➕ migrations/mysql/2021-09-16-133000_add_sso/down.sql (+2 -0)
➕ migrations/mysql/2021-09-16-133000_add_sso/up.sql (+18 -0)
📝 migrations/postgresql/2019-09-12-100000_create_tables/up.sql (+1 -1)
➕ migrations/postgresql/2021-09-16-133000_add_sso/down.sql (+2 -0)
➕ migrations/postgresql/2021-09-16-133000_add_sso/up.sql (+18 -0)
➕ migrations/sqlite/2021-09-16-133000_add_sso/down.sql (+2 -0)
➕ migrations/sqlite/2021-09-16-133000_add_sso/up.sql (+18 -0)
📝 src/api/core/organizations.rs (+56 -1)
📝 src/api/identity.rs (+238 -2)
📝 src/db/models/mod.rs (+4 -0)
📝 src/db/models/org_policy.rs (+1 -1)
📝 src/db/models/organization.rs (+14 -4)
➕ src/db/models/sso_config.rs (+104 -0)
➕ src/db/models/sso_nonce.rs (+71 -0)
📝 src/db/schemas/mysql/schema.rs (+23 -0)
📝 src/db/schemas/postgresql/schema.rs (+23 -0)
📝 src/db/schemas/sqlite/schema.rs (+23 -0)

...and 1 more files

📄 Description

This branch adds the minimal required changes to allow OIDC SSO (at least with Keycloak; there are many options/features of the process which I did not address, which may rule out other providers).

This is so far my biggest contact point with Rust in a web server, as well as in implementing OIDC, so I wouldn't be surprised if there were places where I strayed from the path. But I have tested it, and at least it works. I'd welcome any feedback here. My greatest concern is that I'm currently ignoring the nonce. I believe it should be checked against, but I'm not sure where a sensible place would be to store it between generating it alongside the auth URL and consuming it when exchanging the code for an access token.

Note: There are associated changes required to the webvault here - I wasn't sure how I should link them, so to keep things simple for now, I've simply included a .patch file in this repo.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
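The nonce question the description leaves open, as an added example that is not part of this PR, of the web-vault patch, or of vaultwarden itself: the nonce is generated together with `state` when the authorization URL is built, stored server-side keyed by `state` (the only value the provider echoes back on the redirect before any token exists), and then, after the code exchange, compared once against the `nonce` claim of the signature-verified ID token and deleted, so a replayed callback or a stolen ID token presented a second time finds nothing to match. All names here (`NonceStore`, `PendingLogin`, `check_id_token_nonce`, `new_token`) are hypothetical; the example assumes the caller has already validated the ID token's signature, issuer and audience and extracted the `nonce` claim, and that the random bytes for `new_token` come from a CSPRNG in real use (the demo fills them with constants).

```rust
use std::collections::HashMap;
use std::time::Duration;

/// One login in flight: the nonce we put in the authorization request and the
/// unix time after which the callback is no longer accepted.
struct PendingLogin {
    nonce: String,
    expires_at: u64,
}

/// Server-side nonce store keyed by the OAuth `state` parameter (hypothetical;
/// a real deployment would back this with the database, as the PR's
/// sso_nonce table suggests, or with a session-bound cookie).
pub struct NonceStore {
    pending: HashMap<String, PendingLogin>,
    ttl_secs: u64,
}

impl NonceStore {
    pub fn new(ttl: Duration) -> Self {
        NonceStore { pending: HashMap::new(), ttl_secs: ttl.as_secs() }
    }

    /// Record the nonce when the authorization URL is generated.
    pub fn issue(&mut self, state: &str, nonce: &str, now: u64) {
        self.pending.insert(
            state.to_string(),
            PendingLogin { nonce: nonce.to_string(), expires_at: now + self.ttl_secs },
        );
    }

    /// Take the nonce for this `state` exactly once; a second call, or a call
    /// after expiry, yields None so the callback cannot be replayed.
    pub fn consume(&mut self, state: &str, now: u64) -> Option<String> {
        let entry = self.pending.remove(state)?;
        if now >= entry.expires_at {
            return None;
        }
        Some(entry.nonce)
    }

    /// Housekeeping for logins that never completed; returns how many were dropped.
    pub fn purge_expired(&mut self, now: u64) -> usize {
        let before = self.pending.len();
        self.pending.retain(|_, p| now < p.expires_at);
        before - self.pending.len()
    }
}

#[derive(Debug, PartialEq)]
pub enum NonceCheck {
    Ok,
    UnknownState, // no pending login, already consumed, or expired
    MissingClaim, // ID token carried no `nonce` claim
    Mismatch,     // claim present but not the one we issued
}

/// Constant-time comparison so a timing side channel cannot reveal the stored nonce.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Run at the callback, after the code exchange and after the ID token's
/// signature, issuer and audience have been verified. The stored nonce is
/// consumed whatever the outcome, so every path is one-shot.
pub fn check_id_token_nonce(
    store: &mut NonceStore,
    state: &str,
    id_token_nonce: Option<&str>,
    now: u64,
) -> NonceCheck {
    let expected = match store.consume(state, now) {
        Some(n) => n,
        None => return NonceCheck::UnknownState,
    };
    match id_token_nonce {
        None => NonceCheck::MissingClaim,
        Some(n) if ct_eq(n.as_bytes(), expected.as_bytes()) => NonceCheck::Ok,
        Some(_) => NonceCheck::Mismatch,
    }
}

/// Hex-encode 32 bytes supplied by `fill`. In production `fill` must be a
/// CSPRNG (for example the getrandom crate, assumed here, not a dependency of the PR).
pub fn new_token(fill: impl FnOnce(&mut [u8])) -> String {
    let mut buf = [0u8; 32];
    fill(&mut buf);
    buf.iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() {
    let mut store = NonceStore::new(Duration::from_secs(300));
    // Constant fillers for the demo only; never do this in a real server.
    let state = new_token(|b| b.fill(0x11));
    let nonce = new_token(|b| b.fill(0x22));
    store.issue(&state, &nonce, 1_700_000_000);
    println!("authorize?state={}&nonce={}", state, nonce);
    let first = check_id_token_nonce(&mut store, &state, Some(&nonce), 1_700_000_010);
    let replay = check_id_token_nonce(&mut store, &state, Some(&nonce), 1_700_000_011);
    println!("first callback: {:?}, replayed callback: {:?}", first, replay);
}
```

Keying by `state` rather than by a session cookie keeps the example independent of the web-vault side, but it means `state` itself must be unguessable (hence the same 32-byte generator) and the TTL should be short enough that an abandoned authorization URL cannot be completed hours later.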

GiteaMirror added the pull-request label 2026-03-07 21:02:47 -06:00

Reference: github-starred/vaultwarden#6669