[PR #3899] [MERGED] SSO using OpenID Connect #6992

Closed
opened 2026-03-07 21:09:13 -06:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/3899
Author: @Timshel
Created: 9/18/2023
Status: Merged
Merged: 8/8/2025
Merged by: @dani-garcia

Base: main ← Head: sso-support


📝 Commits (10+)

  • 671f7a1 Add SSO functionality using OpenID Connect
  • fefa55c Improvements and error handling
  • 524d65e Stop rolling device token
  • 927968d Add playwright tests
  • d6af686 Activate PKCE by default
  • fb5b568 Ensure result order when searching for sso_user
  • 8dfaee6 add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
  • a9cc0e5 Toggle SSO button in scss
  • a85bdb2 Base64 encode state before sending it to providers
  • 3617be0 Prevent disabled User from SSO login

📊 Changes

110 files changed (+8081 additions, -329 deletions)


📝 .env.template (+53 -0)
📝 Cargo.lock (+562 -10)
📝 Cargo.toml (+8 -0)
SSO.md (+303 -0)
migrations/mysql/2023-09-10-133000_add_sso/down.sql (+1 -0)
migrations/mysql/2023-09-10-133000_add_sso/up.sql (+4 -0)
migrations/mysql/2023-09-14-133000_add_users_organizations_invited_by_email/down.sql (+1 -0)
migrations/mysql/2023-09-14-133000_add_users_organizations_invited_by_email/up.sql (+1 -0)
migrations/mysql/2024-02-14-170000_add_state_to_sso_nonce/down.sql (+6 -0)
migrations/mysql/2024-02-14-170000_add_state_to_sso_nonce/up.sql (+8 -0)
migrations/mysql/2024-02-26-170000_add_pkce_to_sso_nonce/down.sql (+8 -0)
migrations/mysql/2024-02-26-170000_add_pkce_to_sso_nonce/up.sql (+9 -0)
migrations/mysql/2024-03-06-170000_add_sso_users/down.sql (+1 -0)
migrations/mysql/2024-03-06-170000_add_sso_users/up.sql (+7 -0)
migrations/mysql/2024-03-13-170000_sso_users_cascade/down.sql (+0 -0)
migrations/mysql/2024-03-13-170000_sso_users_cascade/up.sql (+2 -0)
migrations/postgresql/2023-09-10-133000_add_sso/down.sql (+1 -0)
migrations/postgresql/2023-09-10-133000_add_sso/up.sql (+4 -0)
migrations/postgresql/2023-09-14-133000_add_users_organizations_invited_by_email/down.sql (+1 -0)
migrations/postgresql/2023-09-14-133000_add_users_organizations_invited_by_email/up.sql (+1 -0)

...and 80 more files

📄 Description

This is based on previous PRs (#2787, #2449 and #3154) with work done by @pinpox, @m4w0lf, @Sheap, @bmunro-peralex, @tribut and others I probably missed, sorry.

This PR adds support for OpenID Connect to handle authentication to an external SSO.
This introduces another way to control who can use the vault without having to use invitations or LDAP.

A master password is still required and not controlled by the SSO (depending on your point of view this might be a feature ;).

Bitwarden key connector is not supported and due to the license it's highly unlikely that it will ever be:

2.1 Commercial Module License. Subject to Your compliance with this Agreement, Bitwarden hereby grants to You a limited, non-exclusive, non-transferable, royalty-free license to use the Commercial Modules for the sole purposes of internal development and internal testing, and only in a non-production environment.

Usage

This should be agnostic to the SSO used as long as it supports client secret authentication and exposes an OpenID Connect Discovery endpoint. (I'm testing it with Keycloak at the moment; a demo test stack is available in README.md: https://github.com/Timshel/vaultwarden/blob/sso-support/test/oidc/README.md)

Added some documentation at the root of the project, SSO.md (https://github.com/Timshel/vaultwarden/blob/sso-support/SSO.md), that could later be moved to the wiki.

I made some additional modifications in my main branch (https://github.com/Timshel/vaultwarden/blob/main/README.md) to allow for easier testing (modified Docker image to use a prebuilt patched front-end).

On front-end modifications, I made patched versions available at Timshel/oidc_web_builds (https://github.com/Timshel/oidc_web_builds). Two versions are available:

  • One contains the changes expected to be merged (named button); all changes need to be compatible with the non-SSO version.
  • The second one sets #sso as the default redirect URL.

Issues

As mentioned in the previous PR, one of the main issues is the inability for the organization invitation to work with the SSO redirection. To fix it, a patch to the front-end is needed (https://github.com/Timshel/oidc_web_builds/blob/master/oidc_invite.patch).

⚠️ If you have issues or need help testing the PR ⚠️

Please open issues in Timshel/vaultwarden (https://github.com/Timshel/vaultwarden/issues) in order to keep the discussion here focused on merging this work.
Of course, if you believe your issue is important, mention this PR so a reference will be visible.

But please try to keep commenting in this PR to a minimum to keep it legible; the previous one has over 200 comments ...


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
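The description above says the integration should work with any provider that supports client secret authentication and exposes an OpenID Connect Discovery endpoint, and a later commit enables PKCE by default. As an added example (not code from the PR or from Vaultwarden), here is a check an operator could run against their IdP's discovery document before wiring it up; the document is constructed, and `SAMPLE_DISCOVERY` and `check_discovery` are names assumed for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document (not captured from a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/realms/vw",
    "authorization_endpoint": "https://idp.example.test/realms/vw/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/vw/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.test/realms/vw/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "scopes_supported": ["openid", "email", "profile"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_text: str, expected_issuer: str) -> list[str]:
    """Return the problems found; an empty list means the provider looks usable."""
    problems = []
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as e:
        return [f"discovery document is not valid JSON: {e}"]
    # The issuer must match the configured one exactly; a mismatch means the
    # metadata was served for a different issuer and must not be trusted.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: got {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    # Per OIDC Discovery the default when omitted is client_secret_basic.
    auth_methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(auth_methods):
        problems.append("no client secret auth method at token endpoint")
    # When this field is omitted the server does not advertise PKCE at all.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("openid scope not advertised")
    return problems
```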

GiteaMirror added the pull-request label 2026-03-07 21:09:13 -06:00

Reference: github-starred/vaultwarden#6992