[PR #6205] [MERGED] Improve sso auth flow #7380

Closed
opened 2026-03-07 21:16:33 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6205
Author: @Timshel
Created: 8/20/2025
Status: Merged
Merged: 12/6/2025
Merged by: @dani-garcia

Base: `main` ← Head: `features/sso-db-code`


📝 Commits (1)

- [`4ceb6ab`](https://github.com/dani-garcia/vaultwarden/commit/4ceb6abe04a4d559952c93415a741ba8e8fffc99) Improve sso auth flow

📊 Changes

17 files changed (+449 additions, -295 deletions)

📝 `.env.template` (+2 -2)
➕ `migrations/mysql/2025-08-20-120000_sso_nonce_to_auth/down.sql` (+9 -0)
➕ `migrations/mysql/2025-08-20-120000_sso_nonce_to_auth/up.sql` (+12 -0)
➕ `migrations/postgresql/2025-08-20-120000_sso_nonce_to_auth/down.sql` (+9 -0)
➕ `migrations/postgresql/2025-08-20-120000_sso_nonce_to_auth/up.sql` (+12 -0)
➕ `migrations/sqlite/2025-08-20-120000_sso_nonce_to_auth/down.sql` (+9 -0)
➕ `migrations/sqlite/2025-08-20-120000_sso_nonce_to_auth/up.sql` (+12 -0)
📝 `src/api/identity.rs` (+53 -55)
📝 `src/config.rs` (+2 -2)
📝 `src/db/mod.rs` (+40 -0)
📝 `src/db/models/mod.rs` (+2 -2)
➕ `src/db/models/sso_auth.rs` (+134 -0)
➖ `src/db/models/sso_nonce.rs` (+0 -87)
📝 `src/db/schema.rs` (+5 -2)
📝 `src/main.rs` (+4 -4)
📝 `src/sso.rs` (+121 -125)
📝 `src/sso_client.rs` (+23 -16)

📄 Description

This PR makes multiple modifications to the authentication flow:

  • stop wrapping the returned values from the authorization (`code` or `error`) in a JWT token to pass through the Bitwarden redirection. Instead, it stores them in the database and uses the `state` to find them again.
    The length of the JWT token might have been causing issues with the desktop client and Chrome on Windows.
  • stop using a memory cache to store the User information in case a 2FA flow is triggered; use the database that we were reading anyway.
  • validate the Bitwarden clients' PKCE code challenge to ensure that the client exchanging the `code` is the one which initiated the request (either pass it to the provider or check it before calling it).

Documentation which could be added to the wiki:

Login Flow

On `SSO_PKCE`

When activated, the Bitwarden clients' PKCE code challenge is passed to the provider.
If disabled, PKCE validation is still done before exchanging the code.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-03-07 21:16:33 -06:00