[PR #6205] Improve sso auth flow #2441

Open
opened 2025-10-09 18:05:13 +03:00 by OVERLORD · 0 comments
Owner

Original Pull Request: https://github.com/dani-garcia/vaultwarden/pull/6205

State: open
Merged: No


This PR makes multiple modifications to the authentication flow:

  • stop wrapping the returned values from the authorization (code or error) in a JWT token to pass through the Bitwarden redirection. Instead, it stores them in the database and uses the state to find them again.
    The length of the JWT token might have been causing issues with the desktop client and Chrome on Windows.
  • stop using a memory cache to store the User information in case a 2FA flow is triggered; use the database that we were reading anyway.
  • Validate the Bitwarden clients' PKCE code challenge to ensure that the client exchanging the code is the one which initiated the request (either pass it to the provider or check it before calling it).

Documentation which could be added to the wiki:

Login Flow

On SSO_PKCE

When activated, the Bitwarden clients' PKCE code challenge is passed to the provider.
If disabled, PKCE validation is still done before exchanging the code.

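The two server-side checks the PR describes (the `state`-keyed database record that replaces the JWT wrapper, and the PKCE `code_challenge` verified before the `code` is handed back to the client) as an added Python sketch; this is not vaultwarden's Rust code, and the `SsoAuthStore` class, its method names and the in-memory `rows` dict stand in for the real database table and are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class SsoAuthRecord:
    # One row per login attempt, looked up by the OAuth `state` value.
    code_challenge: str
    code: Optional[str] = None
    error: Optional[str] = None


class SsoAuthStore:
    """Stand-in for the database table (hypothetical; constructed for this example)."""

    def __init__(self) -> None:
        self.rows: dict[str, SsoAuthRecord] = {}

    def begin(self, code_challenge: str) -> str:
        # Client starts the login: remember its challenge under a fresh random state.
        state = secrets.token_urlsafe(32)
        self.rows[state] = SsoAuthRecord(code_challenge=code_challenge)
        return state

    def provider_callback(self, state: str, code: Optional[str], error: Optional[str]) -> bool:
        # Provider redirect: persist code/error in the row instead of wrapping them in a JWT.
        row = self.rows.get(state)
        if row is None:
            return False
        row.code, row.error = code, error
        return True

    def redeem(self, state: str, code_verifier: str) -> str:
        # Client exchange: the state is single-use and the verifier must match the challenge
        # recorded at `begin`, so only the client that initiated the request gets the code.
        row = self.rows.pop(state, None)
        if row is None:
            raise PermissionError("unknown or already used state")
        if not hmac.compare_digest(s256_challenge(code_verifier), row.code_challenge):
            raise PermissionError("PKCE verification failed")
        if row.error is not None:
            raise PermissionError(f"provider returned error: {row.error}")
        if row.code is None:
            raise PermissionError("authorization not completed")
        return row.code
```

Because the row is popped before any check, a failed PKCE verification also burns the `state`, so the stored `code` cannot be retried with a different verifier.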
OVERLORD added the pull-request label 2025-10-09 18:05:13 +03:00

Reference: starred/vaultwarden#2441