Allow SSO OIDC Issuer Redirect #2457

Open
opened 2026-02-05 04:29:14 +03:00 by OVERLORD · 4 comments

Originally created by @hofq on GitHub (Dec 7, 2025).

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-b77c01b8
  • Web-vault version: v2025.10.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SSO_ENABLED, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://******************************",
  "domain_origin": "*****://******************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "******************************",
  "smtp_from_name": "***********",
  "smtp_host": "*****************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******************************",
  "sso_allow_unknown_email_verification": true,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://***************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://***********************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": false,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

testing branch latest

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Browser Extension, Web Vault, Desktop, Android, iOS

Client Version

No response

Steps To Reproduce

  • Use Nextcloud as SSO Provider via Plugin
  • Enter Issuer url `<Hostname>`
    Get a 301 Moved Permanently error because of dynamic routing inside Nextcloud

Enter Issuer url `<Hostname>/index.php/`
Get `Failed to discover OpenID provider: Validation error: unexpected issuer URI https://hostname/ (expected https://hostname/index.php)`

Expected Result

I would expect the app to follow redirects dynamically, or to provide a flag for that,
or to allow specifying the openid-configuration endpoint directly.

Actual Result

I get the two errors listed above.

Logs


Screenshots or Videos

No response

Additional Context

https://github.com/H2CK/oidc/issues/400

Originally created by @hofq on GitHub (Dec 7, 2025). ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-b77c01b8 * Web-vault version: v2025.10.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: false * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: false * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SSO_ENABLED, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 
600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://******************************", "domain_origin": "*****://******************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, 
"org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "******************************", "smtp_from_name": "***********", "smtp_host": "*****************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "******************************", "sso_allow_unknown_email_verification": true, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://***************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://***********************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": false, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, 
"user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version testing branch latest ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginx ### Host/Server Operating System Linux ### Operating System Version _No response_ ### Clients Browser Extension, Web Vault, Desktop, Android, iOS ### Client Version _No response_ ### Steps To Reproduce - Use Nextcloud as SSO Provider via Plugin - Enter Issuer url <Hostname> Get an 301 Moved Permanently Error, cause of Dynamic Routing inside of Nextcloud Enter Issuer url <Hostname>/intex.php/ Get Failed to discover OpenID provider: Validation error: unexpected issuer URI `https://hostname/` (expected `https://hostname/index.php`)" ### Expected Result I would expect the App to dynamically resolve Redirects or add a Flag for that or be able to specify openid-configuration directly ### Actual Result I get 2 Errors ### Logs ```text ``` ### Screenshots or Videos _No response_ ### Additional Context https://github.com/H2CK/oidc/issues/400
OVERLORD added the bug and SSO labels 2026-02-05 04:29:14 +03:00

@SadmL commented on GitHub (Jan 1, 2026):

https://github.com/H2CK/oidc/issues/474#issuecomment-2406671034

@SadmL commented on GitHub (Jan 1, 2026): https://github.com/H2CK/oidc/issues/474#issuecomment-2406671034

@stefan0xC commented on GitHub (Jan 4, 2026):

H2CK/oidc#474 (comment)

I think this issue could be resolved by updating our documentation to also mention the OIDC App for Nextcloud and to mention this specific rewrite fix to account for the limitation of the app (though this should probably be added to their wiki as well). I don't think this is something we should address by writing a custom HTTP client, as the OpenID specification does not allow 301 redirects or a different path for this endpoint (this is also why it probably will not be supported by the maintainer of the openidconnect-rs crate that we use).

@stefan0xC commented on GitHub (Jan 4, 2026): > [H2CK/oidc#474 (comment)](https://github.com/H2CK/oidc/issues/474#issuecomment-2406671034) I think this issue could be resolved by updating our documentation to also mention the [OIDC App for Nextcloud](https://apps.nextcloud.com/apps/oidc) and mention this specific rewrite fix to account for limitation of the app (though this should probably be added [in their wiki](https://github.com/H2CK/oidc/wiki/User-Documentation#endpoints) as well). I don't think this is something that we should address by writing a custom http client as the [OpenID specification does not allow 301 redirects](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest:~:text=A%20successful%20response%20MUST%20use%20the%20200%20OK%20HTTP%20status%20code) or a different path for this endpoint (this is also why this probably will not be supported [by the maintainer of the `openidconnect-rs` crate that we use](https://github.com/ramosbugs/openidconnect-rs/issues/13#issuecomment-608606360)).

@SadmL commented on GitHub (Jan 4, 2026):

The thing is, there is no need for such a workaround with, for example, Matrix Synapse, Forgejo or GoToSocial: it works without these rewrites.
(I'm not a dev/programmer, and this is by no means a complaint)

@SadmL commented on GitHub (Jan 4, 2026): Thing is there is no need to do such stuff, for example, for [Matrix Synapse](https://github.com/element-hq/synapse), [Forgejo](https://codeberg.org/forgejo/forgejo/), [GoToSocial](https://codeberg.org/superseriousbusiness/gotosocial), it works without these rewrites. (I'm not a dev/programmer, and this is by no means a complaint)

@stefan0xC commented on GitHub (Jan 4, 2026):

Thing is there is no need to do such stuff, for example, for Matrix Synapse, Forgejo, GoToSocial, it works without these rewrites.

Yeah, but it seems like that is because the libraries they use are less strict about getting a resource. Synapse for example uses authlib which is using treq that by default allows redirects (and the same seems to be true for go's default http client) while openidconnect-rs as mentioned just allows 200 which might be less user-friendly but is straightforward and conforming to the spec.

@stefan0xC commented on GitHub (Jan 4, 2026): > Thing is there is no need to do such stuff, for example, for [Matrix Synapse](https://github.com/element-hq/synapse), [Forgejo](https://codeberg.org/forgejo/forgejo/), [GoToSocial](https://codeberg.org/superseriousbusiness/gotosocial), it works without these rewrites. Yeah, but it seems like that is because the libraries they use are less strict about getting a resource. Synapse for example uses `authlib` which is using `treq` that [by default allows redirects](https://github.com/twisted/treq/blob/9d2d7cca213d9b19ff75382bf28db0689e4c8ca8/src/treq/client.py#L206) (and the same seems to be true for go's [default http client](https://pkg.go.dev/net/http#Client)) while `openidconnect-rs` as mentioned [just allows `200`](https://github.com/ramosbugs/openidconnect-rs/blob/202c8b1d9338ce2304d87816efb56d4abd0a5bb7/src/discovery/mod.rs#L358) which might be less user-friendly but is straightforward and conforming to the spec.
Reference: starred/vaultwarden#2457