mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-16 05:34:10 +03:00
[SSO] redirect URL misses port when sent to authorization endpoint #2495
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @MexHigh on GitHub (Jan 4, 2026).
Prerequisites
Vaultwarden Support String
Your environment (Generated via diagnostics page)
Config & Details (Generated via diagnostics page)
Show Config & Details
Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SSO_ENABLED, SSO_SIGNUPS_MATCH_EMAIL, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_PKCE, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD
Failed HTTP Checks:
Config:
Vaultwarden Build Version
v1.35.1
Deployment method
Official Container Image
Custom deployment method
No response
Reverse Proxy
caddy 2.10.2
Host/Server Operating System
Linux
Operating System Version
Ubuntu 24.04 LTS
Clients
Web Vault
Client Version
No response
Steps To Reproduce
"sso_callback_path"indata/config.jsonto contain the current portredirect_uri=parameter does not contain the portExpected Result
I expect that the OIDC flow sets the callback/redirect URL as set in the config when calling the authorization endpoint.
Actual Result
Vaultwarden ignores the callback URL port (it also does not appear in the admin dashboard
/admin). The IDP then fails to verify the callback URL. Even when disabling this check in the IDP, the callback obviously fails due to being posted to the wrong port.Logs
Screenshots or Videos
No response
Additional Context
No response
@MexHigh commented on GitHub (Jan 4, 2026):
Just found out that the callback url is always assembled using the
"domain"configuration. After changing it, it works, however I find it quite confusing to have a seperate config property "sso_callback_path" from which the domain and port part is simply ignored. Is this intentional?@stefan0xC commented on GitHub (Jan 6, 2026):
If you look into the source code you will find that this is not something that is configurable at all but always autogenerated.
1e1f9957cd/src/config.rs (L822-L823)So yes this is intentional. Also that property is not mentioned in
.env.templatenor listed as available configuration in the SSO documentation. I'll check if we can reword the documentation a bit to make it clearer that you have to setDOMAINto the base URL. (I think there also is a small bug that requires the domain to not have a trailing/for some reason.)@zhuhaisto commented on GitHub (Jan 26, 2026):
After updating to the latest version, I found two issues
Mine is done
That senior, what's this problem? I'm so urgent
Android can't log in but the browser extension is normal issue
Do you say that you describe my problem, that is, it is inferred that it is caused by the problem of adding a domain name and port