[SSO] redirect URL misses port when sent to authorization endpoint #2495

Open
opened 2026-02-05 04:42:17 +03:00 by OVERLORD · 3 comments
Owner

Originally created by @MexHigh on GitHub (Jan 4, 2026).

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.1
  • Web-vault version: v2025.12.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: MySQL
  • Database version: 8.0.32
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: false
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: false

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SSO_ENABLED, SSO_SIGNUPS_MATCH_EMAIL, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_PKCE, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD

Failed HTTP Checks:

API calls:
Header: 'referrer-policy' does not contain 'same-origin'
Header: 'x-xss-protection' does not contain '0'
2FA Connector calls:
Header: 'referrer-policy' does not contain 'same-origin'
Header: 'x-xss-protection' does not contain '0'
Header: 'x-frame-options' is present while it should not
Header: 'content-security-policy' is present while it should not

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "*****://******************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://******************",
  "domain_origin": "*****://******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": false,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "******************",
  "smtp_from_name": "***********",
  "smtp_host": "*************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "**************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": true,
  "sso_authority": "*****://***********",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://***********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

caddy 2.10.2

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04 LTS

Clients

Web Vault

Client Version

No response

Steps To Reproduce

  1. Host Vaultwarden on a non-default port (requirement when using mTLS mixed with non-mTLS hosts on the same IP)
  2. Setup OIDC
  3. Check "sso_callback_path" in data/config.json to contain the current port
  4. Do a SSO Login and observe that the redirect_uri= parameter does not contain the port
  5. IDP fails verifying the callback URL, since it is configured to require the vaulwarden port

Expected Result

I expect that the OIDC flow sets the callback/redirect URL as set in the config when calling the authorization endpoint.

Actual Result

Vaultwarden ignores the callback URL port (it also does not appear in the admin dashboard /admin). The IDP then fails to verify the callback URL. Even when disabling this check in the IDP, the callback obviously fails due to being posted to the wrong port.

Logs

Jan  4 15:23:51 INF Request app=pocket-id version=2.0.2 status=200 method=POST path=/api/oidc/authorization-required query="" route=/api/oidc/authorization-required ip=<redacted> latency=4.162326ms referer="https://<redacted>/authorize?response_type=code&client_id=<redacted>&state=redacted>&redirect_uri=https%3A%2F%2F<redacted-host-WITH-NO-PORT>%2Fidentity%2Fconnect%2Foidc-signin&scope=openid+email+profile&code_challenge=<redacted>&code_challenge_method=S256&nonce=<redacted>" user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36" body_size=31

Jan  4 15:23:51 INF Request app=pocket-id version=2.0.2 status=200 method=GET path=/api/webauthn/login/start query="" route=/api/webauthn/login/start ip=2a02:8071:5203:2c3:5b87:8f5d:999c:aef6 latency=82.241404ms referer="https://<redacted>/authorize?response_type=code&client_id=<redacted>&state=<redacted>&redirect_uri=https%3A%2F%2F<redacted-host-WITH-NO-PORT>%2Fidentity%2Fconnect%2Foidc-signin&scope=openid+email+profile&code_challenge=<redacted>&code_challenge_method=S256&nonce=<redacted>" user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36" body_size=126

Screenshots or Videos

No response

Additional Context

No response

Originally created by @MexHigh on GitHub (Jan 4, 2026). ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.1 * Web-vault version: v2025.12.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: MySQL * Database version: 8.0.32 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: false * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: false ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SSO_ENABLED, SSO_SIGNUPS_MATCH_EMAIL, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_PKCE, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD **Failed HTTP Checks:** ```yaml API calls: Header: 'referrer-policy' does not contain 'same-origin' Header: 'x-xss-protection' does not contain '0' 2FA Connector calls: Header: 'referrer-policy' does not contain 'same-origin' Header: 'x-xss-protection' does not contain '0' Header: 'x-frame-options' is present while it should not Header: 'content-security-policy' is present while it should not ``` **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "*****://******************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://******************", "domain_origin": "*****://******************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": false, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 100000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "******************", "smtp_from_name": "***********", "smtp_host": "*************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "**************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": true, "sso_authority": "*****://***********", "sso_authorize_extra_params": "", "sso_callback_path": "*****://***********************************************", "sso_client_cache_expiration": 0, "sso_client_id": "************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.1 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy caddy 2.10.2 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 24.04 LTS ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce 1. Host Vaultwarden on a non-default port (requirement when using mTLS mixed with non-mTLS hosts on the same IP) 2. Setup OIDC 3. Check `"sso_callback_path"` in `data/config.json` to contain the current port 4. Do a SSO Login and observe that the `redirect_uri=` parameter does not contain the port 5. IDP fails verifying the callback URL, since it is configured to require the vaulwarden port ### Expected Result I expect that the OIDC flow sets the callback/redirect URL as set in the config when calling the authorization endpoint. ### Actual Result Vaultwarden ignores the callback URL port (it also does not appear in the admin dashboard `/admin`). The IDP then fails to verify the callback URL. Even when disabling this check in the IDP, the callback obviously fails due to being posted to the wrong port. ### Logs ```text Jan 4 15:23:51 INF Request app=pocket-id version=2.0.2 status=200 method=POST path=/api/oidc/authorization-required query="" route=/api/oidc/authorization-required ip=<redacted> latency=4.162326ms referer="https://<redacted>/authorize?response_type=code&client_id=<redacted>&state=redacted>&redirect_uri=https%3A%2F%2F<redacted-host-WITH-NO-PORT>%2Fidentity%2Fconnect%2Foidc-signin&scope=openid+email+profile&code_challenge=<redacted>&code_challenge_method=S256&nonce=<redacted>" user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36" body_size=31 Jan 4 15:23:51 INF Request app=pocket-id version=2.0.2 status=200 method=GET path=/api/webauthn/login/start query="" route=/api/webauthn/login/start ip=2a02:8071:5203:2c3:5b87:8f5d:999c:aef6 latency=82.241404ms referer="https://<redacted>/authorize?response_type=code&client_id=<redacted>&state=<redacted>&redirect_uri=https%3A%2F%2F<redacted-host-WITH-NO-PORT>%2Fidentity%2Fconnect%2Foidc-signin&scope=openid+email+profile&code_challenge=<redacted>&code_challenge_method=S256&nonce=<redacted>" user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36" body_size=126 ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_
OVERLORD added the bugSSO labels 2026-02-05 04:42:17 +03:00
Author
Owner

@MexHigh commented on GitHub (Jan 4, 2026):

Just found out that the callback url is always assembled using the "domain" configuration. After changing it, it works, however I find it quite confusing to have a seperate config property "sso_callback_path" from which the domain and port part is simply ignored. Is this intentional?

@MexHigh commented on GitHub (Jan 4, 2026): Just found out that the callback url is always assembled using the `"domain"` configuration. After changing it, it works, however I find it quite confusing to have a seperate config property "sso_callback_path" from which the domain and port part is simply ignored. Is this intentional?
Author
Owner

@stefan0xC commented on GitHub (Jan 6, 2026):

If you look into the source code you will find that this is not something that is configurable at all but always autogenerated.
1e1f9957cd/src/config.rs (L822-L823)

So yes this is intentional. Also that property is not mentioned in .env.template nor listed as available configuration in the SSO documentation. I'll check if we can reword the documentation a bit to make it clearer that you have to set DOMAIN to the base URL. (I think there also is a small bug that requires the domain to not have a trailing / for some reason.)

@stefan0xC commented on GitHub (Jan 6, 2026): If you look into the source code you will find that this is not something that is configurable at all but always [autogenerated](https://github.com/dani-garcia/vaultwarden/blob/1e1f9957cd037fad87e5cd33245720f865942016/src/config.rs#L501). https://github.com/dani-garcia/vaultwarden/blob/1e1f9957cd037fad87e5cd33245720f865942016/src/config.rs#L822-L823 So yes this is intentional. Also that property is not mentioned in [`.env.template`](https://github.com/dani-garcia/vaultwarden/blob/main/.env.template#L481) nor [listed as available configuration in the SSO documentation](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect#configuration). I'll check if we can reword the documentation a bit to make it clearer that you have to set `DOMAIN` to the base URL. (I think there also is a small bug that requires the domain to not have a trailing `/` for some reason.)
Author
Owner

@zhuhaisto commented on GitHub (Jan 26, 2026):

After updating to the latest version, I found two issues

  1. Changed email, unable to receive email verification code, I configured smtp in config
  2. Android login fails, but there are no problems on the browser on the computer

Mine is done

  1. Reverse proxy
  2. Domain with port format

That senior, what's this problem? I'm so urgent

Android can't log in but the browser extension is normal issue

Do you say that you describe my problem, that is, it is inferred that it is caused by the problem of adding a domain name and port

@zhuhaisto commented on GitHub (Jan 26, 2026): After updating to the latest version, I found two issues 1. Changed email, unable to receive email verification code, I configured smtp in config 2. Android login fails, but there are no problems on the browser on the computer Mine is done 1. Reverse proxy 2. Domain with port format That senior, what's this problem? I'm so urgent Android can't log in but the browser extension is normal issue Do you say that you describe my problem, that is, it is inferred that it is caused by the problem of adding a domain name and port
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#2495