starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-12-28 01:11:35 +03:00
Code Issues 429 Packages Projects Releases 10 Wiki Activity

SSO: ZITADEL login chooses the wrong account #35

New Issue
Closed
opened 2025-10-09 16:11:20 +03:00 by OVERLORD · 2 comments
OVERLORD commented 2025-10-09 16:11:20 +03:00
Owner
Copy Link

Originally created by @JSchmie on GitHub.

Prerequisites

Vaultwarden Support String

x

Vaultwarden Build Version

testing

Deployment method

Official Container Image

Custom deployment method

services:
  vaultwarden:
    image: vaultwarden/server:testing
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: https://vault.mydomain.com
      SSO_ENABLED: true
      SSO_ONLY: true
      SSO_AUTHORITY: https://zitadel.mydomain.com
      SSO_SCOPES: email profile offline_access
      SSO_CLIENT_ID: MY_CLIENT_ID
      SSO_CLIENT_SECRET: MY_SECRET
      SSO_AUDIENCE_TRUSTED: '^\d{18}$'

      SSO_DEBUG_TOKENS: "true"
      LOG_LEVEL: "info,vaultwarden::sso=debug"

    volumes:
      - ./data/:/data/
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"

      # --- Router ---
      - "traefik.http.routers.vaultwarden.rule=Host(`vault.mydomain.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=lets-encrypt-resolver"

      # --- Service ---
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"


networks:
  traefik:
    external: true

Reverse Proxy

traefik:v3.5

Host/Server Operating System

Linux

Operating System Version

Debian 12.11

Clients

Web Vault

Client Version

No response

Steps To Reproduce

  1. Start Vaultwarden with SSO enabled (image: vaultwarden/server:testing).
  2. Open the Web Vault login page.
  3. Enter email (as prompted), then click Use Single Sign-On (SSO).
  4. You are redirected to ZITADEL and then immediately redirected back to Vaultwarden without any account picker or password prompt.
  5. Vaultwarden then asks to set a Master Password (expected), but the authenticated SSO identity is not the intended user.

Expected Result

  • ZITADEL should prompt for account selection or credentials (no silent reuse of an existing session).
  • Authentication should occur as myname@mydomain.de (the intended user).
  • Vaultwarden should associate the returned SSO identity with that user.

Actual Result

  • ZITADEL silently reuses a prior session and authenticates the wrong user (e.g., zitadel-admin@zitadel.<subdomain>.mydomain.de) without a prompt.
  • Vaultwarden proceeds to the Master Password step using the unintended SSO identity.
  • Forcing prompts and org scoping via Vaultwarden env vars did not change this behavior.

Logs

[2025-08-25 15:08:30.745][request][INFO] POST /identity/connect/token
[2025-08-25 15:08:30.898][vaultwarden::sso][DEBUG] Authenticated user AuthenticatedUser { refresh_token: Some("some_key"), access_token: "some_key", expires_in: Some(43199s), identifier: OIDCIdentifier("https://zitadel.mydomain.coom/CLIENT_ID"), email: "zitadel-admin@zitadel.zitadel.mydomain.com", email_verified: Some(true), user_name: None }
[2025-08-25 15:08:30.899][vaultwarden::sso][DEBUG] Non jwt refresh_token (expiration set to 1758726510)
[2025-08-25 15:08:30.901][vaultwarden::api::identity][INFO] User zitadel-admin@zitadel.zitadel.mydomain.com logged in successfully. IP: 172.20.0.1
[2025-08-25 15:08:30.902][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-08-25 15:08:30.942][request][INFO] GET /api/sync?excludeDomains=true
[2025-08-25 15:08:30.945][response][INFO] (sync) GET /api/sync?<data..> => 200 OK

Screenshots or Videos

No response

Additional Context

No response

Originally created by @JSchmie on GitHub. ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String x ### Vaultwarden Build Version testing ### Deployment method Official Container Image ### Custom deployment method ```yaml services: vaultwarden: image: vaultwarden/server:testing container_name: vaultwarden restart: unless-stopped environment: DOMAIN: https://vault.mydomain.com SSO_ENABLED: true SSO_ONLY: true SSO_AUTHORITY: https://zitadel.mydomain.com SSO_SCOPES: email profile offline_access SSO_CLIENT_ID: MY_CLIENT_ID SSO_CLIENT_SECRET: MY_SECRET SSO_AUDIENCE_TRUSTED: '^\d{18}$' SSO_DEBUG_TOKENS: "true" LOG_LEVEL: "info,vaultwarden::sso=debug" volumes: - ./data/:/data/ networks: - traefik labels: - "traefik.enable=true" - "traefik.docker.network=traefik" # --- Router --- - "traefik.http.routers.vaultwarden.rule=Host(`vault.mydomain.com`)" - "traefik.http.routers.vaultwarden.entrypoints=websecure" - "traefik.http.routers.vaultwarden.tls=true" - "traefik.http.routers.vaultwarden.tls.certresolver=lets-encrypt-resolver" # --- Service --- - "traefik.http.services.vaultwarden.loadbalancer.server.port=80" networks: traefik: external: true ``` ### Reverse Proxy traefik:v3.5 ### Host/Server Operating System Linux ### Operating System Version Debian 12.11 ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce 1. Start Vaultwarden with SSO enabled (image: `vaultwarden/server:testing`). 2. Open the Web Vault login page. 3. Enter email (as prompted), then click **Use Single Sign-On (SSO)**. 4. You are redirected to ZITADEL and then **immediately** redirected back to Vaultwarden **without** any account picker or password prompt. 5. Vaultwarden then asks to set a Master Password (expected), but the authenticated SSO identity is **not** the intended user. ### Expected Result - ZITADEL should prompt for account selection or credentials (no silent reuse of an existing session). - Authentication should occur as **myname@mydomain.de** (the intended user). - Vaultwarden should associate the returned SSO identity with that user. ### Actual Result - ZITADEL silently reuses a prior session and authenticates the **wrong** user (e.g., `zitadel-admin@zitadel.<subdomain>.mydomain.de`) without a prompt. - Vaultwarden proceeds to the Master Password step using the **unintended** SSO identity. - Forcing prompts and org scoping via Vaultwarden env vars did not change this behavior. ### Logs ```text [2025-08-25 15:08:30.745][request][INFO] POST /identity/connect/token [2025-08-25 15:08:30.898][vaultwarden::sso][DEBUG] Authenticated user AuthenticatedUser { refresh_token: Some("some_key"), access_token: "some_key", expires_in: Some(43199s), identifier: OIDCIdentifier("https://zitadel.mydomain.coom/CLIENT_ID"), email: "zitadel-admin@zitadel.zitadel.mydomain.com", email_verified: Some(true), user_name: None } [2025-08-25 15:08:30.899][vaultwarden::sso][DEBUG] Non jwt refresh_token (expiration set to 1758726510) [2025-08-25 15:08:30.901][vaultwarden::api::identity][INFO] User zitadel-admin@zitadel.zitadel.mydomain.com logged in successfully. IP: 172.20.0.1 [2025-08-25 15:08:30.902][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-08-25 15:08:30.942][request][INFO] GET /api/sync?excludeDomains=true [2025-08-25 15:08:30.945][response][INFO] (sync) GET /api/sync?<data..> => 200 OK ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_
OVERLORD added the SSObug labels 2025-10-09 16:11:20 +03:00
OVERLORD commented 2025-10-09 16:11:23 +03:00
Author
Owner
Copy Link

@Timshel commented on GitHub:

Hey,

Forcing prompts and org scoping via Vaultwarden env vars did not change this behavior.

Did you try setting SSO_AUTHORIZE_EXTRA_PARAMS=prompt=select_account I believe Zitadel should support it ?

@Timshel commented on GitHub: Hey, > Forcing prompts and org scoping via Vaultwarden env vars did not change this behavior. Did you try setting `SSO_AUTHORIZE_EXTRA_PARAMS=prompt=select_account` I believe Zitadel should support it ?
OVERLORD commented 2025-10-09 16:11:23 +03:00
Author
Owner
Copy Link

@JSchmie commented on GitHub:

Hi, and thanks for the quick reply, @Timshel.
This works! The only hiccup is the flow: I have to enter my email, get redirected to my ZITADEL instance (log in there if needed), and then enter my master password. It’d be smoother if I only had to enter my email once.

@JSchmie commented on GitHub: Hi, and thanks for the quick reply, @Timshel. This works! The only hiccup is the flow: I have to enter my email, get redirected to my ZITADEL instance (log in there if needed), and then enter my master password. It’d be smoother if I only had to enter my email once.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
better for forum
bug
bug
bug
documentation
duplicate
enhancement
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
SSO
Third party
troubleshooting
troubleshooting
wontfix
No Label bug SSO
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#35
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?