[PR #6158] Allow SSO role mapping to add admin cookie #3698

Open
opened 2026-02-05 05:40:38 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6158
Author: @Timshel
Created: 8/9/2025
Status: 🔄 Open

Base: mainHead: features/sso-roles


📝 Commits (1)

  • 6b8995a Allow SSO role mapping to add admin cookie

📊 Changes

15 files changed (+367 additions, -67 deletions)

View changed files

📝 .env.template (+9 -0)
📝 Cargo.lock (+1 -0)
📝 Cargo.toml (+1 -0)
📝 playwright/compose/keycloak/setup.sh (+34 -2)
📝 playwright/docker-compose.yml (+2 -0)
playwright/tests/sso_roles.spec.ts (+56 -0)
📝 src/api/admin.rs (+27 -15)
📝 src/api/identity.rs (+30 -6)
📝 src/auth.rs (+5 -3)
📝 src/config.rs (+6 -0)
📝 src/db/models/sso_auth.rs (+8 -1)
📝 src/sso.rs (+100 -8)
📝 src/sso_client.rs (+63 -15)
📝 src/static/templates/admin/login.hbs (+17 -11)
📝 src/static/templates/admin/settings.hbs (+8 -6)

📄 Description

Add the ability to parse the IDToken and User Information endpoint response from an OIDC Provider to retrieve a role to grant access to Vaultwarden admin console. Support two roles: admin or user.

This feature is controlled by the following configuration:

  • SSO_ROLES_ENABLED: control if the mapping is done, default is false`.
  • SSO_ROLES_DEFAULT_TO_USER: do not block login in case of missing role, default is true.
  • SSO_ROLES_TOKEN_PATH=/resource_access/${SSO_CLIENT_ID}/roles: path to read roles in the ID Token or User Information response.

The role claim parsing is done using generic since the goal is to reuse it to parse Organization role claims (The idea is to have admin/user for Vaultwarden admin page access. And OrgOwner, OrgAdmin, OrgManager and OrgUser for user membership).

Replaced the FromRequest for Secure since it seemed simpler to just check if the DOMAIN start with https.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/6158 **Author:** [@Timshel](https://github.com/Timshel) **Created:** 8/9/2025 **Status:** 🔄 Open **Base:** `main` ← **Head:** `features/sso-roles` --- ### 📝 Commits (1) - [`6b8995a`](https://github.com/dani-garcia/vaultwarden/commit/6b8995ac9f6482bf01ba70264c5e923886b8f69c) Allow SSO role mapping to add admin cookie ### 📊 Changes **15 files changed** (+367 additions, -67 deletions) <details> <summary>View changed files</summary> 📝 `.env.template` (+9 -0) 📝 `Cargo.lock` (+1 -0) 📝 `Cargo.toml` (+1 -0) 📝 `playwright/compose/keycloak/setup.sh` (+34 -2) 📝 `playwright/docker-compose.yml` (+2 -0) ➕ `playwright/tests/sso_roles.spec.ts` (+56 -0) 📝 `src/api/admin.rs` (+27 -15) 📝 `src/api/identity.rs` (+30 -6) 📝 `src/auth.rs` (+5 -3) 📝 `src/config.rs` (+6 -0) 📝 `src/db/models/sso_auth.rs` (+8 -1) 📝 `src/sso.rs` (+100 -8) 📝 `src/sso_client.rs` (+63 -15) 📝 `src/static/templates/admin/login.hbs` (+17 -11) 📝 `src/static/templates/admin/settings.hbs` (+8 -6) </details> ### 📄 Description Add the ability to parse the `IDToken` and User Information endpoint response from an OIDC Provider to retrieve a `role` to grant access to Vaultwarden admin console. Support two roles: `admin` or `user`. This feature is controlled by the following configuration: - `SSO_ROLES_ENABLED: control if the mapping is done, default is `false`. - `SSO_ROLES_DEFAULT_TO_USER`: do not block login in case of missing role, default is `true`. - `SSO_ROLES_TOKEN_PATH=/resource_access/${SSO_CLIENT_ID}/roles`: path to read roles in the ID Token or User Information response. The role claim parsing is done using generic since the goal is to reuse it to parse Organization role claims (The idea is to have `admin`/`user` for Vaultwarden admin page access. And `OrgOwner`, `OrgAdmin`, `OrgManager` and `OrgUser` for user membership). Replaced the `FromRequest for Secure` since it seemed simpler to just check if the `DOMAIN` start with `https`. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
OVERLORD added the pull-request label 2026-02-05 05:40:38 +03:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#3698