mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-16 05:34:10 +03:00
[PR #6158] Allow SSO role mapping to add admin cookie #3698
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/dani-garcia/vaultwarden/pull/6158
Author: @Timshel
Created: 8/9/2025
Status: 🔄 Open
Base:
main← Head:features/sso-roles📝 Commits (1)
6b8995aAllow SSO role mapping to add admin cookie📊 Changes
15 files changed (+367 additions, -67 deletions)
View changed files
📝
.env.template(+9 -0)📝
Cargo.lock(+1 -0)📝
Cargo.toml(+1 -0)📝
playwright/compose/keycloak/setup.sh(+34 -2)📝
playwright/docker-compose.yml(+2 -0)➕
playwright/tests/sso_roles.spec.ts(+56 -0)📝
src/api/admin.rs(+27 -15)📝
src/api/identity.rs(+30 -6)📝
src/auth.rs(+5 -3)📝
src/config.rs(+6 -0)📝
src/db/models/sso_auth.rs(+8 -1)📝
src/sso.rs(+100 -8)📝
src/sso_client.rs(+63 -15)📝
src/static/templates/admin/login.hbs(+17 -11)📝
src/static/templates/admin/settings.hbs(+8 -6)📄 Description
Add the ability to parse the
IDTokenand User Information endpoint response from an OIDC Provider to retrieve aroleto grant access to Vaultwarden admin console. Support two roles:adminoruser.This feature is controlled by the following configuration:
SSO_ROLES_ENABLED: control if the mapping is done, default isfalse`.SSO_ROLES_DEFAULT_TO_USER: do not block login in case of missing role, default istrue.SSO_ROLES_TOKEN_PATH=/resource_access/${SSO_CLIENT_ID}/roles: path to read roles in the ID Token or User Information response.The role claim parsing is done using generic since the goal is to reuse it to parse Organization role claims (The idea is to have
admin/userfor Vaultwarden admin page access. AndOrgOwner,OrgAdmin,OrgManagerandOrgUserfor user membership).Replaced the
FromRequest for Securesince it seemed simpler to just check if theDOMAINstart withhttps.🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.