mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-02-05 00:29:40 +03:00
Enable user SSO access using OAuth #50
Originally created by @lkraider on GitHub (Jul 20, 2018).
Would like to manage the users by enabling an OAuth source like Google or a custom one like a Keycloak instance.
@dani-garcia commented on GitHub (Jul 20, 2018):
I consider this to be outside the scope of the project, so I won't be implementing this. That said, if someone wants to implement it, I'll accept a PR as long as the implementation doesn't over-complicate the rest of the code.
@dani-garcia commented on GitHub (Nov 9, 2018):
To keep the issue tracker more focused, I'm closing this issue in favor of the meta issue at #246.
@lukasmrtvy commented on GitHub (Sep 11, 2019):
What about https://docs.rs/crate/oauth2/ ? (Google, GitHub, hope for generic OIDC and Keycloak)
@varac commented on GitHub (Jul 13, 2021):
I'd be happy if Oauth/OpenIDConnect would be implemented because it's the main blocker from including it in https://openappstack.net/
@felbinger commented on GitHub (Aug 27, 2021):
I'd also be very happy if a generic oidc provider would be implemented.
@GodMod commented on GitHub (Sep 28, 2021):
Yes, definitely a must have! I really like having this implemented!
@manuschillerdev commented on GitHub (Oct 6, 2021):
I would love to have a shot at experimenting with https://github.com/ramosbugs/oauth2-rs and vaultwarden.
I have common knowledge about oauth2 but would need some general guidance in which parts of vaultwarden would be affected by implementing it.
@dani-garcia would you be able to give us some hints on where to begin? :)
@robocrax commented on GitHub (Apr 14, 2022):
Anyone working on this or know a solution that is available?
@sethstuart commented on GitHub (Jun 23, 2022):
Commenting again to see if this is something that can be revisited
@Avsynthe commented on GitHub (Nov 19, 2022):
Bitwarden supports SSO via SAML 2.0 and OIDC. I actually self-hosted Vaultwarden on the premise that it did also.
This is absolutely a must-have for me. For now though I have to add yet another step when onboarding users to my self-hosted suite of services I grace my family and friends with haha
It looks like an attempt is already being made to implement OIDC at #2449
@BloodyIron commented on GitHub (Mar 7, 2023):
My vote is for SAML! Bitwarden SAML SSO experience is awesome, it would be fabulous to have in Vaultwarden!
@FunctionDJ commented on GitHub (Mar 7, 2023):
I think OAuth would be a much better idea than SAML if it's one or the other. I've tried implementing a SAML client and it was an absolute mess. Implementing an OAuth 2.1 client on the other hand was about 20 lines of code after I understood how it works.
@miglen commented on GitHub (May 11, 2023):
Just to chime in, SAML or OAuth both would be awesome to have!
@luebke-dev commented on GitHub (Feb 5, 2024):
OIDC pls
@PinguDEV-original commented on GitHub (Dec 9, 2024):
Yes definitely, would love it!
@wuast94 commented on GitHub (Jan 12, 2025):
Would also love to see that. Building a suite that contains many applications for friends and families happens more and more, and it just makes sense to build around SSO. I'm using Authelia with OAuth for this.
And the Bitwarden clients seem to have support for it. Would love to see that feature on the roadmap :)
@Avsynthe commented on GitHub (Jan 12, 2025):
Doing the exact same thing and would love this for the same reason. Though I've moved to authentik for this and replaced authelia and my old identity server. Much more robust and a single application! Also supports more SSO types like OIDC and SAML rather than just OAuth and LDAP.
@viperfan7 commented on GitHub (Jan 25, 2025):
Honestly I'm super surprised that vaultwarden doesn't support some form of SSO, like, say, I have keycloak set up as my SSO provider, and it supports OIDC quite well.
Adding my +1 for OIDC support
@samuelleb11 commented on GitHub (Feb 6, 2025):
Authentik user here 🙋‍♂️ Would love to see SSO!
@ihatenodejs commented on GitHub (Feb 11, 2025):
Yet another Authentik user here, would love to see this implemented!
@Avsynthe commented on GitHub (Feb 12, 2025):
You can follow the progress here: https://github.com/dani-garcia/vaultwarden/pull/3899
Just don't bump that thread. Leave it clear for them to work in. They're close
@regiolis commented on GitHub (Mar 6, 2025):
Same here ^^
@HWiese1980 commented on GitHub (Apr 2, 2025):
PocketID user here, chiming in. You guys got my vote!
@MDeveloping commented on GitHub (Apr 11, 2025):
SSO / LDAP would be very important for us and nice to see. In a first step a basic user / password authentication for LDAP Users would be enough. Users could be further managed inside of Vaultwarden.
In a second step, managing by LDAP Groups would be good.
@Datenschmutz commented on GitHub (Apr 16, 2025):
+1 from another Authentik user
@hitmeet commented on GitHub (Apr 21, 2025):
+1 from keycloak user. It would help a lot.
@sofmeright commented on GitHub (Jul 18, 2025):
+1 (If this was implemented I'd actually feel reason to switch to vaultwarden from the official bitwarden container image.🙈) Zitadel user.
@justatechie commented on GitHub (Aug 1, 2025):
+1 from a kanidm user!
@Blackcbears commented on GitHub (Aug 5, 2025):
+1
@mortee commented on GitHub (Sep 9, 2025):
+1
@FlattusBlastus commented on GitHub (Sep 11, 2025):
https://developers.google.com/identity/openid-connect/openid-connect
erm??? Being your own IdP AND hosting your vault at the same time?
@Eirikr70 commented on GitHub (Sep 14, 2025):
Pocket-ID and TinyAuth user here. I would be fond of that additional layer!
@alfonsrv commented on GitHub (Sep 26, 2025):
Let me release your expectations – OAuth or LDAP auth the way you imagine it is likely never to come to Vaultwarden. It's already been discussed for 5 years+ and lots of information is available throughout the internet as to why this is.
The main reason being the way Bitwarden handles en-/decryption and requires the master password, else the web interface would have to be rewritten completely, which @dani-garcia mentioned is out of scope on multiple occasions.
The regular Bitwarden handles this over Key Connector which (in easy terms) stores the master passwords and releases them to a user once they are sufficiently authenticated. Due to license restrictions of Key Connector this feature will likely never be implemented though (Timshel also outlined in the PR mentioned here after I brought it up) – you'll need to purchase a subscription with Bitwarden if you want Enterprise Features. It's relatively inexpensive and helps move Bitwarden + open-source in general along.
@MDeveloping commented on GitHub (Sep 26, 2025):
This is regrettable. As Vaultwarden doesn't support LDAP, it's completely useless for companies if more than a handful of people want to use it.
It would make sense to extend the project far enough to allow for a proper LDAP implementation. As noted above, even an initial step of supporting LDAP username and password authentication would already be valuable, while keeping the rest of the administration within Vaultwarden.
There is a project called "vaultwarden-ldap", but unfortunately it only synchronizes LDAP users with Vaultwarden and does not provide LDAP authentication. Still, it might be worth looking into as a reference, since it already handles communication with LDAP.
@BlackDex commented on GitHub (Sep 26, 2025):
@MDeveloping as far as I know we support LDAP in the sense that account creation can be automated via the Directory Connector. There isn't anything more we can do to be honest.
Using the password from LDAP or SSO is not how it works as a master password is always needed to encrypt/decrypt the stored data.
The only way to have this working via SSO is by implementing support for the Key Connector or maybe the new Trusted Devices.
Also, I think you can run the key-connector locally without any issues, see https://github.com/bitwarden/key-connector.
But Vaultwarden does not have any support for this. That the key-connector tool itself is Bitwarden Licensed doesn't mean you can't use it as far as I know. The same goes for the Directory Connector btw, that is also Bitwarden Licensed.
Someone just needs to develop it.
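
The last comments argue that a key derived from the master password is what opens the vault, so an SSO login alone cannot. The following is an added example that is not part of the thread and is not Bitwarden, Vaultwarden or Key Connector code. It is a simplified model: the toy HMAC-based key wrap, the `KeyService` class, the iteration count and all sample values are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

def derive_kek(secret: str, salt: str) -> bytes:
    # Stretch a user secret into a 32-byte key-encryption key (demo iteration count).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 100_000)

def _pad(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()

def _tag(kek: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()

def wrap(kek: bytes, vault_key: bytes) -> bytes:
    # Toy authenticated wrap of a 32-byte key: nonce || ciphertext || tag.
    if len(vault_key) != 32:
        raise ValueError("vault key must be 32 bytes")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(vault_key, _pad(kek, nonce)))
    return nonce + ct + _tag(kek, nonce, ct)

def unwrap(kek: bytes, blob: bytes):
    # Returns the vault key, or None when the KEK is wrong or the blob was altered.
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(kek, nonce, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, nonce)))

class KeyService:
    # Hypothetical stand-in for a key-connector-style service: holds the KEK
    # and releases it only to a user whose SSO login has been verified.
    def __init__(self):
        self._keys = {}
    def enroll(self, user: str, kek: bytes) -> None:
        self._keys[user] = kek
    def release(self, user: str, sso_verified: bool):
        return self._keys.get(user) if sso_verified else None

def demo() -> dict:
    user, master = "alice@example.test", "constructed master password"
    id_token = "constructed.id.token"      # proves identity, carries no key material
    vault_key = secrets.token_bytes(32)
    kek = derive_kek(master, user)
    stored = wrap(kek, vault_key)          # the only thing the server keeps
    svc = KeyService()
    svc.enroll(user, kek)
    released = svc.release(user, sso_verified=True)
    return {"master_password": unwrap(derive_kek(master, user), stored) == vault_key,
            "sso_token_only": unwrap(derive_kek(id_token, user), stored) is not None,
            "key_service_after_sso": released is not None and unwrap(released, stored) == vault_key,
            "key_service_no_sso": svc.release(user, sso_verified=False) is not None}
```

In this model the SSO token can gate access to a key held elsewhere, but it can never stand in for the key itself, which is why the thread points to Key Connector or Trusted Devices rather than plain OIDC or LDAP login.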