Fix public api for domains with path prefix #1162

New Issue

MrUnknownDE · 2026-04-06T01:41:21+02:00

MrUnknownDE commented

2026-04-06 01:41:21 +02:00

Originally created by @FDHoho007 on 4/12/2024

Vaultwarden is currently unable to handle the Bitwarden Directory Connector when the base domain includes a path prefix.
Example:
DOMAIN=https://example.com/ -> works
DOMAIN=https://example.com/vault/ -> doesn't work
Vaultwarden rejects the token issued seconds before with the error message "Token not issued by this server".
This message is thrown when the token issuer check fails. When a organization api token is issued, the iss attribute follows the scheme "domain_origin|scope". But when the issuer is checked in api/core/public.rs, the iss attribute is expected to contain "domain|scope".
When using a domain with path prefix this leads to conflicts. To fix this I replaced the domain check through a domain_origin check as issued in auth.rs.

*Originally created by @FDHoho007 on 4/12/2024* Vaultwarden is currently unable to handle the Bitwarden Directory Connector when the base domain includes a path prefix. Example: `DOMAIN=https://example.com/` -> works `DOMAIN=https://example.com/vault/` -> doesn't work Vaultwarden rejects the token issued seconds before with the error message `"Token not issued by this server"`. This message is thrown when the token issuer check fails. When a organization api token is issued, the iss attribute follows the scheme `"domain_origin|scope"`. But when the issuer is checked in api/core/public.rs, the iss attribute is expected to contain `"domain|scope"`. When using a domain with path prefix this leads to conflicts. To fix this I replaced the domain check through a domain_origin check as issued in auth.rs.

MrUnknownDE closed this issue

2026-04-06 01:41:21 +02:00

Sign in to join this conversation.

No Label

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#1162