SSO User can bypass organisation two-step login requirement #131

New Issue

MrUnknownDE · 2026-04-05T20:31:33+02:00

MrUnknownDE commented

2026-04-05 20:31:33 +02:00

Originally created by @exu-g on 2/2/2026

Prerequisites

I have searched the existing Closed AND Open Issues AND Discussions
I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.35.2
Web-vault version: v2025.12.1+build.3
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Database type: PostgreSQL
Database version: PostgreSQL 16.10 (OnGres 16.10-build-6.44) on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-28), 64-bit
Uses config.json: true
Uses a reverse proxy: true
IP Header check: false (X-Forwarded-For)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Websocket Check: true
HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_TIMEOUT

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "config/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "config",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "********://*********************************************************************************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "config/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "config/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "config/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "****************************",
  "smtp_from_name": "***********",
  "smtp_host": "***********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "****************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://***************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://******************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "*******************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "config/templates",
  "tmp_folder": "config/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.2

Deployment method

Official Container Image

Custom deployment method

Deployed on Kubernetes

Reverse Proxy

haproxy

Host/Server Operating System

Linux

Operating System Version

Kubernetes

Clients

Web Vault

Client Version

Firefox 147 - v2025.12.1

Steps To Reproduce

Enable SSO
Create account with SSO
Set master password
Join organisation with enforced two-step login
Log out
Log in using email and master password. Button "Other", not SSO

Expected Result

The login with email & password should not be allowed as it is missing two-step verification.

Actual Result

Login succeeds using email & master password only

Logs

[2026-02-02 09:11:39.863][request][INFO] GET /api/devices/knowndevice
[2026-02-02 09:11:39.869][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2026-02-02 09:11:48.914][request][INFO] POST /identity/accounts/prelogin
[2026-02-02 09:11:48.919][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2026-02-02 09:11:49.635][request][INFO] POST /identity/connect/token
[2026-02-02 09:11:49.805][vaultwarden::api::identity][INFO] User futffu logged in successfully. IP: 10.128.10.103
[2026-02-02 09:11:49.805][response][INFO] (login) POST /identity/connect/token => 200 OK
[2026-02-02 09:11:49.824][request][INFO] GET /api/config
[2026-02-02 09:11:49.824][response][INFO] (config) GET /api/config => 200 OK
[2026-02-02 09:11:49.828][request][INFO] GET /api/sync?excludeDomains=true
[2026-02-02 09:11:49.844][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2026-02-02 09:11:49.844][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 10.128.10.103
[2026-02-02 09:11:49.845][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2026-02-02 09:11:50.156][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2026-02-02 09:11:50.186][request][INFO] GET /api/accounts/profile
[2026-02-02 09:11:50.196][response][INFO] (profile) GET /api/accounts/profile => 200 OK
[2026-02-02 09:11:50.352][request][INFO] GET /api/accounts/revision-date
[2026-02-02 09:11:50.374][request][INFO] GET /api/accounts/revision-date
[2026-02-02 09:11:50.377][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2026-02-02 09:11:50.382][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2026-02-02 09:11:50.437][request][INFO] GET /api/auth-requests/pending
[2026-02-02 09:11:50.451][response][INFO] (get_auth_requests_pending) GET /api/auth-requests/pending => 200 OK

Screenshots or Videos

Organisation two-step policy is active

The policy is applied to a user that was invited without SSO, but not the SSO user (futffu)

Additional Context

No response

*Originally created by @exu-g on 2/2/2026* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.2 * Web-vault version: v2025.12.1+build.3 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 16.10 (OnGres 16.10-build-6.44) on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-28), 64-bit * Uses config.json: true * Uses a reverse proxy: true * IP Header check: false (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_TIMEOUT **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "config/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "config", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "********://*********************************************************************************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://*************************", "domain_origin": "*****://*************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "config/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "config/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "config/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "****************************", "smtp_from_name": "***********", "smtp_host": "***********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "****************************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://***************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://******************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "*******************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "config/templates", "tmp_folder": "config/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.2 ### Deployment method Official Container Image ### Custom deployment method Deployed on Kubernetes ### Reverse Proxy haproxy ### Host/Server Operating System Linux ### Operating System Version Kubernetes ### Clients Web Vault ### Client Version Firefox 147 - v2025.12.1 ### Steps To Reproduce 1. Enable SSO 2. Create account with SSO 3. Set master password 4. Join organisation with enforced two-step login 5. Log out 6. Log in using email and master password. Button "Other", **not SSO** ### Expected Result The login with email & password should not be allowed as it is missing two-step verification. ### Actual Result Login succeeds using email & master password only ### Logs ```text [2026-02-02 09:11:39.863][request][INFO] GET /api/devices/knowndevice [2026-02-02 09:11:39.869][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2026-02-02 09:11:48.914][request][INFO] POST /identity/accounts/prelogin [2026-02-02 09:11:48.919][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2026-02-02 09:11:49.635][request][INFO] POST /identity/connect/token [2026-02-02 09:11:49.805][vaultwarden::api::identity][INFO] User futffu logged in successfully. IP: 10.128.10.103 [2026-02-02 09:11:49.805][response][INFO] (login) POST /identity/connect/token => 200 OK [2026-02-02 09:11:49.824][request][INFO] GET /api/config [2026-02-02 09:11:49.824][response][INFO] (config) GET /api/config => 200 OK [2026-02-02 09:11:49.828][request][INFO] GET /api/sync?excludeDomains=true [2026-02-02 09:11:49.844][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL [2026-02-02 09:11:49.844][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 10.128.10.103 [2026-02-02 09:11:49.845][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2026-02-02 09:11:50.156][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2026-02-02 09:11:50.186][request][INFO] GET /api/accounts/profile [2026-02-02 09:11:50.196][response][INFO] (profile) GET /api/accounts/profile => 200 OK [2026-02-02 09:11:50.352][request][INFO] GET /api/accounts/revision-date [2026-02-02 09:11:50.374][request][INFO] GET /api/accounts/revision-date [2026-02-02 09:11:50.377][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2026-02-02 09:11:50.382][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2026-02-02 09:11:50.437][request][INFO] GET /api/auth-requests/pending [2026-02-02 09:11:50.451][response][INFO] (get_auth_requests_pending) GET /api/auth-requests/pending => 200 OK ``` ### Screenshots or Videos Organisation two-step policy is active <img width="799" height="192" alt="Image" src="https://github.com/user-attachments/assets/a6666bfe-63c5-43b3-afa2-2bd41af8dc3c" /> The policy is applied to a user that was invited without SSO, but not the SSO user (futffu) <img width="1945" height="255" alt="Image" src="https://github.com/user-attachments/assets/06433be2-e01c-4ea3-94dd-ab63795a02fd" /> ### Additional Context _No response_

MrUnknownDE closed this issue

2026-04-05 20:31:33 +02:00

MrUnknownDE added the bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug labels 2026-04-05 20:31:38 +02:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#131