SSO error with Authentik: unexpected issuer #134

Closed
opened 2026-04-05 20:31:44 +02:00 by MrUnknownDE · 0 comments

Originally created by @monchy80 on 1/30/2026

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.2
  • Web-vault version: v2025.12.1+build.3
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: MySQL
  • Database version: 11.8.2-MariaDB-ubu2404
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SSO_ENABLED, SSO_SIGNUPS_MATCH_EMAIL, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "*****://*******************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://****************************",
  "domain_origin": "*****://****************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://api.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "**************",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "sso_allow_unknown_email_verification": true,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://***********************************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*********************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "openid email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.2

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Traefik 3.5.0

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Web Vault

Client Version

2025.12.1

Steps To Reproduce

  1. Try to log in with SSO

Expected Result

Redirect to Authentik login page

Actual Result

You receive this error:

{"message":"Failed to discover OpenID provider: Validation error: unexpected issuer URI https://authentik.apps.monchy.eu/application/o/vaultwarden-server02/ (expected https://authentik.apps.monchy.eu/application/o/vaultwarden-server02)","validationErrors":{"":["Failed to discover OpenID provider: Validation error: unexpected issuer URI https://authentik.apps.monchy.eu/application/o/vaultwarden-server02/ (expected https://authentik.apps.monchy.eu/application/o/vaultwarden-server02)"]},"errorModel":{"message":"Failed to discover OpenID provider: Validation error: unexpected issuer URI https://authentik.apps.monchy.eu/application/o/vaultwarden-server02/ (expected https://authentik.apps.monchy.eu/application/o/vaultwarden-server02)","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"}

Logs

[2026-01-30 17:22:19.576][request][INFO] POST /api/organizations/domain/sso/verified

[2026-01-30 17:22:19.578][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK

[2026-01-30 17:22:19.584][request][INFO] GET /identity/sso/prevalidate?domainHint=17722dbf-f452-40ac-

[2026-01-30 17:22:19.588][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK

[2026-01-30 17:22:19.600][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt

[2026-01-30 17:22:19.689][vaultwarden::sso_client][ERROR] Failed to discover OpenID provider: Validation error: unexpected issuer URI `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02/` (expected `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02`)

[2026-01-30 17:22:19.689][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 400 Bad Request

Screenshots or Videos

No response

Additional Context

It seems to be a trailing-slash issue. Vaultwarden appears to require the issuer value returned by Authentik (in the OpenID provider discovery response) to be identical to the value stored in SSO_AUTHORITY, but Authentik returns the URL with a trailing slash. The comparison is the standard OIDC Discovery issuer check, so the mismatch is between what the two sides consider the canonical issuer URL, not a failure of the check itself.

Just to be sure, I also tried adding a trailing slash to SSO_AUTHORITY (I know the documentation explicitly says not to include a trailing slash), and then I get this error instead:

{"message":"Failed to discover OpenID provider: Failed to parse server response","validationErrors":{"":["Failed to discover OpenID provider: Failed to parse server response"]},"errorModel":{"message":"Failed to discover OpenID provider: Failed to parse server response","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"}

*Originally created by @monchy80 on 1/30/2026* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.2 * Web-vault version: v2025.12.1+build.3 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: MySQL * Database version: 11.8.2-MariaDB-ubu2404 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SSO_ENABLED, SSO_SIGNUPS_MATCH_EMAIL, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", 
"authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "*****://*******************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://****************************", "domain_origin": "*****://****************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", 
"login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.eu", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://api.bitwarden.eu", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "********************", "smtp_from_name": "**************", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "********************", "sso_allow_unknown_email_verification": true, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://***********************************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*********************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "openid email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", 
"tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.2 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Traefik 3.5.0 ### Host/Server Operating System Linux ### Operating System Version _No response_ ### Clients Web Vault ### Client Version 2025.12.1 ### Steps To Reproduce 1. Try to login with SSO ### Expected Result Redirect to Authentik login page ### Actual Result You receive this error: {"message":"Failed to discover OpenID provider: Validation error: unexpected issuer URI `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02/` (expected `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02`)","validationErrors":{"":["Failed to discover OpenID provider: Validation error: unexpected issuer URI `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02/` (expected `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02`)"]},"errorModel":{"message":"Failed to discover OpenID provider: Validation error: unexpected issuer URI `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02/` (expected `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02`)","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"} ### Logs ```text [2026-01-30 17:22:19.576][request][INFO] POST /api/organizations/domain/sso/verified [2026-01-30 17:22:19.578][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK [2026-01-30 17:22:19.584][request][INFO] GET 
/identity/sso/prevalidate?domainHint=17722dbf-f452-40ac- [2026-01-30 17:22:19.588][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK [2026-01-30 17:22:19.600][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt [2026-01-30 17:22:19.689][vaultwarden::sso_client][ERROR] Failed to discover OpenID provider: Validation error: unexpected issuer URI `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02/` (expected `https://authentik.apps.monchy.eu/application/o/vaultwarden-server02`) [2026-01-30 17:22:19.689][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 400 Bad Request ``` ### Screenshots or Videos _No response_ ### Additional Context It seems to be a **trailing slash issue**. It seems to expect the issuer value returned by Authentik to be the same as the value stored in SSO_AUTHORITY. But **Authentik returns the URL with a trailing slash**. Just to be sure, I also tried adding a trailing slash to SSO_AUTHORITY (I know that in the documentation it is expressly indicated not to put the trailing slash), and I get this error: `{"message":"Failed to discover OpenID provider: Failed to parse server response","validationErrors":{"":["Failed to discover OpenID provider: Failed to parse server response"]},"errorModel":{"message":"Failed to discover OpenID provider: Failed to parse server response","object":"error"},"error":"","error_description":"","exceptionMessage":null,"exceptionStackTrace":null,"innerExceptionMessage":null,"object":"error"}`

Reference: github/vaultwarden#134