SSO using OpenID Connect #1440

Closed
opened 2026-04-06 01:54:35 +02:00 by MrUnknownDE · 0 comments

Originally created by @Timshel on 9/18/2023

This is based on previous PRs (#2787, #2449 and #3154) with work done by @pinpox, @m4w0lf, @Sheap, @bmunro-peralex, @tribut and others I probably missed, sorry.

This PR adds support for OpenID Connect to handle authentication to an external SSO.
This introduces another way to control who can use the vault without having to use invitation or an LDAP.

A master password is still required and not controlled by the SSO (depending on your point of view this might be a feature ;).

Bitwarden [key connector](https://bitwarden.com/help/about-key-connector) is not supported and due to the [license](https://github.com/bitwarden/key-connector/blob/main/LICENSE.txt) it's highly unlikely that it will ever be:

> 2.1 Commercial Module License. Subject to Your compliance with this Agreement, Bitwarden hereby grants to You a limited, non-exclusive, non-transferable, royalty-free license to use the Commercial Modules for the sole purposes of internal development and internal testing, and only in a non-production environment.

Usage

This should be agnostic to the SSO used as long as it supports client secret authentication and exposes an OpenID Connect Discovery endpoint. (I'm testing it with Keycloak at the moment, a demo test stack is available in [README.md](https://github.com/Timshel/vaultwarden/blob/sso-support/test/oidc/README.md))

Added some documentation at the root of the project, [SSO.md](https://github.com/Timshel/vaultwarden/blob/sso-support/SSO.md), that could be later moved to the wiki.

I made some additional modifications in my [main branch](https://github.com/Timshel/vaultwarden/blob/main/README.md) to allow for easier testing (modified Docker image to use prebuilt patched front-end).

On front-end modification, I made patched versions available at [Timshel/oidc_web_builds](https://github.com/Timshel/oidc_web_builds). Two versions are available:

  • One contains the change expected to be merged (named `button`); all changes need to be compatible with the non-SSO version.
  • The second one sets `#sso` as the default redirect URL.

Issues

As mentioned in the previous PR, one of the main issues is the inability for the organization invitation to work with the SSO redirection. To fix it a [patch](https://github.com/Timshel/oidc_web_builds/blob/master/oidc_invite.patch) to the front-end is needed.

⚠️ ⚠️ ⚠️ If you have issues or need help testing the PR ⚠️ ⚠️ ⚠️

Please open issues in [Timshel/vaultwarden](https://github.com/Timshel/vaultwarden/issues) in order to keep the discussion here focused on merging this work.
Of course if you believe your issue is important, mention this PR so a reference will be visible.

But please try to keep commenting in this PR to a minimum to keep it legible, the previous one has over 200 comments ...

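The Usage section above states the two things the identity provider must offer: client secret authentication and an OpenID Connect Discovery endpoint. The block below is an added example written for this page, not code from Vaultwarden or from Timshel's PR, showing the relying-party side of that contract: checking a discovery document for those capabilities, building the authorization request with `state` and `nonce`, verifying `state` on the callback, and validating the ID token claims (`iss`, `aud`/`azp`, `exp`, `nonce`). The discovery document, hostnames, client id and redirect URI are constructed placeholders, and ID token signature verification against `jwks_uri` is deliberately left to a JOSE library, so this block only covers the claim checks that follow a successful signature check.

```python
"""Minimal OpenID Connect relying-party checks, standard library only.

Added example for this page; not Vaultwarden's implementation.
"""
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "vaultwarden"  # hypothetical client id registered at the IdP
REDIRECT_URI = "https://vault.example.test/sso-callback"  # hypothetical
ISSUER = "https://sso.example.test/realms/demo"  # hypothetical issuer URL

# Constructed discovery document, in the shape an issuer serves at
# <issuer>/.well-known/openid-configuration. All values are placeholders.
DISCOVERY_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "response_types_supported": ["code"],
}


def check_discovery(doc, expected_issuer):
    """Validate a discovery document against what a client-secret RP needs.

    Returns the endpoints to use, or raises ValueError on the first problem.
    """
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("authorization code flow not supported")
    # Per OIDC Discovery, an absent list means client_secret_basic only.
    methods = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not methods & {"client_secret_basic", "client_secret_post"}:
        raise ValueError("no client secret authentication method offered")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if not url.startswith("https://"):
            raise ValueError("%s missing or not https: %r" % (key, url))
        endpoints[key] = url
    return endpoints


def build_authorization_url(auth_endpoint, state, nonce):
    """Authorization request for the code flow; state and nonce are per-login secrets
    the RP must store server-side and compare later."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
    }
    return auth_endpoint + "?" + urlencode(params)


def check_callback(callback_url, expected_state):
    """Return the authorization code from the redirect, rejecting a wrong state
    (CSRF / login-binding check). Raises ValueError on any mismatch."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch on callback")
    if "error" in query:
        raise ValueError("authorization error: %s" % query["error"][0])
    code = query.get("code")
    if not code or not code[0]:
        raise ValueError("no authorization code in callback")
    return code[0]


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Claim checks from OIDC Core 3.1.3.7, applied after the signature has
    been verified against jwks_uri. Returns the list of failing claim names."""
    now = int(time.time()) if now is None else now
    errors = []
    if claims.get("iss") != ISSUER:
        errors.append("iss")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        errors.append("aud")
    # With several audiences, azp must name this client.
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        errors.append("azp")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        errors.append("exp")
    if claims.get("nonce") != expected_nonce:
        errors.append("nonce")
    return errors
```

A relying party that skips the `state` or `nonce` comparison, or accepts any `aud`, will happily log a user in with a token minted for a different client or a different login attempt, which is why these checks sit next to the discovery checks rather than being treated as optional.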
Reference: github/vaultwarden#1440