SSO with OIDC (Keycloak and nginx): Error 400 when trying SSO-login #153

Closed
opened 2026-04-05 20:33:05 +02:00 by MrUnknownDE · 0 comments

Originally created by @lagerstrom235 on 1/16/2026

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.2
  • Web-vault version: v2025.12.1+build.3
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Alpine)
  • Database type: SQLite
  • Database version: 3.51.1
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Europe/Stockholm
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN, SSO_ENABLED, SSO_ONLY, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SSO_PKCE

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "example.com",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "info,rocket::server=trace",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "***********",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": true,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*********************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "***********",
  "sso_client_secret": "***",
  "sso_debug_tokens": true,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": false,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.2

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx/1.28.0

Host/Server Operating System

Linux

Operating System Version

HOST: Ubuntu 24.04, Docker: vaultwarden/server:latest-alpine

Clients

Web Vault

Client Version

Brave v1.86.118, chromium 143.0.7499.169, firefox 146.0.1

Steps To Reproduce

  1. Run vaultwarden (see vw-compose.yml in additional context)
  2. Run keycloak (see auth-compose.yml)
  3. Run nginx (see nginx-compose.yml)
  4. Try to login using SSO

I've done some configuration (shown in the diagnostics paste above), which of course also needs to be done to reproduce.

Expected Result

Redirected to keycloak website to login

Actual Result

Error 400, with JSON body saying "Failed to discover OpenID provider: Request failed"
(see 400.json)

Logs

Interesting part of logs is this:

"content-security-policy": "default-src 'none'; font-src 'self'; manifest-src 'self'; base-uri 'self'; form-action 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com ; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net ;",


If more logs are required, please let me know; I want to make sure I sanitize the logs before pasting them on the internet.

Screenshots or Videos

English is not my native language; please excuse typing errors.

My research:
I've been searching the web for similar issues and found multiple threads containing the 400 and "Failed to discover OpenID provider", although no one seems to have exactly the same issue as me. That leads me to believe this is a configuration error on my side; I just can't find what I've done wrong.

From my hours of troubleshooting I think I've found the core issue in CORS:

Running fetch("https://auth.example.com/auth/realms/example/.well-known/openid-configuration").then(console.log) when on the website "https://vw.example.com"

I get a console-error:

Connecting to 'https://auth.example.com/auth/realms/example/.well-known/openid-configuration' violates the following Content Security Policy directive: "connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net". The action has been blocked.

Refused to connect because it violates the document's Content Security Policy.

Running the same fetch request from other websites (e.g. google.com, my old domains and other random sites), I get status 200 and the correct JSON response.
Using curl in the vaultwarden container also returns correct JSON response.

I cannot find in the documentation how to change CORS settings for vaultwarden.

I've tried overriding the CSP in nginx as well but to no avail.

Any insight would be greatly appreciated.
Thanks in advance

Additional Context

vw-compose.yml
# Vaultwarden service as posted in the report (secrets replaced by placeholders by the reporter).
services:
  vaultwarden:
    # Floating tag; the diagnostics above pin the version that actually ran (v1.35.2).
    image: vaultwarden/server:latest-alpine
    environment:
      DOMAIN: "https://vw.example.com"
      # Placeholder as posted. NOTE(review): Vaultwarden also accepts an Argon2 PHC hash for
      # ADMIN_TOKEN, which keeps the plaintext token out of the compose file and `docker inspect`.
      ADMIN_TOKEN: "<admin token>"
      # NOTE(review): unquoted YAML booleans; the Compose spec recommends quoting them ("true")
      # so the YAML parser does not turn them into native booleans before they reach the container.
      SSO_ENABLED: true
      SSO_ONLY: false
      # NOTE(review): the diagnostics dump above reports sso_pkce: false and
      # sso_scopes: "email profile", which do not match this file — confirm which values the
      # running instance actually has before drawing conclusions.
      SSO_PKCE: true
      # NOTE(review): this is the bare host, while the discovery URL probed later in the report lives
      # under /auth/realms/example (Keycloak runs with KC_HTTP_RELATIVE_PATH "/auth"); the OIDC issuer
      # is the realm URL, and the masked sso_authority in the diagnostics is longer than this value —
      # confirm which one is live. The 400 body is in Vaultwarden's own API error format, so the
      # discovery request appears to be made server-side: the browser CSP connect-src error quoted
      # below would not affect it, whereas http_request_block_non_global_ips=true (see diagnostics)
      # would reject a discovery target that resolves to a private address from inside the
      # container — TODO confirm what auth.example.com resolves to there (curl is not subject to that check).
      SSO_AUTHORITY: "https://auth.example.com"
      SSO_CLIENT_ID: "vaultwarden"
      # Placeholder as posted; an env_file or Compose secret keeps it out of this file.
      SSO_CLIENT_SECRET: "<secret key>"
      SSO_SCOPES: "profile email offline_access vaultwarden"
      # NOTE(review): the diagnostics also show sso_debug_tokens: true, so this log file may contain
      # SSO tokens — keep the sanitization step mentioned in the report before sharing it.
      LOG_LEVEL: info,rocket::server=trace
      LOG_FILE: "/data/vaultwarden.log"
    volumes:
      - ./vw-data/:/data/
    networks:
      - nginx-network

# Shared with nginx and Keycloak (see the other compose files).
networks:
  nginx-network:
    external: true
    name: nginx-network
auth-compose.yml
# Keycloak service as posted; TLS material is bind-mounted read-only from the host.
services:
  keycloak:
    # NOTE(review): untagged image — the Keycloak version that ran is not recorded anywhere in the
    # report; pinning a tag would make the reproduction exact.
    image: quay.io/keycloak/keycloak
    environment:
      KC_LOG_LEVEL: info
      # Public URL carries the /auth prefix, consistent with KC_HTTP_RELATIVE_PATH below and with the
      # discovery URL probed in the report (https://auth.example.com/auth/realms/example/...).
      KC_HOSTNAME: "https://auth.example.com/auth"
      # Trust X-Forwarded-* from the proxy; nginx sets them in its auth.example.com server block.
      KC_PROXY_HEADERS: xforwarded
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_HTTP_RELATIVE_PATH: "/auth"
      # Placeholder as posted; an env_file or Compose secret keeps the real value out of this file.
      KC_DB_PASSWORD: "<secret>"
      # Keycloak terminates TLS itself; nginx re-encrypts to https://keycloak:8443.
      KC_HTTPS_CERTIFICATE_FILE: "/etc/x509/example.com.crt"
      # NOTE(review): the truststore is the server's own leaf certificate — presumably only
      # relevant for outbound calls Keycloak makes; verify it is needed at all.
      KC_TRUSTSTORE_PATHS: "/etc/x509/example.com.crt"
      KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/example.com.key"
    healthcheck:
      # NOTE(review): probes plain HTTP on 8080 while the service is configured for HTTPS; in
      # Keycloak's `start` (production) mode plain HTTP is disabled unless explicitly enabled —
      # TODO confirm this check actually reports healthy.
      test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
      interval: 15s
      timeout: 2s
      retries: 15
    restart: unless-stopped
    networks:
      - postgres-network
      - nginx-network
    volumes:
      - ./keycloak_data:/opt/keycloak/data
      # Read-only mounts: the container only needs to read the key material.
      - /etc/letsencrypt/live/example.com/cert.pem:/etc/x509/example.com.crt:ro
      - /etc/letsencrypt/live/example.com/privkey.pem:/etc/x509/example.com.key:ro
    # Production mode (no `start-dev`), so hostname/TLS settings above are enforced.
    command: ["start"]

networks:
  postgres-network:
    external: true
    name: postgres-network
  nginx-network:
    external: true
    name: nginx-network
nginx-compose.yml
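# nginx reverse proxy as posted; TLS material is bind-mounted from the host's Let's Encrypt directory.
services:
  nginx:
    image: nginx:stable
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      # Mounted read-only, matching the Keycloak service: the proxy only needs to read the
      # certificate and private key, and a read-only mount keeps a misconfigured or compromised
      # container from modifying the host's key material.
      - /etc/letsencrypt/live/example.com/cert.pem:/etc/nginx/example.com.crt:ro
      - /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/example.com.key:ro
    networks:
      - nginx-network
    ports:
      # Published on all host interfaces; port 80 only serves the HTTPS redirect in nginx.conf.
      - 443:443
      - 80:80

# Shared with the Vaultwarden and Keycloak services.
networks:
  nginx-network:
    external: true
    name: nginx-network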
nginx.conf
...
http {
    # Redirect all plain-HTTP traffic for the apex and every subdomain to HTTPS.
    server {
        listen 80;
        server_name *.example.com example.com;

        return 301 https://$host$request_uri;
    }

    # Vaultwarden: TLS terminated here, plain HTTP to the container.
    server {
        listen 443 ssl;
        http2 on;
        server_name vw.example.com;

        # NOTE(review): example.com.crt is mounted from Let's Encrypt's cert.pem, which holds the leaf
        # certificate only; nginx expects the intermediate chain in this file as well (fullchain.pem).
        # Clients that do not fetch missing intermediates themselves will fail to validate the
        # server — worth checking for the auth.example.com block below too, since a non-browser
        # client (Vaultwarden's discovery request) is the one failing here.
        ssl_certificate example.com.crt;
        ssl_certificate_key example.com.key;

        location / {
            proxy_pass http://vaultwarden:80;
            proxy_http_version 1.1;

            # WebSocket support; Connection is forced to 'upgrade' for every request, not only upgrades.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            # X-Real-IP is the header Vaultwarden's ip_header setting reads (see diagnostics).
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            # No CSP is set at the proxy: the content-security-policy header quoted in the report's
            # logs is emitted by Vaultwarden itself, and its connect-src list appears to be governed
            # by the allowed_connect_src setting visible in the diagnostics config (currently "").
            # It only restricts the browser; a server-side discovery request is unaffected, so
            # loosening it here would weaken the web vault's policy without addressing the 400.
        }
    }

    # Keycloak: TLS re-encrypted to the container on 8443.
    server {
        listen 443 ssl;
        server_name auth.example.com;

        ssl_certificate example.com.crt;
        ssl_certificate_key example.com.key;

        location / {
            # NOTE(review): nginx does not verify the upstream certificate unless proxy_ssl_verify is
            # enabled and given a trust store, so this hop is encrypted but not authenticated as
            # written; on a private Docker network that is often accepted, but it should be a
            # deliberate choice.
            proxy_pass https://keycloak:8443;
            proxy_http_version 1.1;

            # Forwarded headers consumed by Keycloak via KC_PROXY_HEADERS=xforwarded.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
...
400.json
{
  "message": "Failed to discover OpenID provider: Request failed",
  "validationErrors": {
    "": [
      "Failed to discover OpenID provider: Request failed"
    ]
  },
  "errorModel": {
    "message": "Failed to discover OpenID provider: Request failed",
    "object": "error"
  },
  "error": "",
  "error_description": "",
  "exceptionMessage": null,
  "exceptionStackTrace": null,
  "innerExceptionMessage": null,
  "object": "error"
}
*Originally created by @lagerstrom235 on 1/16/2026* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.2 * Web-vault version: v2025.12.1+build.3 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Alpine) * Database type: SQLite * Database version: 3.51.1 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * TZ environment: Europe/Stockholm * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN, SSO_ENABLED, SSO_ONLY, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SSO_PKCE **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, 
"database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://*******************", "domain_origin": "*****://*******************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "example.com", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "info,rocket::server=trace", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": 
false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "***********", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": true, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://*********************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "***********", "sso_client_secret": "***", "sso_debug_tokens": true, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": false, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, 
"yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.2 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginx/1.28.0 ### Host/Server Operating System Linux ### Operating System Version HOST: Ubuntu 24.04, Docker: vaultwarden/server:latest-alpine ### Clients Web Vault ### Client Version Brave v1.86.118, chromium 143.0.7499.169, firefox 146.0.1 ### Steps To Reproduce 1. Run vaultwarden (see vw-compose.yml in additional context) 2. Run keycloak (see auth-compose.yml) 3. Run nginx (see nginx-compose.yml) 4. Try to login using SSO I've done some configuration which shows in the diagnostics paste which of course needs to be done ### Expected Result Redirected to keycloak website to login ### Actual Result Error 400, with JSON body saying "Failed to discover OpenID provider: Request failed" (see 400.json) ### Logs ```text Interesting part of logs is this: "content-security-policy": "default-src 'none'; font-src 'self'; manifest-src 'self'; base-uri 'self'; form-action 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com ; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net ;", If more logs are required please let me know, I want to make sure I sanitize logs before pasting them on the internet ``` ### Screenshots or Videos English is not my native language; please excuse typing errors. 
My research: I've been searching the web for similar issues and found multiple threads containing the 400 and "Failed to discover OpenID provider" although no-one seems to have the exact same issue as me. Which leads me to believe this is a configuration error on my side, I just can't find what I've done wrong. From my hours of troubleshooting I think I've found the core issue in CORS: Running `fetch("https://auth.example.com/auth/realms/example/.well-known/openid-configuration").then(console.log)` when on the website "https://vw.example.com" I get a console-error: ``` Connecting to 'https://auth.example.com/auth/realms/example/.well-known/openid-configuration' violates the following Content Security Policy directive: "connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net". The action has been blocked. Refused to connect because it violates the document's Content Security Policy. ``` Running the same fetch request on other websites (e.g. google.com, my old domains and other random sites) I get status:200 and the correct JSON response. Using curl in the vaultwarden container also returns correct JSON response. I cannot find in the documentation how to change CORS settings for vaultwarden. I've tried overriding the CSP in nginx as well but to no avail. Any insight would be greatly appreciated. 
Thanks in advance ### Additional Context <details> <summary>vw-compose.yml</summary> ```yaml services: vaultwarden: image: vaultwarden/server:latest-alpine environment: DOMAIN: "https://vw.example.com" ADMIN_TOKEN: "<admin token>" SSO_ENABLED: true SSO_ONLY: false SSO_PKCE: true SSO_AUTHORITY: "https://auth.example.com" SSO_CLIENT_ID: "vaultwarden" SSO_CLIENT_SECRET: "<secret key>" SSO_SCOPES: "profile email offline_access vaultwarden" LOG_LEVEL: info,rocket::server=trace LOG_FILE: "/data/vaultwarden.log" volumes: - ./vw-data/:/data/ networks: - nginx-network networks: nginx-network: external: true name: nginx-network ``` </details> <details> <summary>auth-compose.yml</summary> ```yaml services: keycloak: image: quay.io/keycloak/keycloak environment: KC_LOG_LEVEL: info KC_HOSTNAME: "https://auth.example.com/auth" KC_PROXY_HEADERS: xforwarded KC_DB: postgres KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak KC_DB_USERNAME: keycloak KC_HTTP_RELATIVE_PATH: "/auth" KC_DB_PASSWORD: "<secret>" KC_HTTPS_CERTIFICATE_FILE: "/etc/x509/example.com.crt" KC_TRUSTSTORE_PATHS: "/etc/x509/example.com.crt" KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/example.com.key" healthcheck: test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"] interval: 15s timeout: 2s retries: 15 restart: unless-stopped networks: - postgres-network - nginx-network volumes: - ./keycloak_data:/opt/keycloak/data - /etc/letsencrypt/live/example.com/cert.pem:/etc/x509/example.com.crt:ro - /etc/letsencrypt/live/example.com/privkey.pem:/etc/x509/example.com.key:ro command: ["start"] networks: postgres-network: external: true name: postgres-network nginx-network: external: true name: nginx-network ``` </details> <details> <summary>nginx-compose.yml</summary> ```yaml services: nginx: image: nginx:stable volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro - /etc/letsencrypt/live/example.com/cert.pem:/etc/nginx/example.com.crt - /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/example.com.key networks: 
- nginx-network ports: - 443:443 - 80:80 networks: nginx-network: external: true name: nginx-network ``` </details> <details> <summary>nginx.conf</summary> ```nginx ... http { server { listen 80; server_name *.example.com example.com; return 301 https://$host$request_uri; } server { listen 443 ssl; http2 on; server_name vw.example.com; ssl_certificate example.com.crt; ssl_certificate_key example.com.key; location / { proxy_pass http://vaultwarden:80; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } } server { listen 443 ssl; server_name auth.example.com; ssl_certificate example.com.crt; ssl_certificate_key example.com.key; location / { proxy_pass https://keycloak:8443; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; } } ... ``` </details> <details> <summary>400.json</summary> ```JSON { "message": "Failed to discover OpenID provider: Request failed", "validationErrors": { "": [ "Failed to discover OpenID provider: Request failed" ] }, "errorModel": { "message": "Failed to discover OpenID provider: Request failed", "object": "error" }, "error": "", "error_description": "", "exceptionMessage": null, "exceptionStackTrace": null, "innerExceptionMessage": null, "object": "error" } ``` </details>