VW ignores disabling email verification requirement #193

New Issue

MrUnknownDE · 2026-04-05T20:36:46+02:00

MrUnknownDE commented

2026-04-05 20:36:46 +02:00

Originally created by @williamkray on 12/31/2025

Prerequisites

I have searched the existing Closed AND Open Issues AND Discussions
I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.35.1
Web-vault version: v2025.12.1
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Database type: SQLite
Database version: 3.50.2
Uses config.json: false
Uses a reverse proxy: true
IP Header check: true (X-Real-IP)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Websocket Check: true
HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://*************",
  "domain_origin": "*****://*************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "***********",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": true,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*********************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://******************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "openid email profile offline_access",
  "sso_signups_match_email": false,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

traefik 3.5.4

Host/Server Operating System

Linux

Operating System Version

Arch Linux

Clients

Web Vault

Client Version

v2025.12.1

Steps To Reproduce

I have deleted all browser local storage and cookies, deleted my vaultwarden data folder, and tried starting fresh multiple times to ensure nothing is cached. I am not using cloudflare or any caching layer.
Initially I followed the setup guide here: https://integrations.goauthentik.io/security/vaultwarden/ which sets SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false, but I have also continued to experiment with allowing unknown email verification.

As of this moment, the environment variables I am setting are:

    environment:
      DOMAIN: "https://vault.my.domain"
      SIGNUPS_ALLOWED: false
      SSO_ENABLED: true
      SSO_AUTHORITY: https://auth.my.domain/application/o/vault/
      SSO_CLIENT_ID: REDACTED
      SSO_CLIENT_SECRET: REDACTED
      SSO_SCOPES: "openid email profile offline_access"
      SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: true
      SSO_CLIENT_CACHE_EXPIRATION: 0
      SSO_ONLY: true
      SSO_SIGNUPS_MATCH_EMAIL: false

Expected Result

I am able to log into Vaultwarden through SSO, even with an unregistered account.

Actual Result

When attempting to log in with an un-registered account using an email address associated with my SSO user, I get a 400 response in Vaultwarden with the error "You must verify your email address with your identity provider"
I have attempted to change the email verification requirements, but no matter what I set it to it seems to fail to log me in as a new user.
In Authentik, I see successful authorization events for my Vaultwarden application.

Logs

vaultwarden-1  | [2025-12-31 16:03:28.928][vaultwarden::auth][INFO] Private key 'data/rsa_key.pem' created correctly
vaultwarden-1  | [2025-12-31 16:03:29.379][start][INFO] Rocket has launched from http://0.0.0.0:80
vaultwarden-1  | [2025-12-31 16:06:19.059][request][INFO] GET /api/config
vaultwarden-1  | [2025-12-31 16:06:19.059][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-1  | [2025-12-31 16:06:24.265][request][INFO] POST /api/organizations/domain/sso/verified
vaultwarden-1  | [2025-12-31 16:06:24.266][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK
vaultwarden-1  | [2025-12-31 16:06:24.279][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER
vaultwarden-1  | [2025-12-31 16:06:24.281][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
vaultwarden-1  | [2025-12-31 16:06:24.308][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
vaultwarden-1  | [2025-12-31 16:06:26.071][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
vaultwarden-1  | [2025-12-31 16:06:26.574][request][INFO] GET /identity/connect/oidc-signin?code=REDACTED
vaultwarden-1  | [2025-12-31 16:06:26.575][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
vaultwarden-1  | [2025-12-31 16:06:27.080][request][INFO] POST /identity/connect/token
vaultwarden-1  | [2025-12-31 16:06:29.483][vaultwarden::api::identity][ERROR] You need to verify your email with your provider before you can log in
vaultwarden-1  | [2025-12-31 16:06:29.483][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Screenshots or Videos

No response

Additional Context

I assume this has something to do with it: https://docs.goauthentik.io/releases/2025.10/#default-oauth-scope-mappings

And so I have worked around the configuration in Authentik by creating a new email scope mapping, based off of the default scope mapping, that returns "email_verified": True specifically for this use-case, but it still seems like the Vaultwarden handling of this should be corrected.

*Originally created by @williamkray on 12/31/2025* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.1 * Web-vault version: v2025.12.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://*************", "domain_origin": "*****://*************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "***********", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": true, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://*********************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://******************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "openid email profile offline_access", "sso_signups_match_email": false, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.1 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy traefik 3.5.4 ### Host/Server Operating System Linux ### Operating System Version Arch Linux ### Clients Web Vault ### Client Version v2025.12.1 ### Steps To Reproduce 1. I have deleted all browser local storage and cookies, deleted my vaultwarden data folder, and tried starting fresh multiple times to ensure nothing is cached. I am not using cloudflare or any caching layer. 2. Initially I followed the setup guide here: https://integrations.goauthentik.io/security/vaultwarden/ which sets SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false, but I have also continued to experiment with allowing unknown email verification. As of this moment, the environment variables I am setting are: ```yaml environment: DOMAIN: "https://vault.my.domain" SIGNUPS_ALLOWED: false SSO_ENABLED: true SSO_AUTHORITY: https://auth.my.domain/application/o/vault/ SSO_CLIENT_ID: REDACTED SSO_CLIENT_SECRET: REDACTED SSO_SCOPES: "openid email profile offline_access" SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: true SSO_CLIENT_CACHE_EXPIRATION: 0 SSO_ONLY: true SSO_SIGNUPS_MATCH_EMAIL: false ``` ### Expected Result I am able to log into Vaultwarden through SSO, even with an unregistered account. ### Actual Result When attempting to log in with an un-registered account using an email address associated with my SSO user, I get a 400 response in Vaultwarden with the error "You must verify your email address with your identity provider" I have attempted to change the email verification requirements, but no matter what I set it to it seems to fail to log me in as a new user. In Authentik, I see successful authorization events for my Vaultwarden application. ### Logs ```text vaultwarden-1 | [2025-12-31 16:03:28.928][vaultwarden::auth][INFO] Private key 'data/rsa_key.pem' created correctly vaultwarden-1 | [2025-12-31 16:03:29.379][start][INFO] Rocket has launched from http://0.0.0.0:80 vaultwarden-1 | [2025-12-31 16:06:19.059][request][INFO] GET /api/config vaultwarden-1 | [2025-12-31 16:06:19.059][response][INFO] (config) GET /api/config => 200 OK vaultwarden-1 | [2025-12-31 16:06:24.265][request][INFO] POST /api/organizations/domain/sso/verified vaultwarden-1 | [2025-12-31 16:06:24.266][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK vaultwarden-1 | [2025-12-31 16:06:24.279][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER vaultwarden-1 | [2025-12-31 16:06:24.281][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK vaultwarden-1 | [2025-12-31 16:06:24.308][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt vaultwarden-1 | [2025-12-31 16:06:26.071][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect vaultwarden-1 | [2025-12-31 16:06:26.574][request][INFO] GET /identity/connect/oidc-signin?code=REDACTED vaultwarden-1 | [2025-12-31 16:06:26.575][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect vaultwarden-1 | [2025-12-31 16:06:27.080][request][INFO] POST /identity/connect/token vaultwarden-1 | [2025-12-31 16:06:29.483][vaultwarden::api::identity][ERROR] You need to verify your email with your provider before you can log in vaultwarden-1 | [2025-12-31 16:06:29.483][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ``` ### Screenshots or Videos _No response_ ### Additional Context I assume this has something to do with it: https://docs.goauthentik.io/releases/2025.10/#default-oauth-scope-mappings And so I have worked around the configuration in Authentik by creating a new email scope mapping, based off of the default scope mapping, that returns `"email_verified": True` specifically for this use-case, but it still seems like the Vaultwarden handling of this should be corrected.

MrUnknownDE closed this issue

2026-04-05 20:36:46 +02:00

MrUnknownDE added the bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug labels 2026-04-05 20:36:56 +02:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#193