OIDC (Authentik) Login Option Does Not Appear on Desktop Browser Web Page #207

Closed
opened 2026-04-05 20:38:16 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @pr0927 on 12/28/2025

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.0
  • Web-vault version: v2025.12.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 16.4 (Debian 16.4-1.pgdg120+2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: America/Los_Angeles
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "**********://*******************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://****************",
  "domain_origin": "*****://****************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": true,
  "email_2fa_enforce_on_verified_invite": true,
  "email_attempts_limit": 6,
  "email_change_allowed": true,
  "email_expiration_time": 3600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "[redacted]",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Plain",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "****************",
  "smtp_from_name": "*****",
  "smtp_host": "******************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "****************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://******************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "openid email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.35

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Nginx Proxy Manager

Host/Server Operating System

Linux

Operating System Version

Debian

Clients

Web Vault

Client Version

No response

Steps To Reproduce

  1. Go to main Vaultwarden address.
  2. Weirdly get prompted to put in e-mail address.
  3. Get taken to login page where an option is shown to login with a device.
  4. See that there is no OIDC login option.

Expected Result

I expected to see an OIDC login option.

Actual Result

I don't see an OIDC login option - I do on mobile, and I do within the Firefox browser extension - but not in any desktop web browser.

Logs


Screenshots or Videos

Image Image

Additional Context

Apologies in advance for the poor practice of putting some of this info in environment variables (was one of my first Docker containers, some legacy security practices...), planning on fixing this shortly with a .env file, but for now, my Docker compose:

# Compose stack from the report: a PostgreSQL 16.4 database and the Vaultwarden
# server that connects to it. Values shown as [redacted] are secrets kept inline;
# they are readable by anyone with access to this file or to the container's
# environment.
services:
  postgres-vaultwarden:
    image: postgres:16.4
    container_name: postgres-vaultwarden
    labels:
      - "com.centurylinklabs.watchtower.monitor-only=true"
    # Runs the database process as uid/gid 1000 rather than the image default.
    user: 1000:1000
    restart: unless-stopped
    shm_size: 256mb
    environment:
      POSTGRES_USER: vaultwarden_user
      POSTGRES_PASSWORD: [redacted]
      POSTGRES_DB: vaultwarden_db
      TZ: America/Los_Angeles
    volumes:
      - /data/postgres-vaultwarden/data:/var/lib/postgresql/data
    # NOTE(review): publishes PostgreSQL on host port 5433; with no host address
    # given, Docker binds it on every host interface. The vaultwarden service
    # reaches the database by service name (DATABASE_URL uses
    # postgres-vaultwarden:5432), so this mapping is only needed for host-side
    # access. Consider dropping it or binding to 127.0.0.1.
    ports:
      - "5433:5432"
    # Gates the vaultwarden service below (depends_on: condition: service_healthy).
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U vaultwarden_user -d vaultwarden_db"]
      interval: 30s
      timeout: 10s
      retries: 5
  vaultwarden:
    # NOTE(review): floating tag; the diagnostics in this report list v1.35.0.
    # Pinning a version (or digest) keeps the deployed build known and reproducible.
    image: vaultwarden/server:latest
    container_name: vaultwarden
    labels:
      - "com.centurylinklabs.watchtower.monitor-only=true"
    # NOTE(review): the diagnostics output reports DOMAIN, SIGNUPS_ALLOWED and
    # ADMIN_TOKEN as overridden while config.json is in use, so the values set
    # here for those three are presumably not the ones in effect. Confirm.
    environment:
      DOMAIN: "https://vault.[domain.tld]"  # required when using a reverse proxy; your domain; vaultwarden needs to know it's https to work properly with attachments
      SIGNUPS_ALLOWED: false # Deactivate this with "false" after you have created your account so that no strangers can register
      PUSH_ENABLED: true
      PUSH_INSTALLATION_ID: [redacted]
      PUSH_INSTALLATION_KEY: [redacted]
      DATABASE_URL: "postgresql://vaultwarden_user:[redacted]@postgres-vaultwarden:5432/vaultwarden_db"
      # NOTE(review): the database connection is already given by DATABASE_URL;
      # these POSTGRES_* variables look like leftovers. Confirm they are unused
      # and remove them so the DB password is not duplicated in this container.
      POSTGRES_USER: vaultwarden_user
      POSTGRES_PASSWORD: [redacted]
      POSTGRES_IP: postgres-vaultwarden
      POSTGRES_PORT: 5432
      POSTGRES_DB: vaultwarden_db
      # NOTE(review): no matching setting appears in the diagnostics config dump;
      # presumably unused by Vaultwarden. Confirm and remove.
      JWT_SECRET: [redacted]
      TZ: America/Los_Angeles
      # Vaultwarden also accepts an Argon2 PHC hash here instead of a plain-text token.
      ADMIN_TOKEN: [redacted]
      SSO_ENABLED: true
      SSO_AUTHORITY: "https://auth.domain.tld/application/o/vaultwarden/"
      SSO_CLIENT_ID: [redacted]
      SSO_CLIENT_SECRET: [redacted]
      SSO_SCOPES: "openid email profile offline_access"
      # Keep this false while SSO_SIGNUPS_MATCH_EMAIL is true: linking an SSO login
      # to an existing account by e-mail relies on the IdP vouching for the address.
      SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: false
      SSO_CLIENT_CACHE_EXPIRATION: 0
      SSO_ONLY: false # Set to true to disable email+master password login and require SSO
      SSO_SIGNUPS_MATCH_EMAIL: true # Match first SSO login to existing account by email
    # NOTE(review): plain HTTP published on every host interface. The report says
    # a reverse proxy fronts this service and X-Real-IP is trusted as the client
    # address; if this port is reachable without going through the proxy, that
    # header is no longer proxy-controlled. If the proxy runs on the same host,
    # consider binding to 127.0.0.1 or to a network only the proxy can reach.
    ports:
      - 11001:80 # you can replace the 11001 with your preferred port
    volumes:
      - /data/vaultwarden/data:/data
    # Start only after the database healthcheck passes.
    depends_on:
      postgres-vaultwarden:
        condition: service_healthy
    restart: unless-stopped
*Originally created by @pr0927 on 12/28/2025* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.0 * Web-vault version: v2025.12.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 16.4 (Debian 16.4-1.pgdg120+2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * TZ environment: America/Los_Angeles * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, 
"database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "**********://*******************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://****************", "domain_origin": "*****://****************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": true, "email_2fa_enforce_on_verified_invite": true, "email_attempts_limit": 6, "email_change_allowed": true, "email_expiration_time": 3600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": "***", "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "[redacted]", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", 
"org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": "Plain", "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "****************", "smtp_from_name": "*****", "smtp_host": "******************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "****************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://******************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*********************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "openid email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, 
"user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.35 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Nginx Proxy Manager ### Host/Server Operating System Linux ### Operating System Version Debian ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce 1. Go to main Vaultwarden address. 2. Weirdly get prompted to put in e-mail address. 3. Get taken to login page where an option is shown to login with a device. 4. See that there is no OIDC login option. ### Expected Result I expected to see an OIDC login option. ### Actual Result I don't see an OIDC login option - I do on mobile, and I do within the Firefox browser extension - but not in any desktop web browser. ### Logs ```text ``` ### Screenshots or Videos <img width="1920" height="970" alt="Image" src="https://github.com/user-attachments/assets/b26114e2-a4cf-48f5-9eb9-91dcf2db92e2" /> <img width="1920" height="970" alt="Image" src="https://github.com/user-attachments/assets/a2bdccbf-b2e2-4919-adab-98f221b9fa8f" /> ### Additional Context Apologies in advance for the poor practice of putting some of this info in environment variables (was one of my first Docker containers, some legacy security practices...), planning on fixing this shortly with a .env file, but for now, my Docker compose: ``` services: postgres-vaultwarden: image: postgres:16.4 container_name: postgres-vaultwarden labels: - "com.centurylinklabs.watchtower.monitor-only=true" user: 1000:1000 restart: unless-stopped shm_size: 256mb environment: POSTGRES_USER: vaultwarden_user POSTGRES_PASSWORD: [redacted] POSTGRES_DB: vaultwarden_db TZ: America/Los_Angeles volumes: - /data/postgres-vaultwarden/data:/var/lib/postgresql/data ports: - "5433:5432" healthcheck: test: ["CMD-SHELL", 
"pg_isready -U vaultwarden_user -d vaultwarden_db"] interval: 30s timeout: 10s retries: 5 vaultwarden: image: vaultwarden/server:latest container_name: vaultwarden labels: - "com.centurylinklabs.watchtower.monitor-only=true" environment: DOMAIN: "https://vault.[domain.tld]" # required when using a reverse proxy; your domain; vaultwarden needs to know it's https to work properly with attachments SIGNUPS_ALLOWED: false # Deactivate this with "false" after you have created your account so that no strangers can register PUSH_ENABLED: true PUSH_INSTALLATION_ID: [redacted] PUSH_INSTALLATION_KEY: [redacted] DATABASE_URL: "postgresql://vaultwarden_user:[redacted]@postgres-vaultwarden:5432/vaultwarden_db" POSTGRES_USER: vaultwarden_user POSTGRES_PASSWORD: [redacted] POSTGRES_IP: postgres-vaultwarden POSTGRES_PORT: 5432 POSTGRES_DB: vaultwarden_db JWT_SECRET: [redacted] TZ: America/Los_Angeles ADMIN_TOKEN: [redacted] SSO_ENABLED: true SSO_AUTHORITY: "https://auth.domain.tld/application/o/vaultwarden/" SSO_CLIENT_ID: [redacted] SSO_CLIENT_SECRET: [redacted] SSO_SCOPES: "openid email profile offline_access" SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: false SSO_CLIENT_CACHE_EXPIRATION: 0 SSO_ONLY: false # Set to true to disable email+master password login and require SSO SSO_SIGNUPS_MATCH_EMAIL: true # Match first SSO login to existing account by email ports: - 11001:80 # you can replace the 11001 with your preferred port volumes: - /data/vaultwarden/data:/data depends_on: postgres-vaultwarden: condition: service_healthy restart: unless-stopped ```
Reference: github/vaultwarden#207