SSO: Not properly redirected to linux desktop client #222

Closed
opened 2026-04-05 20:40:31 +02:00 by MrUnknownDE · 0 comments

Originally created by @ravxen on 12/24/2025

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-0ab7784b
  • Web-vault version: v2025.12.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)


Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://********************",
  "domain_origin": "*****://********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://api.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "*****************",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "***********",
  "smtp_host": "***************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": true,
  "sso_authority": "*****://******************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "***********",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

testing

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

pangolin:latest, uses traefik:v.3.4.0 as backend

Host/Server Operating System

Linux

Operating System Version

Arch Linux

Clients

Desktop

Client Version

bitwarden 2025.10.0-1

Steps To Reproduce

  1. Deploy server with vaultwarden:testing and sso enabled
  2. Configure 'keycloak' as SSO Provider
  3. Try to log in with the Bitwarden desktop client (the browser and Android clients were tested successfully against the same server)
  4. Login with credentials

Expected Result

After authenticating at Keycloak, the browser is redirected back to the desktop client, which completes the login.

Actual Result

The browser never redirects to the desktop client, even though the following URIs are configured as "Valid redirect URIs" for the client in Keycloak:

- https://vault.domain.tld/identity/connect/oidc-signin
- bitwarden://* (initially bitwarden://sso-callback; changed to the wildcard only to rule out an exact-match problem — neither variant worked)

Logs

Vaultwarden: 


[2025-12-24 07:59:14.733][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK
[2025-12-24 07:59:14.785][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER
[2025-12-24 07:59:14.788][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2025-12-24 07:59:14.822][request][INFO] GET /identity/connect/authorize?client_id=desktop&redirect_uri
[2025-12-24 07:59:14.965][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2025-12-24 07:59:15.057][request][INFO] GET /identity/connect/oidc-signin?state=YkhXakREZXlNNWpFY0hrWU1h
[2025-12-24 07:59:15.057][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect

Keycloak (User events):

auth_method -> openid-connect
auth_type -> code
response_type -> code
redirect_uri -> https://vault.domain.tld/identity/connect/oidc-signin
consent ->  no_consent_required
code_id -> 157ad942-1tu7-3513-6434-99db72jd5y32
response_mode -> query
username -> myname

Screenshots or Videos

No response

Additional Context

redirect_uri -> https://vault.domain.tld/identity/connect/oidc-signin

This redirect_uri is Vaultwarden's own OIDC callback (sso_callback_path), so Keycloak is handing the authorization code back to Vaultwarden as configured. The desktop client, however, expects to end up at bitwarden://sso-callback — the URL shown in the browser confirms this (note that the slashes in redirectUri are double-encoded, %252F):

https://vault.domain.lab/#/sso?clientId=desktop&redirectUri=bitwarden:%252F%252Fsso-callback

I'm not sure whether the problem lies between Vaultwarden and Keycloak: Keycloak appears to be configured correctly, and custom-scheme mobile redirect URIs like the bitwarden:// one work for other clients such as Immich or Jellyfin. Since Vaultwarden holds the OIDC client credentials and receives the code at /identity/connect/oidc-signin (the log shows that request answered with a 307), the hop to bitwarden://sso-callback presumably happens after that callback, in the web vault, rather than in Keycloak. Note also that the browser URL uses vault.domain.lab while the Keycloak redirect_uri uses vault.domain.tld — if that is not just inconsistent masking, the mismatch is worth checking. Either way, the bitwarden://* entry in Keycloak's valid redirect URIs is not needed for this flow and only widens the set of targets Keycloak will deliver authorization codes to, so it should be removed regardless of how this is resolved.

*Originally created by @ravxen on 12/24/2025* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-0ab7784b * Web-vault version: v2025.12.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": 
false, "dns_prefer_ipv6": false, "domain": "*****://********************", "domain_origin": "*****://********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.eu", "push_installation_id": "***", 
"push_installation_key": "***", "push_relay_uri": "https://api.bitwarden.eu", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "*****************", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "********************", "smtp_from_name": "***********", "smtp_host": "***************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "******************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": true, "sso_authority": "*****://******************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "***********", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version testing ### Deployment method Official Container Image ### Custom deployment method _No 
response_ ### Reverse Proxy pangolin:latest, uses traefik:v.3.4.0 as backend ### Host/Server Operating System Linux ### Operating System Version Arch Linux ### Clients Desktop ### Client Version bitwarden 2025.10.0-1 ### Steps To Reproduce 1. Deploy server with vaultwarden:testing and sso enabled 2. Configure 'keycloak' as SSO Provider 3. Test if the bitwarden desktop client works (browser & android successfully tested) 4. Login with credentials ### Expected Result Webpage gets redirected to the desktop client and successfully logs in. ### Actual Result Webpage never redirects, despite having the following URIs configured as "Valid redirect URI" in keycloak. ``` - https://vault.domain.tld/identity/connect/oidc-signin - bitwarden://* (Initially 'bitwarden://sso-callback', but changed just to make sure. Both didn't work.) ``` ### Logs ```text Vaultwarden: [2025-12-24 07:59:14.733][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK [2025-12-24 07:59:14.785][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER [2025-12-24 07:59:14.788][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK [2025-12-24 07:59:14.822][request][INFO] GET /identity/connect/authorize?client_id=desktop&redirect_uri [2025-12-24 07:59:14.965][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect [2025-12-24 07:59:15.057][request][INFO] GET /identity/connect/oidc-signin?state=YkhXakREZXlNNWpFY0hrWU1h [2025-12-24 07:59:15.057][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect Keycloak (User events): auth_method -> openid-connect auth_type -> code response_type -> code redirect_uri -> https://vault.domain.tld/identity/connect/oidc-signin consent -> no_consent_required code_id -> 157ad942-1tu7-3513-6434-99db72jd5y32 response_mode -> query username -> myname ``` ### Screenshots or Videos _No response_ ### Additional 
Context ``` redirect_uri -> https://vault.domain.tld/identity/connect/oidc-signin ``` Is somewhat the culprit I guess, because desktop expects bitwarden://sso-callback because the URL in the browser shows ``` https://vault.domain.lab/#/sso?clientId=desktop&redirectUri=bitwarden:%252F%252Fsso-callback ``` Im not sure if vaultwarden SSO has an issue with keycloak because keycloak is correctly configured and mobile redirects, similar to the bitwarden URI, work for e.g immich or jellyfin.

Reference: github/vaultwarden#222