[SSO] Authentik Token exchange failure #291

Closed
opened 2026-04-05 20:47:49 +02:00 by MrUnknownDE · 0 comments

Originally created by @amypotato on 11/9/2025

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-9017ca26
  • Web-vault version: v2025.10.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******************",
  "domain_origin": "*****://******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info,vaultwarden::sso=debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "***********",
  "smtp_host": "****",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": true,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://********************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://***********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "***********",
  "sso_client_secret": "***",
  "sso_debug_tokens": true,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "openid email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3-9017ca26

Deployment method

Official Container Image

Custom deployment method

Deployed via Docker Swarm; the Swarm service definition is:

vaultwarden:
    # NOTE(review): `testing` is a moving tag; the diagnostics above report
    # v1.34.3-9017ca26, so pinning that version (or the image digest) keeps the
    # deployment reproducible and makes a later regression attributable.
    image: vaultwarden/server:testing
    volumes:
      - vaultwarden_data:/data
    # The OAuth client secret and the admin token are Swarm secrets, mounted as
    # files under /run/secrets and referenced through the *_FILE variables
    # below rather than passed as plain environment variables.
    secrets:
      - vaultwarden-oauth-client-secret
      - vaultwarden-admin-token-v3
    environment:
      # Web vault domain - IMPORTANT: Must be HTTPS in production
      DOMAIN: "https://vault.my.domain"
      # Database configuration (using SQLite by default, can be changed to PostgreSQL/MySQL)
      # DATABASE_URL: not set = uses SQLite stored in /data/
      # Security settings
      SIGNUPS_ALLOWED: "false"  # Disable new user registrations
      INVITATIONS_ALLOWED: "true"  # Allow invitations from existing users
      EMERGENCY_ACCESS_ALLOWED: "true"
      SENDS_ALLOWED: "true"
      WEB_VAULT_ENABLED: "true"
      # Admin panel settings
      # NOTE(review): Vaultwarden also accepts an Argon2 PHC hash in place of
      # the plaintext admin token; confirm which form this secret file holds.
      ADMIN_TOKEN_FILE: "/run/secrets/vaultwarden-admin-token-v3"
      # SSO/OAuth configuration with Authentik
      SSO_ENABLED: "true"
      SSO_AUTHORITY: "https://auth.my.domain/application/o/vaultwarden/"
      # NOTE(review): expanded by the stack tooling at deploy time. If
      # VAULTWARDEN_OAUTH_CLIENT_ID is unset on the deploying shell it becomes
      # an empty string, which is one possible cause of the `invalid_client`
      # rejection shown in the logs below — compare the expanded value with
      # the client registered in the IdP.
      SSO_CLIENT_ID: "${VAULTWARDEN_OAUTH_CLIENT_ID}"
      # NOTE(review): the same IdP error covers a wrong client secret; verify
      # that the secret file contains exactly the registered value (a trailing
      # newline in the file is a common mismatch — confirm whether it is
      # trimmed on read).
      SSO_CLIENT_SECRET_FILE: "/run/secrets/vaultwarden-oauth-client-secret"
      SSO_SCOPES: "openid email profile offline_access"
      # NOTE(review): presumably lets logins proceed when the IdP does not mark
      # the email as verified; combined with email-based account matching this
      # binds an IdP identity to an existing vault account by email alone, so
      # it should only stay on while the IdP is trusted to own the email domain.
      SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: "true"
      SSO_CLIENT_CACHE_EXPIRATION: "0"
      # Email configuration using local mail container
      # Plaintext SMTP (security=off, port 25) to a sibling container over the
      # overlay network; acceptable only while that network is trusted.
      SMTP_HOST: "mail"
      SMTP_FROM: "${VAULTWARDEN_SMTP_FROM:-postmaster@my.domain}"
      SMTP_PORT: "25"
      SMTP_SECURITY: "off"
      SMTP_TIMEOUT: "15"
      # Other useful settings
      SHOW_PASSWORD_HINT: "false"
      # Troubleshooting-only: the sso=debug level and SSO_DEBUG_TOKENS (its
      # name suggests it writes SSO token material to the container log —
      # confirm in the documentation) should be reverted once the issue is
      # resolved, and any log excerpt checked for tokens before it is posted.
      LOG_LEVEL: "info,vaultwarden::sso=debug"
      SSO_DEBUG_TOKENS: "true"
      EXTENDED_LOGGING: "true"
      # Rocket server settings
      # Plain HTTP on the container side; TLS is terminated by Traefik (see the
      # tls=true router labels below).
      ROCKET_PORT: "80"
      ROCKET_WORKERS: "10"
    networks:
      - default
    stop_signal: SIGTERM
    stop_grace_period: 30s
    deploy:
      # Merged from a YAML anchor defined elsewhere in the stack file (not shown).
      <<: *manager-deploy
      labels:
        # Enable Traefik for this service
        - "traefik.enable=true"
        - "traefik.swarm.network=homelab_default"
        # Main HTTPS router
        - "traefik.http.routers.vaultwarden.rule=Host(`vault.my.domain`)"
        - "traefik.http.routers.vaultwarden.entrypoints=websecure"
        - "traefik.http.routers.vaultwarden.tls=true"
        # Admin panel - separate subdomain or path
        # /admin is guarded by Authentik forward-auth in addition to
        # Vaultwarden's own admin token. This router only takes precedence over
        # the plain Host() router above through Traefik's default rule-length
        # priority; set an explicit priority if that should not be relied on.
        - "traefik.http.routers.vaultwarden-admin.rule=Host(`vault.my.domain`) && PathPrefix(`/admin`)"
        - "traefik.http.routers.vaultwarden-admin.entrypoints=websecure"
        - "traefik.http.routers.vaultwarden-admin.tls=true"
        - "traefik.http.routers.vaultwarden-admin.middlewares=authentik-forward-auth@file"
        # HTTP → HTTPS redirect
        - "traefik.http.routers.vaultwarden-http.rule=Host(`vault.my.domain`)"
        - "traefik.http.routers.vaultwarden-http.entrypoints=web"
        - "traefik.http.routers.vaultwarden-http.middlewares=vaultwarden-https-redirect"
        - "traefik.http.middlewares.vaultwarden-https-redirect.redirectscheme.scheme=https"
        # Tell Traefik the container port
        - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
        - "prometheus-job=vaultwarden"

Reverse Proxy

traefik 3.6.0

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04 LTS

Clients

Web Vault

Client Version

No response

Steps To Reproduce

  1. Open web vault
  2. Enter email
  3. Click sign in with SSO
  4. Sign into authentik on redirect
  5. Follow redirect to the web vault

Expected Result

User is logged in

Actual Result

Error message appears in a red notification in the web vault and is logged in the vaultwarden container:

Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: invalid_client, error_description: Some("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"), error_uri: None })

Logs

1762724911305	2025-11-09T21:48:31.305Z	[2025-11-09 21:48:31.305][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
1762724911304	2025-11-09T21:48:31.304Z	[2025-11-09 21:48:31.304][request][INFO] GET /api/devices/knowndevice
1762724911194	2025-11-09T21:48:31.194Z	[2025-11-09 21:48:31.194][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
1762724911194	2025-11-09T21:48:31.194Z	[2025-11-09 21:48:31.194][vaultwarden::sso_client][ERROR] Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: invalid_client, error_description: Some("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"), error_uri: None })
1762724910365	2025-11-09T21:48:30.365Z	[2025-11-09 21:48:30.364][request][INFO] POST /identity/connect/token
1762724909605	2025-11-09T21:48:29.605Z	[2025-11-09 21:48:29.605][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
1762724909603	2025-11-09T21:48:29.603Z	[2025-11-09 21:48:29.603][request][INFO] GET /identity/connect/oidc-signin?code=b0311f71e61a44d080d6575fd
1762724909262	2025-11-09T21:48:29.262Z	[2025-11-09 21:48:29.262][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
1762724908519	2025-11-09T21:48:28.519Z	[2025-11-09 21:48:28.519][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
1762724908419	2025-11-09T21:48:28.419Z	[2025-11-09 21:48:28.419][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
1762724908417	2025-11-09T21:48:28.417Z	[2025-11-09 21:48:28.416][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER
1762724908357	2025-11-09T21:48:28.357Z	[2025-11-09 21:48:28.356][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK
1762724908356	2025-11-09T21:48:28.356Z	[2025-11-09 21:48:28.356][request][INFO] POST /api/organizations/domain/sso/verified
1762724887575	2025-11-09T21:48:07.575Z	[2025-11-09 21:48:07.575][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
1762724887574	2025-11-09T21:48:07.574Z	[2025-11-09 21:48:07.573][request][INFO] GET /api/devices/knowndevice
1762724877708	2025-11-09T21:47:57.708Z	[2025-11-09 21:47:57.708][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
1762724877707	2025-11-09T21:47:57.707Z	[2025-11-09 21:47:57.706][request][INFO] GET /api/devices/knowndevice
1762724875757	2025-11-09T21:47:55.757Z	[2025-11-09 21:47:55.757][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
1762724875755	2025-11-09T21:47:55.755Z	[2025-11-09 21:47:55.755][request][INFO] GET /api/devices/knowndevice
1762724875583	2025-11-09T21:47:55.583Z	[2025-11-09 21:47:55.583][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
1762724875583	2025-11-09T21:47:55.583Z	[2025-11-09 21:47:55.583][vaultwarden::sso_client][ERROR] Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: invalid_client, error_description: Some("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"), error_uri: None })
1762724874805	2025-11-09T21:47:54.805Z	[2025-11-09 21:47:54.805][request][INFO] POST /identity/connect/token
1762724874006	2025-11-09T21:47:54.006Z	[2025-11-09 21:47:54.005][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
1762724874003	2025-11-09T21:47:54.003Z	[2025-11-09 21:47:54.003][request][INFO] GET /identity/connect/oidc-signin?code=31170d4cb5f84827b7a8bf18f
1762724873605	2025-11-09T21:47:53.605Z	[2025-11-09 21:47:53.605][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
1762724872874	2025-11-09T21:47:52.874Z	[2025-11-09 21:47:52.874][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
1762724872788	2025-11-09T21:47:52.788Z	[2025-11-09 21:47:52.788][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
1762724872786	2025-11-09T21:47:52.786Z	[2025-11-09 21:47:52.785][request][INFO] GET /identity/sso/prevalidate?domainHint=00000000-0000-0000-
1762724856961	2025-11-09T21:47:36.961Z	[2025-11-09 21:47:36.960][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
1762724856959	2025-11-09T21:47:36.959Z	[2025-11-09 21:47:36.959][request][INFO] GET /api/devices/knowndevice
1762724856797	2025-11-09T21:47:36.797Z	[2025-11-09 21:47:36.796][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
1762724856796	2025-11-09T21:47:36.796Z	[2025-11-09 21:47:36.796][vaultwarden::sso_client][ERROR] Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: invalid_client, error_description: Some("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"), error_uri: None })
1762724856041	2025-11-09T21:47:36.041Z	[2025-11-09 21:47:36.041][request][INFO] POST /identity/connect/token
1762724855280	2025-11-09T21:47:35.280Z	[2025-11-09 21:47:35.280][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
1762724855275	2025-11-09T21:47:35.275Z	[2025-11-09 21:47:35.275][request][INFO] GET /identity/connect/oidc-signin?code=1f5881b1554f473590d507ee5
1762724854832	2025-11-09T21:47:34.832Z	[2025-11-09 21:47:34.832][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
1762724854157	2025-11-09T21:47:34.157Z	[2025-11-09 21:47:34.156][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
1762724854078	2025-11-09T21:47:34.078Z	[2025-11-09 21:47:34.078][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
1762724854076	2025-11-09T21:47:34.076Z	[2025-11-09 21:47:34.076][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER
1762724853980	2025-11-09T21:47:33.980Z	[2025-11-09 21:47:33.979][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK
1762724853979	2025-11-09T21:47:33.979Z	[2025-11-09 21:47:33.978][request][INFO] POST /api/organizations/domain/sso/verified
1762724852878	2025-11-09T21:47:32.878Z	[2025-11-09 21:47:32.878][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
1762724852875	2025-11-09T21:47:32.875Z	[2025-11-09 21:47:32.875][request][INFO] GET /api/devices/knowndevice
1762724667379	2025-11-09T21:44:27.379Z	[2025-11-09 21:44:27.379][start][INFO] Rocket has launched from http://0.0.0.0:80
1762724667277	2025-11-09T21:44:27.277Z	
1762724667277	2025-11-09T21:44:27.277Z	\--------------------------------------------------------------------/
1762724667277	2025-11-09T21:44:27.277Z	|   https://github.com/dani-garcia/vaultwarden/issues/new            |
1762724667277	2025-11-09T21:44:27.277Z	| Report suspected bugs/issues in the software itself at:            |
1762724667277	2025-11-09T21:44:27.277Z	|   https://vaultwarden.discourse.group/                             |
1762724667277	2025-11-09T21:44:27.277Z	|   https://github.com/dani-garcia/vaultwarden/discussions or        |
1762724667277	2025-11-09T21:44:27.277Z	| Send usage/configuration questions or feature requests to:         |
1762724667277	2025-11-09T21:44:27.277Z	| official channels to report bugs/features, regardless of client.   |
1762724667277	2025-11-09T21:44:27.277Z	| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
1762724667277	2025-11-09T21:44:27.277Z	|--------------------------------------------------------------------|
1762724667277	2025-11-09T21:44:27.277Z	|                      Version 1.34.3-9017ca26                       |
1762724667277	2025-11-09T21:44:27.277Z	|                        Starting Vaultwarden                        |
1762724667277	2025-11-09T21:44:27.277Z	/--------------------------------------------------------------------\

Screenshots or Videos

No response

Additional Context

No response

*Originally created by @amypotato on 11/9/2025* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-9017ca26 * Web-vault version: v2025.10.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": 
false, "domain": "*****://******************", "domain_origin": "*****://******************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info,vaultwarden::sso=debug", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": 
"***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***********************", "smtp_from_name": "***********", "smtp_host": "****", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": true, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://********************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://***********************************************", "sso_client_cache_expiration": 0, "sso_client_id": "***********", "sso_client_secret": "***", "sso_debug_tokens": true, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "openid email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.34.3-9017ca26 ### Deployment method Official Container Image ### Custom deployment method Deployed via docker swarm, docker swarm 
service definition: ``` vaultwarden: image: vaultwarden/server:testing volumes: - vaultwarden_data:/data secrets: - vaultwarden-oauth-client-secret - vaultwarden-admin-token-v3 environment: # Web vault domain - IMPORTANT: Must be HTTPS in production DOMAIN: "https://vault.my.domain" # Database configuration (using SQLite by default, can be changed to PostgreSQL/MySQL) # DATABASE_URL: not set = uses SQLite stored in /data/ # Security settings SIGNUPS_ALLOWED: "false" # Disable new user registrations INVITATIONS_ALLOWED: "true" # Allow invitations from existing users EMERGENCY_ACCESS_ALLOWED: "true" SENDS_ALLOWED: "true" WEB_VAULT_ENABLED: "true" # Admin panel settings ADMIN_TOKEN_FILE: "/run/secrets/vaultwarden-admin-token-v3" # SSO/OAuth configuration with Authentik SSO_ENABLED: "true" SSO_AUTHORITY: "https://auth.my.domain/application/o/vaultwarden/" SSO_CLIENT_ID: "${VAULTWARDEN_OAUTH_CLIENT_ID}" SSO_CLIENT_SECRET_FILE: "/run/secrets/vaultwarden-oauth-client-secret" SSO_SCOPES: "openid email profile offline_access" SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: "true" SSO_CLIENT_CACHE_EXPIRATION: "0" # Email configuration using local mail container SMTP_HOST: "mail" SMTP_FROM: "${VAULTWARDEN_SMTP_FROM:-postmaster@my.domain}" SMTP_PORT: "25" SMTP_SECURITY: "off" SMTP_TIMEOUT: "15" # Other useful settings SHOW_PASSWORD_HINT: "false" LOG_LEVEL: "info,vaultwarden::sso=debug" SSO_DEBUG_TOKENS: "true" EXTENDED_LOGGING: "true" # Rocket server settings ROCKET_PORT: "80" ROCKET_WORKERS: "10" networks: - default stop_signal: SIGTERM stop_grace_period: 30s deploy: <<: *manager-deploy labels: # Enable Traefik for this service - "traefik.enable=true" - "traefik.swarm.network=homelab_default" # Main HTTPS router - "traefik.http.routers.vaultwarden.rule=Host(`vault.my.domain`)" - "traefik.http.routers.vaultwarden.entrypoints=websecure" - "traefik.http.routers.vaultwarden.tls=true" # Admin panel - separate subdomain or path - 
"traefik.http.routers.vaultwarden-admin.rule=Host(`vault.my.domain`) && PathPrefix(`/admin`)" - "traefik.http.routers.vaultwarden-admin.entrypoints=websecure" - "traefik.http.routers.vaultwarden-admin.tls=true" - "traefik.http.routers.vaultwarden-admin.middlewares=authentik-forward-auth@file" # HTTP → HTTPS redirect - "traefik.http.routers.vaultwarden-http.rule=Host(`vault.my.domain`)" - "traefik.http.routers.vaultwarden-http.entrypoints=web" - "traefik.http.routers.vaultwarden-http.middlewares=vaultwarden-https-redirect" - "traefik.http.middlewares.vaultwarden-https-redirect.redirectscheme.scheme=https" # Tell Traefik the container port - "traefik.http.services.vaultwarden.loadbalancer.server.port=80" - "prometheus-job=vaultwarden" ``` ### Reverse Proxy traefik 3.6.0 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 24.04 LTS ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce 1. Open web vault 2. Enter email 3. Click sign in with SSO 4. Sign into authentik on redirect 5. 
Follow redirect to the web vault ### Expected Result User is logged in ### Actual Result Error message appears in a red notification in the web vault and is logged in the vaultwarden container: ``` Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: invalid_client, error_description: Some("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"), error_uri: None }) ``` ### Logs ```text 1762724911305 2025-11-09T21:48:31.305Z [2025-11-09 21:48:31.305][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK 1762724911304 2025-11-09T21:48:31.304Z [2025-11-09 21:48:31.304][request][INFO] GET /api/devices/knowndevice 1762724911194 2025-11-09T21:48:31.194Z [2025-11-09 21:48:31.194][response][INFO] (login) POST /identity/connect/token => 400 Bad Request 1762724911194 2025-11-09T21:48:31.194Z [2025-11-09 21:48:31.194][vaultwarden::sso_client][ERROR] Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: invalid_client, error_description: Some("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"), error_uri: None }) 1762724910365 2025-11-09T21:48:30.365Z [2025-11-09 21:48:30.364][request][INFO] POST /identity/connect/token 1762724909605 2025-11-09T21:48:29.605Z [2025-11-09 21:48:29.605][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect 1762724909603 2025-11-09T21:48:29.603Z [2025-11-09 21:48:29.603][request][INFO] GET /identity/connect/oidc-signin?code=b0311f71e61a44d080d6575fd 1762724909262 2025-11-09T21:48:29.262Z [2025-11-09 21:48:29.262][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect 1762724908519 2025-11-09T21:48:28.519Z [2025-11-09 21:48:28.519][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt 1762724908419 
2025-11-09T21:48:28.419Z [2025-11-09 21:48:28.419][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK 1762724908417 2025-11-09T21:48:28.417Z [2025-11-09 21:48:28.416][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER 1762724908357 2025-11-09T21:48:28.357Z [2025-11-09 21:48:28.356][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK 1762724908356 2025-11-09T21:48:28.356Z [2025-11-09 21:48:28.356][request][INFO] POST /api/organizations/domain/sso/verified 1762724887575 2025-11-09T21:48:07.575Z [2025-11-09 21:48:07.575][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK 1762724887574 2025-11-09T21:48:07.574Z [2025-11-09 21:48:07.573][request][INFO] GET /api/devices/knowndevice 1762724877708 2025-11-09T21:47:57.708Z [2025-11-09 21:47:57.708][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK 1762724877707 2025-11-09T21:47:57.707Z [2025-11-09 21:47:57.706][request][INFO] GET /api/devices/knowndevice 1762724875757 2025-11-09T21:47:55.757Z [2025-11-09 21:47:55.757][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK 1762724875755 2025-11-09T21:47:55.755Z [2025-11-09 21:47:55.755][request][INFO] GET /api/devices/knowndevice 1762724875583 2025-11-09T21:47:55.583Z [2025-11-09 21:47:55.583][response][INFO] (login) POST /identity/connect/token => 400 Bad Request 1762724875583 2025-11-09T21:47:55.583Z [2025-11-09 21:47:55.583][vaultwarden::sso_client][ERROR] Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: invalid_client, error_description: Some("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"), error_uri: None }) 1762724874805 2025-11-09T21:47:54.805Z [2025-11-09 21:47:54.805][request][INFO] POST /identity/connect/token 1762724874006 2025-11-09T21:47:54.006Z [2025-11-09 21:47:54.005][response][INFO] (oidcsignin) 
GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect 1762724874003 2025-11-09T21:47:54.003Z [2025-11-09 21:47:54.003][request][INFO] GET /identity/connect/oidc-signin?code=31170d4cb5f84827b7a8bf18f 1762724873605 2025-11-09T21:47:53.605Z [2025-11-09 21:47:53.605][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect 1762724872874 2025-11-09T21:47:52.874Z [2025-11-09 21:47:52.874][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt 1762724872788 2025-11-09T21:47:52.788Z [2025-11-09 21:47:52.788][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK 1762724872786 2025-11-09T21:47:52.786Z [2025-11-09 21:47:52.785][request][INFO] GET /identity/sso/prevalidate?domainHint=00000000-0000-0000- 1762724856961 2025-11-09T21:47:36.961Z [2025-11-09 21:47:36.960][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK 1762724856959 2025-11-09T21:47:36.959Z [2025-11-09 21:47:36.959][request][INFO] GET /api/devices/knowndevice 1762724856797 2025-11-09T21:47:36.797Z [2025-11-09 21:47:36.796][response][INFO] (login) POST /identity/connect/token => 400 Bad Request 1762724856796 2025-11-09T21:47:36.796Z [2025-11-09 21:47:36.796][vaultwarden::sso_client][ERROR] Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: invalid_client, error_description: Some("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"), error_uri: None }) 1762724856041 2025-11-09T21:47:36.041Z [2025-11-09 21:47:36.041][request][INFO] POST /identity/connect/token 1762724855280 2025-11-09T21:47:35.280Z [2025-11-09 21:47:35.280][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect 1762724855275 2025-11-09T21:47:35.275Z [2025-11-09 21:47:35.275][request][INFO] GET /identity/connect/oidc-signin?code=1f5881b1554f473590d507ee5 1762724854832 
2025-11-09T21:47:34.832Z [2025-11-09 21:47:34.832][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect 1762724854157 2025-11-09T21:47:34.157Z [2025-11-09 21:47:34.156][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt 1762724854078 2025-11-09T21:47:34.078Z [2025-11-09 21:47:34.078][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK 1762724854076 2025-11-09T21:47:34.076Z [2025-11-09 21:47:34.076][request][INFO] GET /identity/sso/prevalidate?domainHint=VW_DUMMY_IDENTIFIER 1762724853980 2025-11-09T21:47:33.980Z [2025-11-09 21:47:33.979][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK 1762724853979 2025-11-09T21:47:33.979Z [2025-11-09 21:47:33.978][request][INFO] POST /api/organizations/domain/sso/verified 1762724852878 2025-11-09T21:47:32.878Z [2025-11-09 21:47:32.878][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK 1762724852875 2025-11-09T21:47:32.875Z [2025-11-09 21:47:32.875][request][INFO] GET /api/devices/knowndevice 1762724667379 2025-11-09T21:44:27.379Z [2025-11-09 21:44:27.379][start][INFO] Rocket has launched from http://0.0.0.0:80 1762724667277 2025-11-09T21:44:27.277Z 1762724667277 2025-11-09T21:44:27.277Z \--------------------------------------------------------------------/ 1762724667277 2025-11-09T21:44:27.277Z | https://github.com/dani-garcia/vaultwarden/issues/new | 1762724667277 2025-11-09T21:44:27.277Z | Report suspected bugs/issues in the software itself at: | 1762724667277 2025-11-09T21:44:27.277Z | https://vaultwarden.discourse.group/ | 1762724667277 2025-11-09T21:44:27.277Z | https://github.com/dani-garcia/vaultwarden/discussions or | 1762724667277 2025-11-09T21:44:27.277Z | Send usage/configuration questions or feature requests to: | 1762724667277 2025-11-09T21:44:27.277Z | official channels to report bugs/features, regardless of client. 
| 1762724667277 2025-11-09T21:44:27.277Z | This is an *unofficial* Bitwarden implementation, DO NOT use the | 1762724667277 2025-11-09T21:44:27.277Z |--------------------------------------------------------------------| 1762724667277 2025-11-09T21:44:27.277Z | Version 1.34.3-9017ca26 | 1762724667277 2025-11-09T21:44:27.277Z | Starting Vaultwarden | 1762724667277 2025-11-09T21:44:27.277Z /--------------------------------------------------------------------\ ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_

Reference: github/vaultwarden#291