Timshel / vaultwarden

Fork from dani-garcia/vaultwarden to add OpenID support.
GNU Affero General Public License v3.0

AzureAD: Vaultwarden asks for SSO identifier after login #12

Closed sandervandegeijn closed 10 months ago

sandervandegeijn commented 10 months ago

Running the latest tag from oidcwarden/vaultwarden-oidc:latest on Monday 8th Jan 20:39 CET:

Bitwarden app on mac: (screenshot)

iOS app: (screenshot IMG_2616)

This wasn't there before. On iOS the login flow is also broken when adding a new account: after this screen it asks for the master password in the popup webview, and if you fill that in you are logged in, but not in the app, only in the webview that was opened for the login flow. The app doesn't get logged in.

In the browser it's working correctly.

Logs:
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://github.com/dani-garcia/vaultwarden/discussions or        |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/

[INFO] Can't read optional SSO public key at data/sso_key.pub.pem : No such file or directory (os error 2)
[2024-01-08 19:31:17.214][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
[2024-01-08 19:31:17.215][start][INFO] Rocket has launched from http://0.0.0.0:8080
[2024-01-08 19:32:07.104][request][INFO] GET /api/config/
[2024-01-08 19:32:07.104][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:32:08.514][request][INFO] GET /api/devices/knowndevice
[2024-01-08 19:32:08.519][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-01-08 19:32:10.876][request][INFO] POST /api/organizations/domain/sso/details
[2024-01-08 19:32:10.879][response][INFO] (get_org_domain_sso_details) POST /api/organizations/domain/sso/details => 200 OK
[2024-01-08 19:32:11.361][request][INFO] GET /identity/account/prevalidate?domainHint=MDT+Integration+Ser
[2024-01-08 19:32:11.361][response][INFO] (prevalidate) GET /identity/account/prevalidate => 200 OK
[2024-01-08 19:32:13.997][request][INFO] GET /identity/connect/authorize?client_id=mobile&redirect_uri=
[2024-01-08 19:32:14.155][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-01-08 19:32:14.734][request][INFO] GET /identity/connect/oidc-signin?code=0.xx
[2024-01-08 19:32:14.734][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-01-08 19:32:18.358][request][INFO] GET /api/config
[2024-01-08 19:32:18.359][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:32:51.465][request][INFO] GET /api/config
[2024-01-08 19:32:51.466][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:32:52.918][request][INFO] GET /api/devices/knowndevice
[2024-01-08 19:32:52.920][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-01-08 19:32:53.968][request][INFO] POST /api/organizations/domain/sso/details
[2024-01-08 19:32:53.969][response][INFO] (get_org_domain_sso_details) POST /api/organizations/domain/sso/details => 200 OK
[2024-01-08 19:32:54.018][request][INFO] GET /identity/account/prevalidate?domainHint=MDT%20Integration%2
[2024-01-08 19:32:54.019][response][INFO] (prevalidate) GET /identity/account/prevalidate => 200 OK
[2024-01-08 19:32:54.086][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2024-01-08 19:32:54.089][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-01-08 19:32:54.500][request][INFO] GET /identity/connect/oidc-signin?code=0.xxxx
[2024-01-08 19:32:54.500][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-01-08 19:32:55.015][request][INFO] GET /api/config
[2024-01-08 19:32:55.015][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:32:55.015][request][INFO] POST /identity/connect/token
[2024-01-08 19:32:55.289][vaultwarden::api::identity][INFO] User sander.vandegeijn@wur.nl logged in successfully. IP: 10.xxx
[2024-01-08 19:32:55.289][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-01-08 19:32:55.324][request][INFO] GET /api/config
[2024-01-08 19:32:55.324][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:32:55.396][request][INFO] GET /api/config
[2024-01-08 19:32:55.396][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:32:58.947][request][INFO] POST /api/accounts/verify-password
[2024-01-08 19:32:59.321][response][INFO] (verify_password) POST /api/accounts/verify-password => 200 OK
[2024-01-08 19:32:59.391][request][INFO] POST /identity/connect/token
[2024-01-08 19:32:59.400][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-01-08 19:32:59.440][request][INFO] GET /api/sync?excludeDomains=true
[2024-01-08 19:32:59.462][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2024-01-08 19:32:59.475][request][INFO] GET /notifications/hub?access_token=xxxx
[2024-01-08 19:32:59.475][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 10.xxxx
[2024-01-08 19:32:59.476][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2024-01-08 19:32:59.548][request][INFO] GET /api/config
[2024-01-08 19:32:59.548][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:35:03.737][request][INFO] GET /api/config/
[2024-01-08 19:35:03.737][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:35:05.062][request][INFO] GET /api/devices/knowndevice
[2024-01-08 19:35:05.063][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-01-08 19:35:08.769][request][INFO] POST /api/organizations/domain/sso/details
[2024-01-08 19:35:08.770][response][INFO] (get_org_domain_sso_details) POST /api/organizations/domain/sso/details => 200 OK
[2024-01-08 19:35:08.945][request][INFO] GET /identity/account/prevalidate?domainHint=VaultWarden
[2024-01-08 19:35:08.946][response][INFO] (prevalidate) GET /identity/account/prevalidate => 200 OK
[2024-01-08 19:35:11.042][request][INFO] GET /identity/connect/authorize?client_id=mobile&redirect_uri=
[2024-01-08 19:35:11.045][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-01-08 19:35:11.384][request][INFO] GET /identity/connect/oidc-signin?code=0.xxx
[2024-01-08 19:35:11.385][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-01-08 19:35:14.443][request][INFO] GET /api/config
[2024-01-08 19:35:14.443][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:35:51.480][request][INFO] POST /identity/connect/token
[2024-01-08 19:35:51.484][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-01-08 19:35:51.700][request][INFO] GET /api/config
[2024-01-08 19:35:51.701][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:35:58.590][request][INFO] GET /api/config
[2024-01-08 19:35:58.590][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:35:58.606][request][INFO] GET /api/devices/knowndevice
[2024-01-08 19:35:58.607][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-01-08 19:35:58.748][request][INFO] GET /api/config
[2024-01-08 19:35:58.748][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:36:04.319][request][INFO] GET /api/config
[2024-01-08 19:36:04.320][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:36:13.266][request][INFO] GET /api/devices/knowndevice
[2024-01-08 19:36:13.267][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-01-08 19:36:14.926][request][INFO] GET /api/config
[2024-01-08 19:36:14.926][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:36:14.927][request][INFO] POST /api/organizations/domain/sso/details
[2024-01-08 19:36:14.928][response][INFO] (get_org_domain_sso_details) POST /api/organizations/domain/sso/details => 200 OK
[2024-01-08 19:36:14.954][request][INFO] GET /identity/account/prevalidate?domainHint=MDT%xxxx%2
[2024-01-08 19:36:14.955][response][INFO] (prevalidate) GET /identity/account/prevalidate => 200 OK
[2024-01-08 19:36:15.025][request][INFO] GET /identity/connect/authorize?client_id=desktop&redirect_uri
[2024-01-08 19:36:15.028][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-01-08 19:36:15.309][request][INFO] GET /identity/connect/oidc-signin?code=0.xxx
[2024-01-08 19:36:15.309][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-01-08 19:36:15.594][request][INFO] GET /api/config
[2024-01-08 19:36:15.595][response][INFO] (config) GET /api/config => 200 OK
[2024-01-08 19:36:56.262][request][INFO] GET /api/config
[2024-01-08 19:36:56.262][response][INFO] (config) GET /api/config => 200 OK

Deployment environment

Steps to reproduce

Add a new account to the Bitwarden app.

Expected behaviour

User doesn't know what to fill in, this will lead to questions. Screen should be skipped.

Actual behaviour

Screen is shown

Troubleshooting data

^^
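The logs above show three clients (mobile, web, desktop) each running the same authorize → oidc-signin callback → token exchange sequence, and the failing mobile attempt is the one where the callback redirect happens but no `POST /identity/connect/token` follows. The following script is an added triage example, not code from this thread or from the vaultwarden project: it parses lines in the request/response format quoted above, groups them into per-client SSO flows and flags flows that stall after the callback. The sample log lines, user and IP are constructed placeholders, and the 120-second attribution window is an assumed heuristic rather than anything the server enforces.

```python
import re
from datetime import datetime

# Constructed sample lines that follow the vaultwarden request/response log
# format quoted in the report. User and IP are placeholders, not real data.
SAMPLE_LOG = """\
[2024-01-08 19:32:13.997][request][INFO] GET /identity/connect/authorize?client_id=mobile&redirect_uri=
[2024-01-08 19:32:14.155][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-01-08 19:32:14.734][request][INFO] GET /identity/connect/oidc-signin?code=0.xx
[2024-01-08 19:32:14.734][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-01-08 19:32:18.358][request][INFO] GET /api/config
[2024-01-08 19:32:54.086][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2024-01-08 19:32:54.089][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-01-08 19:32:54.500][request][INFO] GET /identity/connect/oidc-signin?code=0.xxxx
[2024-01-08 19:32:54.500][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-01-08 19:32:55.015][request][INFO] POST /identity/connect/token
[2024-01-08 19:32:55.289][vaultwarden::api::identity][INFO] User user@example.org logged in successfully. IP: 10.0.0.1
[2024-01-08 19:32:55.289][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-01-08 19:32:58.947][request][INFO] POST /api/accounts/verify-password
[2024-01-08 19:32:59.391][request][INFO] POST /identity/connect/token
[2024-01-08 19:32:59.400][response][INFO] (login) POST /identity/connect/token => 200 OK
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]\[(?P<lvl>\w+)\] (?P<msg>.*)$")
AUTHORIZE_RE = re.compile(r"^GET /identity/connect/authorize\?(?P<qs>\S*)")
SIGNIN_RE = re.compile(r"^GET /identity/connect/oidc-signin\?")
TOKEN_RE = re.compile(r"^POST /identity/connect/token\b")
LOGIN_OK_RE = re.compile(r"^\(login\) POST /identity/connect/token => 200\b")
USER_RE = re.compile(r"^User (?P<user>\S+) logged in successfully")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def _client_id(query):
    """Pull client_id out of the (possibly truncated) authorize query string."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == "client_id":
            return value or "unknown"
    return "unknown"


def _current(flows, ts, window_s):
    """Most recent authorize flow, if it started within window_s seconds."""
    if not flows:
        return None
    flow = flows[-1]
    return flow if (ts - flow["started"]).total_seconds() <= window_s else None


def analyze(log_text, window_s=120.0):
    """Group authorize -> oidc-signin -> token lines into per-client flows.

    window_s is an assumed heuristic: later lines are attributed to the newest
    flow only if it began within that many seconds (authorization codes are
    short-lived, so a much later token exchange cannot belong to an old flow).
    """
    flows = []
    pending = None  # flow whose token exchange is in progress
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, src, msg = _parse_ts(m["ts"]), m["src"], m["msg"]
        if src == "request":
            auth = AUTHORIZE_RE.match(msg)
            if auth:
                flows.append({"client": _client_id(auth["qs"]), "started": ts,
                              "signin": False, "token_ok": False, "user": None})
            elif SIGNIN_RE.match(msg):
                flow = _current(flows, ts, window_s)
                if flow:
                    flow["signin"] = True
            elif TOKEN_RE.match(msg):
                flow = _current(flows, ts, window_s)
                # Only the first token exchange after the callback completes the
                # flow; the later master-password unlock also hits this endpoint.
                pending = flow if flow and flow["signin"] and not flow["token_ok"] else None
        elif pending is not None:
            user = USER_RE.match(msg)
            if user:
                pending["user"] = user["user"]
            elif src == "response" and LOGIN_OK_RE.match(msg):
                pending["token_ok"] = True
                pending = None
    return flows


def summarize(flows):
    """One (client_id, status) pair per flow. 'stalled after callback' is the
    pattern the mobile client shows in the report: redirect back, no token."""
    out = []
    for f in flows:
        if f["token_ok"]:
            status = "completed"
        elif f["signin"]:
            status = "stalled after callback"
        else:
            status = "no callback"
        out.append((f["client"], status))
    return out


if __name__ == "__main__":
    for client, status in summarize(analyze(SAMPLE_LOG)):
        print(f"{client:8s} {status}")
```

Run against the full log in the report, the same logic separates the successful web login (callback followed by a token exchange and a "logged in successfully" line) from the mobile attempt that redirects back and then goes quiet, which is the first thing to check before suspecting the identity provider.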

Timshel commented 10 months ago

Hey,

For the identifier, it's normal: the default front-end is what is expected to be merged. I patched the frontend for a better flow, but you need to pass an env variable: cf. https://github.com/Timshel/vaultwarden#docker

For your issues on iOS I see nothing strange in the logs. I have no iOS device, so I probably won't be able to debug it, sorry.

sandervandegeijn commented 10 months ago

The SSO override is a nice touch, much more user friendly! Didn't see the SSO identifier screen anymore either. Will ask a colleague that hasn't used it to try it as well tomorrow.

I reinstalled the iOS version of BW, same problem. I made a video but I need a little time to blur out all the sensitive data. Will do that tomorrow (since it's 23:12 over here now).

Thanks for the effort!

Halyul commented 10 months ago

I have also encountered the same issue on both iOS and Android devices. After logging in in the webview, it's not redirected back to the mobile app but instead opens the web vault in the webview.

Timshel commented 10 months ago

Ok, I think I know where the regression is, will test it with Android.

Timshel commented 10 months ago

1.30.1-2 is building and should fix the issue.

sandervandegeijn commented 10 months ago

Will test again, thanks!

Halyul commented 10 months ago

Can confirm the latest build works on iOS and Android devices.

sandervandegeijn commented 10 months ago

I'm running the tag 1.30.1-2. Adding the new account as a second account besides my normal account doesn't give the redirect error anymore. But on iOS I'm back at:

(screenshot IMG_2620)

I'm also a bit confused where the MDT Integration Services text came from, I only used that as an organisation name.

Timshel commented 10 months ago

I'm also a bit confused where the MDT Integration Services text came from, I only used that as an organisation name.

As soon as the application has an email (the first field without the front-end modification, or after identification), it tries to check whether it's associated with an organization.

sandervandegeijn commented 10 months ago

Hm okay, feels a bit weird but it works I guess :)

Timshel commented 10 months ago

Hm okay, feels a bit weird but it works I guess :)

:), it's useful because if a user is already part of an organization (invitation or group/org mapping), then things like the org password policy can be applied when the user creates their master password.

Edit: And from Bitwarden's point of view it's even more important, since in the official server the SSO is configured at the organization level and not globally.

sandervandegeijn commented 10 months ago

Edit: And from BitWarden point of view it's even more important since in the official server the sso is configured at the organization level and not globally.

I'm not sure I understand this entirely, for Vaultwarden it will be either enabled or disabled right?

The redirect issue has been solved, but on iOS I'm back at:

(screenshot)

I saw there was a new image, oidcwarden/vaultwarden-oidc:testing. Used that one to test this.

Timshel commented 10 months ago

Hey,

I'll close this since the original issue is working, I believe. If iOS is still broken, maybe open another issue.

sandervandegeijn commented 10 months ago

Sure, will test it as soon as there are Docker containers with all the new fixes :)

Timshel commented 10 months ago

There is ^^ https://hub.docker.com/r/oidcwarden/vaultwarden-oidc/tags

sandervandegeijn commented 10 months ago

Great thanks!