Timshel / vaultwarden

Fork from dani-garcia/vaultwarden to add OpendID support.
GNU Affero General Public License v3.0

AzureAD Roles are not part of the access token but only in the ID token #26

Closed nodomain closed 7 months ago

nodomain commented 7 months ago

Subject of the issue

If I configure roles for my AAD Entra app, the roles are mapped only in the ID token but not in the access token. Hence the debug log says that there are no roles found.

Deployment environment

Steps to reproduce

Log in and check the logs.

Expected behaviour

The roles are read from the ID token.

Actual behaviour

An attempt is made to read the roles from the access token.

Troubleshooting data

VAULTWARDEN_CONFIG_SSO_AUTHORITY=https://login.microsoftonline.com/xxx/v2.0

## Set your Client ID and Client Key
VAULTWARDEN_CONFIG_SSO_CLIENT_ID=xxx
VAULTWARDEN_CONFIG_SSO_CLIENT_SECRET=xxx
VAULTWARDEN_CONFIG_SSO_SCOPES="email profile offline_access"

## Optional SSO public key for JWT validation
# VAULTWARDEN_CONFIG_SSO_KEY_FILEPATH=%DATA_FOLDER%/VAULTWARDEN_CONFIG_SSO_key.pub.pem
## Optional Master password policy (minComplexity=[0-4])
# VAULTWARDEN_CONFIG_SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
## Enable the mapping of roles (user/admin) from the access_token
VAULTWARDEN_CONFIG_SSO_ROLES_ENABLED=true
## Missing/Invalid roles default to user
VAULTWARDEN_CONFIG_SSO_ROLES_DEFAULT_TO_USER=true
## Access token path to read roles
VAULTWARDEN_CONFIG_SSO_ROLES_TOKEN_PATH=roles
## Controls whether to add users to organization
# VAULTWARDEN_CONFIG_SSO_ORGANIZATIONS_INVITE=false
## Optional scope to retrieve user organizations
# VAULTWARDEN_CONFIG_SSO_ORGANIZATIONS_SCOPE=groups
## Access token path to read groups
# VAULTWARDEN_CONFIG_SSO_ORGANIZATIONS_TOKEN_PATH=/groups

Timshel commented 7 months ago

Hum, are roles part of Identity or Authorization? Made the supposition it was the latter; will check if there is a consensus.

nodomain commented 7 months ago

The mentioned fix from #25 did not fix my issue yet.

This is the access token coming from EntraID.

[2024-02-12 22:03:19.462][vaultwarden::sso][DEBUG] Token access_token: {
    "acct": 0,
    "acr": "1",
    "acrs": [
        "urn:user:registersecurityinfo",
        "c20",
        "c21",
        "c22"
    ],
    "aio": "[Anonymized]",
    "amr": [
        "pwd",
        "mfa"
    ],
    "app_displayname": "[Anonymized] DEV",
    "appid": "[Anonymized]",
    "appidacr": "1",
    "aud": "[Anonymized]",
    "deviceid": "[Anonymized]",
    "exp": 1707780665,
    "family_name": "[Anonymized]",
    "given_name": "[Anonymized]",
    "iat": 1707775099,
    "idtyp": "user",
    "ipaddr": "[Anonymized]",
    "iss": "[Anonymized]",
    "name": "[Anonymized]",
    "nbf": 1707775099,
    "oid": "[Anonymized]",
    "onprem_sid": "[Anonymized]",
    "platf": "5",
    "puid": "[Anonymized]",
    "rh": "[Anonymized]",
    "scp": "email openid profile",
    "signin_state": [
        "dvc_mngd",
        "dvc_cmp",
        "kmsi"
    ],
    "sub": "[Anonymized]",
    "tenant_region_scope": "EU",
    "tid": "[Anonymized]",
    "unique_name": "[Anonymized]",
    "upn": "[Anonymized]",
    "uti": "[Anonymized]",
    "ver": "1.0",
    "wids": [
        "[Anonymized]",
        "[Anonymized]"
    ],
    "xms_st": {
        "sub": "[Anonymized]"
    },
    "xms_tcdt": 1391171320,
    "xms_tdbr": "EU"
}

Timshel commented 7 months ago

Hey, made the change to read the roles and groups from the ID token only in today's version 1.30.2-4 (still building).

nodomain commented 7 months ago

When deploying this tag, coming from 1.30.2-3:

[2024-02-15 21:18:35.435][panic][ERROR] thread 'main' panicked at 'Error running migrations: QueryError(DieselMigrationName { name: "2024-02-14-170000_add_state_to_sso_nonce", version: MigrationVersion("20240214170000") }, DatabaseError(Unknown, "Unknown table 'vaultwarden.sso_nonce'"))': src/db/mod.rs:473

nodomain commented 7 months ago

... and the service is not getting stable due to this.

[image attachment]

Timshel commented 7 months ago

Fixed the mysql/mariadb migration in 1.30.2-5; should be ready in ~1h.

nodomain commented 7 months ago

I can confirm it works now with these settings:

"logged with admin cookie"

SSO_ROLES_ENABLED=true
## Missing/Invalid roles default to user
SSO_ROLES_DEFAULT_TO_USER=true
## Access token path to read roles
SSO_ROLES_TOKEN_PATH=/roles
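As an added illustration of the behaviour the thread settles on (roles read from the ID token at a configurable claim path, with missing or unrecognised roles falling back to `user`), the following Python script is not Vaultwarden's or Timshel's code. It builds two constructed, unsigned JWT-shaped strings modelled on the thread's observation that Entra ID places app roles in the ID token and not in the access token, then resolves a JSON-pointer-style path such as `/roles` (a leading slash is optional, as in the two configs above) against each token's claims. Claim names other than `roles`, and the `admin`/`user` role values, are assumptions made for the example.

```python
import base64
import json
from typing import Any, Optional

# Constructed sample claims (not real tokens). The ID token carries the app
# roles; the access token carries scopes and auth-method claims but no "roles".
SAMPLE_ID_TOKEN_CLAIMS = {
    "aud": "example-client-id",
    "iss": "https://login.microsoftonline.com/EXAMPLE-TENANT/v2.0",
    "sub": "user-123",
    "email": "alice@example.com",
    "roles": ["admin"],
}
SAMPLE_ACCESS_TOKEN_CLAIMS = {
    "aud": "example-client-id",
    "scp": "email openid profile",
    "amr": ["pwd", "mfa"],
    "sub": "user-123",
}


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for the sample; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def decode_claims(jwt: str) -> dict:
    """Decode only the payload segment to inspect claims.

    This shows claim lookup; it performs no signature check, which the OIDC
    library does before any claim is used for authorization.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore padding for the decoder
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_path(claims: Any, path: str) -> Any:
    """Resolve a JSON-pointer-like path ("/roles", "roles", "/realm_access/roles")."""
    node = claims
    for part in [p for p in path.split("/") if p]:
        if isinstance(node, dict) and part in node:
            node = node[part]
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return None  # path does not exist in these claims
    return node


def map_role(claims: dict, path: str, default_to_user: bool = True) -> Optional[str]:
    """Map the claim at `path` to 'admin' or 'user'.

    Missing or unrecognised roles yield 'user' when default_to_user is set
    (mirroring SSO_ROLES_DEFAULT_TO_USER=true), otherwise None.
    """
    roles = resolve_path(claims, path)
    if isinstance(roles, str):
        roles = [roles]
    if isinstance(roles, list):
        if "admin" in roles:
            return "admin"
        if "user" in roles:
            return "user"
    return "user" if default_to_user else None


def role_from_tokens(id_token: str, access_token: str, path: str) -> dict:
    """Show what each token yields for the same path; the ID token is the one to use."""
    return {
        "id_token": map_role(decode_claims(id_token), path),
        "access_token": map_role(decode_claims(access_token), path, default_to_user=False),
    }


if __name__ == "__main__":
    id_tok = make_unsigned_jwt(SAMPLE_ID_TOKEN_CLAIMS)
    acc_tok = make_unsigned_jwt(SAMPLE_ACCESS_TOKEN_CLAIMS)
    print(role_from_tokens(id_tok, acc_tok, "/roles"))
```

Running the script prints `{'id_token': 'admin', 'access_token': None}`: the same path finds the role in the ID token and nothing in the access token, which is exactly why the earlier "no roles found" debug message appeared while the access token was the source. With `default_to_user` left on, the access-token lookup would silently produce `user` instead of `None`, so keeping the debug log visible is the quickest check that the configured path actually matches a claim.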

nodomain commented 7 months ago

Thank you very much. Keep up the great work!