Timshel / vaultwarden

Fork from dani-garcia/vaultwarden to add OpenID support.
GNU Affero General Public License v3.0

Sync problem when using Desktop application #53

Open Gurkeb opened 4 months ago

Gurkeb commented 4 months ago

Subject of the issue

Desktop application is not syncing when authenticating via SSO

Deployment environment

### Your environment (Generated via diagnostics page)
* Vaultwarden version: v1.30.5-9
* Web-vault version: voidc_button-v2024.3.1-1
* OS/Arch: linux/x86_64
* Running within a container: true (Base: Debian)
* Environment settings overridden: true
* Uses a reverse proxy: true
* IP Header check: true (X-Forwarded-For)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Browser/Server Time Check: true
* Server/NTP Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: SQLite
* Database version: 3.45.0
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

### Config (Generated via diagnostics page)
<details><summary>Show Running Config</summary>

**Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SSO_ENABLED, SSO_ONLY, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD

```json
{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*******************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "commsLAB Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_level_override": "",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "***************************,******************************",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**********************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "**********************",
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "https://login.microsoftonline.com/aa7b9c07-d853-400d-a662-a362a4c5009f/v2.0",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "https://safe.commsportal.ch/identity/connect/oidc-signin",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "4945429d-4656-4941-886e-94d6e7e20c9e",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_organizations_all_collections": true,
  "sso_organizations_id_mapping": "",
  "sso_organizations_invite": false,
  "sso_organizations_token_path": "/groups",
  "sso_pkce": false,
  "sso_roles_default_to_user": true,
  "sso_roles_enabled": false,
  "sso_roles_token_path": "/resource_access/4945429d-4656-4941-886e-94d6e7e20c9e/roles",
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```

</details>

* vaultwarden version:

* Install method: Docker Compose

* Clients used: web vault, desktop, Android, iOS

* Reverse proxy and version:

* MySQL/MariaDB or PostgreSQL version: SQLite 3.45.0

* Other relevant details:

### Steps to reproduce
Classic installation of the SSO branch of Vaultwarden, but setting "Disable email+master password login" to true.
We use EntraID for SSO 

### Expected behaviour
No way to log in to the desktop using only the master password.
When using SSO via Chrome, no way to open/pass the info to the desktop app as described in [github.com/bitwarden/clients/issues/2606](https://github.com/bitwarden/clients/issues/2606)
When copying the url to Firefox, passing the auth and opening the desktop app works
After passing SSO, normal login with master password and sync of passwords works

### Actual behaviour
When we authenticate the SSO via Firefox as mentioned above, due to the Chrome limitation on the official desktop application from Bitwarden, we can authenticate in a second step with the master password.
Unfortunately, after opening the vault with the master password, no synchronization is possible, and forcing it with the Sync button also gives an error.
We have found that if we re-enable the use of the master password and don't use SSO, the vault will sync without any problems.
This may also be related to #35. 

In addition, the SSO redirect from the desktop app only triggers a "Not Safe" warning from Chrome, highlighting everything in red. Not the same behavior on Firefox though.

Timshel commented 4 months ago

Hey,

Just to be sure, is the redirection from Firefox to the application successful? On which OS are you running the desktop app? And if on Linux, how is the app packaged/installed?

Gurkeb commented 4 months ago

Hey,

Yes, we tested it on two Windows machines. We have Chrome or Edge as standard browsers. In Chrome the SSO URL gets marked as unsafe; in all the other browsers we tested that wasn't a problem. But if we continue for both Chrome and Edge, when being prompted to open Bitwarden nothing happens.

If we set Firefox as standard browser everything works fine, also with opening the Bitwarden Desktop app. After that we naturally get asked for the master password and the vault unlocks. But for both machines we tested so far the vault won't sync and won't show any content in the vault. It will only show the wheel spinning as if it's still synchronizing.

Timshel commented 4 months ago

Hey, Just tested on Windows too, and I'm able to reproduce.

Will have a look but might take some time since first I'll try to make the Firefox redirection work on my linux install (rebooting to Windows each time to test is not fun ^^).

Gurkeb commented 4 months ago

Awesome and no worries! Really appreciate the work, it's awesome! :)

Timshel commented 4 months ago

Ok, was able to configure the redirection on Linux with Firefox. And it just works, the vault displays all my passwords :D.

So will have to spin a VM or something else to debug on Windows.

Gurkeb commented 4 months ago

sounds promising already!

Gurkeb commented 3 months ago

Hey @Timshel, just wanted to ask if there is any development on this issue or if there is something I can do to support with solving it! :)

Timshel commented 3 months ago

Hey, Sorry haven't made much progress. I have a vm running but I have a different issue where I'm unable to unlock the vault :(.

Gurkeb commented 3 months ago

No worries at all, just wanted to check in :) if there's anything I can do to help let me know

jobritz commented 3 months ago

> Hey,
>
> Yes, we tested it on two Windows machines. We have Chrome or Edge as standard browsers. In Chrome the SSO URL gets marked as unsafe; in all the other browsers we tested that wasn't a problem. But if we continue for both Chrome and Edge, when being prompted to open Bitwarden nothing happens.
>
> If we set Firefox as standard browser everything works fine, also with opening the Bitwarden Desktop app. After that we naturally get asked for the master password and the vault unlocks. But for both machines we tested so far the vault won't sync and won't show any content in the vault. It will only show the wheel spinning as if it's still synchronizing.

Did you have to do anything to make it work with Edge? I think I have the same issue as in #35 because SSO is working for me with all other clients but not with the desktop client. I'm using a Windows machine and I have to use Edge, so I'm wondering if you know how to make SSO work for the desktop client? Thank you for your help :)

Gurkeb commented 3 months ago

Hey @jobritz

I think so far this is still an open issue @Timshel is working on. The only workaround we have so far is to allow the use of the master password for the login, not forcing the SSO by disabling the master password. @Timshel is working on the issue, so I think we just have to be patient. :)

There are some known issues though where Chrome and Edge (since it is based on Chromium) won't open the Bitwarden application from the browser passing all the information. As far as I know this is an issue with Bitwarden though and not with this repo so out of scope of @Timshel.

jobritz commented 3 months ago

Yes, I saw the issue on the Bitwarden repo, but if you scroll down the last comment says that after 3 years there is still no fix for this issue :(.

Timshel commented 3 months ago

Hey

Just to manage expectations, I don't expect to have any solution in the short term. I can't reproduce the issue when using a VM (remotely) since I can't even log in... (so another issue?).

Might try this week to run a VM locally to see if I have the same issues; then the next step would be to set up Windows on a laptop, but I would prefer to avoid it.

And outside of the logistic issues, the fact that the desktop app works on Linux is not really a good sign, since I believe it's supposed to be the same code.