Timshel / vaultwarden

Fork from dani-garcia/vaultwarden to add OpenID support.
GNU Affero General Public License v3.0

Vaultwarden does not include `openid` scope in redirection URL #55

Closed LeVraiRoiDHyrule closed 6 months ago

LeVraiRoiDHyrule commented 6 months ago

Hi,

Following on from this issue https://github.com/Timshel/vaultwarden/issues/54#issuecomment-2097785764, I noticed that with the following scopes set up:

      - SSO_SCOPES="email profile offline_access roles groups"

I get the following redirection URL:

Redirection to https://vault.REDACTED.com/sso-connector.html?code=REDACTED&state=4nBNMPgnvwtHd7vAh6xA4VXCiCTFoJvnKPppv68Tbsrz2PRFMDcK4cmqtjZsWqG3_identifier%3Dundefined&scope=api+offline_access&iss=https%3A%2F%2Fvault.REDACTED.com

I am missing most scopes as well as openid.

Here is my complete config:

      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SSO_DEBUG_TOKENS=true
      - LOG_LEVEL=debug

      - DOMAIN=https://vault.${DOMAIN}
      - SIGNUPS_ALLOWED=false
      - INVITATIONS_ALLOWED=false

      - SSO_ENABLED=true
      - SSO_PKCE=true
      - SSO_ONLY=true
      - SSO_AUTHORITY=https://api.auth.${DOMAIN}
      - SSO_AUDIENCE_TRUSTED=REDACTED
      - SSO_CLIENT_ID=264077012140883971@REDACTED
      - SSO_CLIENT_SECRET=dummy
      - SSO_SCOPES="email profile offline_access roles groups"

      - SSO_FRONTEND=override
      - SSO_ROLES_ENABLED=true 

Any help is welcome, have a nice day

Timshel commented 6 months ago

The redirection URL you linked is not the correct one. The URL I mentioned is the one to Zitadel; it should start with what you put in SSO_AUTHORITY: https://api.auth

LeVraiRoiDHyrule commented 6 months ago

Is this redirection URL supposed to be shown in Vaultwarden SSO debug logs? The URL I've shown is the only one in my logs.

Timshel commented 6 months ago

It's the browser url when you are redirected to Zitadel and asked to login.

LeVraiRoiDHyrule commented 6 months ago

That URL doesn't look like yours. I have https://api.auth.REDACTED.com/ui/login/login?authRequestID=266049351233568771

Timshel commented 6 months ago

Zitadel might make an internal redirection. Can you open the network debugger? It should be the URL of the 307 redirection from vaultwarden to Zitadel.

LeVraiRoiDHyrule commented 6 months ago

Found it! Here is what I have:

https://api.auth.REDACTED.com/oauth/v2/authorize?response_type=code&client_id=264077012140883971@REDACTED&state=Fzotg5dBTENc277ZWqABpBZCfLhdpGhZBjNEmnNcCEqZonR6MaYPhg5zCkJGx5zP_identifier=undefined&code_challenge=NNEIeOpGHvS7VEvJkPxIzrdud2VKzm3-y1eUhkcfIHs&code_challenge_method=S256&redirect_uri=https://vault.saladcesar.fr/identity/connect/oidc-signin&scope=openid "email profile offline_access roles groups"&nonce=-t9nBdYZY1qbBiulLRzGfw

So the problem seems to be the "", as openid is added outside of them.

Timshel commented 6 months ago

Yes, don't put `"` in your docker-compose, since it's included in the environment var.
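The quoting defect the two comments above pin down, as an added example (not vaultwarden's own code): a small Python check that mirrors how a compose `environment:` list hands `SSO_SCOPES` over with its quotes intact, how `openid` is prepended (an assumption modelled on the authorize URL shown in the thread), and which tokens in the resulting `scope` parameter are invalid per RFC 6749. The authority, client id and function names are made up for the example.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: the `environment:` list entries from this thread.
# Assumption (matches what the thread observed): compose passes the text after
# the first '=' verbatim, so surrounding quotes become part of the value.
COMPOSE_ENV_LINES = [
    'SSO_SCOPES="email profile offline_access roles groups"',
    "SSO_AUTHORITY=https://api.auth.example.com",
]

# RFC 6749 scope-token: printable ASCII without space, '"' (0x22) or '\' (0x5C).
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")

def parse_env_list(lines):
    """Split KEY=VALUE entries as a compose `environment:` list does: no quote stripping."""
    env = {}
    for line in lines:
        key, _, value = line.partition("=")
        env[key.strip()] = value
    return env

def lint_sso_scopes(value):
    """Return (scopes, problems) for an SSO_SCOPES value; problems lists quoting defects."""
    problems = []
    if value[:1] in ('"', "'") or value[-1:] in ('"', "'"):
        problems.append("SSO_SCOPES is wrapped in quotes; drop them in the compose list form")
    return value.strip("\"'").split(), problems

def build_scope_param(sso_scopes):
    """Assumption: vaultwarden prepends 'openid ' to SSO_SCOPES verbatim, as the thread's URL shows."""
    return "openid " + sso_scopes

def authorize_url(authority, client_id, scope):
    """Build an authorize redirect shaped like the thread's (PKCE parameters omitted)."""
    query = urlencode({"response_type": "code", "client_id": client_id, "scope": scope})
    return f"{authority}/oauth/v2/authorize?{query}"

def check_authorize_scopes(url):
    """Return (tokens, bad_tokens): every scope token in the URL and those that are not valid."""
    scope = parse_qs(urlsplit(url).query).get("scope", [""])[0]
    tokens = scope.split()
    return tokens, [t for t in tokens if not SCOPE_TOKEN.fullmatch(t)]
```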

LeVraiRoiDHyrule commented 6 months ago

Hi, I am now having a new issue. I can't understand what is happening. I keep having an error 400 Bad request on this URL:

https://vault.mydomain.com/identity/connect/authorize?client_id=web&redirect_uri=https%3A%2F%2Fvault.mydomain.com%2Fsso-connector.html&response_type=code&scope=api%20offline_access&state=iXrxM9eug2qAS7HMQyCibFE2iyQgyuGcwxY8vJCSsZDzVVbBZVYMpVrj3MPvNcUH_identifier=undefined&code_challenge=Gr8o8VS3Oux6Pr1d0pL_kJlHynRb2fgvJJMYZKkQ-f0&code_challenge_method=S256&response_mode=query&domain_hint=undefined&ssoToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJuYmYiOjE3MTU1MzI5NTQsImV4cCI6MTcxNTUzMzA3NCwiaXNzIjoiaHR0cHM6Ly92YXVsdC5zYWxhZGNlc2FyLmZyfHNzbyIsInN1YiI6InZhdWx0d2FyZGVuIn0.P0zTG0pdIo9jVJ_-HC3YnA5oxiazDHLXMludFyXex_6GdjpFnU3fBQXk6FFoy2bomTL5tUZ7cZLQAbX4mVOEDttgrKDm7BRw7QQg20g_dwfiK4ITNwTVw27g9R20rZDEVjJm3nK1RYQEQ-_8qkXiIDaLtOjrdGohJkPoZV6SRjQwbPThyCGwxD5GiDpDsZflabQjR2XGhGq65P--r1_eRBppvNXBX2Y4Z_0eEopU0KIGjOf6njh_5W_X_glDvuRAfVDyWXZBGz6gx-wufTieMfV4y4MNP8KvPA7kQCZSkKUkt2DF78ePWjhxZcgCAK9NptHmm_3soI3rwhHnwBMDVg

I tried deleting and recreating the application in Zitadel, I tried fully recreating the Vaultwarden container and deleting its data, with no success. My Vaultwarden settings are the following:

      - SSO_DEBUG_TOKENS=true
      - LOG_LEVEL=debug

      - DOMAIN=https://vault.${DOMAIN}
      - SIGNUPS_ALLOWED=false
      - INVITATIONS_ALLOWED=false

      - SSO_ENABLED=true
      - SSO_PKCE=true
      - SSO_ONLY=true
      - SSO_AUTHORITY=https://api.auth.${DOMAIN}
      #- SSO_AUDIENCE_TRUSTED=^264080136108834819@saladserver|265257631239700483@apps|264076946105696259$|265976263691272195@apps
      - SSO_CLIENT_ID=REDACTED@apps
      - SSO_CLIENT_SECRET=dummy
      #- SSO_SCOPES=email profile offline_access

      - SSO_FRONTEND=override
      #- SSO_ROLES_ENABLED=true 

I have the following error in Vaultwarden logs:

[2024-05-12 19:05:17.768][vaultwarden::sso][ERROR] Failed to discover OpenID provider: Request failed

The discovery endpoint of Zitadel is available and the address is correct (I can access it from my browser). Would you have an idea of what could be wrong?

Thanks in advance for any answer, have a nice day.

Timshel commented 6 months ago

[2024-05-12 19:05:17.768][vaultwarden::sso][ERROR] Failed to discover OpenID provider: Request failed

As far as I'm aware this only happens when the SSO_AUTHORITY is invalid.

${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse. The /.well-known/openid-configuration is appended by vaultwarden.
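An added offline check (not part of vaultwarden) for the discovery step described above: it builds the `/.well-known/openid-configuration` URL from `SSO_AUTHORITY` and validates an already fetched document's issuer, required endpoints, PKCE support and `scopes_supported` against the configured `SSO_SCOPES`. The discovery document and the authority are constructed samples, not the thread's real values.

```python
import json

# Constructed sample discovery document, shaped like the one an OIDC provider
# such as Zitadel serves; field names are those of the OIDC Discovery spec.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://api.auth.example.com",
    "authorization_endpoint": "https://api.auth.example.com/oauth/v2/authorize",
    "token_endpoint": "https://api.auth.example.com/oauth/v2/token",
    "jwks_uri": "https://api.auth.example.com/oauth/v2/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "code_challenge_methods_supported": ["S256"],
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(authority):
    """The URL vaultwarden fetches: SSO_AUTHORITY with /.well-known/openid-configuration appended."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(authority, body, sso_scopes, pkce=True):
    """Return findings for a discovery document fetched from `authority`; an empty list means OK."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        # A TLS, proxy or path problem usually surfaces as an HTML error page here.
        return ["response is not JSON (check TLS, proxy and the SSO_AUTHORITY path)"]
    for field in REQUIRED_FIELDS:
        if field not in doc:
            findings.append(f"missing required field: {field}")
    # OIDC Discovery requires the issuer to be identical to the URL it was fetched from.
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != authority.rstrip("/"):
        findings.append(f"issuer {issuer!r} does not match SSO_AUTHORITY {authority!r}")
    if pkce and "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("SSO_PKCE=true but provider does not advertise S256")
    supported = set(doc.get("scopes_supported", []))
    requested = ["openid"] + sso_scopes.split()  # vaultwarden adds openid itself
    if supported:
        for scope in requested:
            if scope not in supported:
                findings.append(f"scope {scope!r} is not in scopes_supported")
    return findings
```

`scopes_supported` is optional in the spec, so the scope check only runs when the provider advertises it.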

LeVraiRoiDHyrule commented 6 months ago

What is weird is that ${SSO_AUTHORITY}/.well-known/openid-configuration perfectly works and returns the json document. And it was perfectly working until now.

Timshel commented 6 months ago

Yes, but most of the issues you had were with the handling of env variables by docker-compose.

As I mentioned somewhere else, I would recommend using the env_file parameter in the docker-compose (which appears more stable; I never had the same issues) or alternatively mounting a .env file next to the /vaultwarden executable.

LeVraiRoiDHyrule commented 6 months ago

I found my issue! It had nothing to do with Vaultwarden and I'm sorry for bothering you with it. The certificates of my website had issues and that was preventing a proper connection from Vaultwarden to Zitadel. Thanks again for your help and sorry again. I am beginning to experiment a bit with Vaultwarden SSO and everything works like a charm! My full SSO server is near completion and I couldn't do it without your help. Have a very pleasant day.

LeVraiRoiDHyrule commented 5 months ago

Hi again. I was wrong, my problem was not the certs of my reverse proxy. There is something else that made my issue reappear. I am having the same error 400 as above, on the same URL and with the following settings:

      # BASE
      - DOMAIN=https://vault.${DOMAIN}
      - SIGNUPS_ALLOWED=false
      - INVITATIONS_ALLOWED=false
      - LOG_LEVEL=debug

      # SSO
      - SSO_ENABLED=true
      - SSO_PKCE=true
      - SSO_ONLY=true
      - SSO_AUTHORITY=https://api.auth.${DOMAIN}
      - SSO_AUDIENCE_TRUSTED=^REDACTED
      - SSO_CLIENT_ID=266819328995819523@apps
      - SSO_CLIENT_SECRET=dummy
      - SSO_SCOPES=email profile offline_access
      - SSO_FRONTEND=override
      #- SSO_ROLES_ENABLED=true 
      #- SSO_ORGANIZATIONS_INVITE=true
      - SSO_DEBUG_TOKENS=true

Here is the URL in error again:

https://vault.REDACTED.com/identity/connect/authorize?client_id=web&redirect_uri=https%3A%2F%2Fvault.REDACTED.com%2Fsso-connector.html&response_type=code&scope=api%20offline_access&state=q7NBqXMbJZaWRyVNA2W3nerAetBeiZYgdzV4LY8nVvrs5vhufAVzVzFNfikR3k9b_identifier=undefined&code_challenge=RfkEmHx9k0pQMTCojhIUz4uCx_bOTBjw_l175G-axYA&code_challenge_method=S256&response_mode=query&domain_hint=undefined&ssoToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJuYmYiOjE3MTY0MDYzMzEsImV4cCI6MTcxNjQwNjQ1MSwiaXNzIjoiaHR0cHM6Ly92YXVsdC5zYWxhZGNlc2FyLmZyfHNzbyIsInN1YiI6InZhdWx0d2FyZGVuIn0.SP1G3Rtqesf453d_0GuByl85XZ9FmoD8nXH5TGwqZ4UBXqaHpWSwN5SYAUSpAO44vb0fBApKBuRwlZdq-nk8nnnfkFdAdcvXZRSLNTMk4VreLX6DNIy1FH17lNY-r6hYHADQX9JnGxz4pUyfaeAxpG5VPcCREvDmLQ9FmFPYyzjDdL8Xo-wZFlj2hnGH-doHsO-hUDpqPN7MhcjKy_qiZhLSj7PD5Bg6S3V1FET2cDnjNjM4GY9CjsNuC2rV_GJb52CNMea7X1O1l-adE5GQrCbPPEUOw86cJQSvZf5M-oHODJiIeIlXhyicRf_gOXmrsh07f9w0WDngk8Fi1G1qUg

I have this in vaultwarden logs:

[2024-05-22 22:00:26.840][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 400 Bad Request

I do not have "Failed to discover OpenID provider: Request failed" this time.

Would you have an idea of what could be wrong? Is there something else I should look into to know more?

Thanks in advance for any answer and have a nice day (or evening).

Timshel commented 5 months ago

Don't you have an error in the logs before this one?

[2024-05-22 22:00:26.840][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 400 Bad Request