Vaultwarden is currently unable to handle the Bitwarden Directory Connector when the base domain includes a path prefix.
Example:
DOMAIN=https://example.com/ -> works
DOMAIN=https://example.com/vault/ -> doesn't work
Vaultwarden rejects the token issued seconds before with the error message "Token not issued by this server".
This message is thrown when the token issuer check fails. When an organization API token is issued, the iss attribute follows the scheme "domain_origin|scope". But when the issuer is checked in api/core/public.rs, the iss attribute is expected to contain "domain|scope".
When using a domain with a path prefix this leads to conflicts. To fix this I replaced the domain check with a domain_origin check as issued in auth.rs.
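
The issuer mismatch described above, as an added Rust example that is not part of the pull request or of Vaultwarden's code. The function names, the scope value `org_api`, and the trailing-slash trimming of the configured domain are assumptions made for illustration.

```rust
// Added illustration: a simplified model of the issuer check, not Vaultwarden's code.

/// Reduce a configured DOMAIN to scheme://host[:port], dropping any path prefix.
fn domain_origin(domain: &str) -> String {
    match domain.split_once("://") {
        Some((scheme, rest)) => {
            let authority = rest
                .split(|c: char| matches!(c, '/' | '?' | '#'))
                .next()
                .unwrap_or("");
            format!("{}://{}", scheme, authority)
        }
        // No scheme present: nothing to split, only normalise the trailing slash.
        None => domain.trim_end_matches('/').to_string(),
    }
}

/// Issuer written into the token at issue time: "domain_origin|scope".
fn issued_iss(domain: &str, scope: &str) -> String {
    format!("{}|{}", domain_origin(domain), scope)
}

/// Check as described before the fix: expects "domain|scope".
/// Assumption: the domain is compared with its trailing slash removed.
fn check_with_domain(iss: &str, domain: &str, scope: &str) -> bool {
    iss == format!("{}|{}", domain.trim_end_matches('/'), scope)
}

/// Check as described after the fix: expects "domain_origin|scope",
/// the same value that was issued.
fn check_with_origin(iss: &str, domain: &str, scope: &str) -> bool {
    iss == issued_iss(domain, scope)
}

fn main() {
    let scope = "org_api"; // constructed scope value
    for domain in ["https://example.com/", "https://example.com/vault/"] {
        let iss = issued_iss(domain, scope);
        println!(
            "{}: iss={} domain_check={} origin_check={}",
            domain,
            iss,
            check_with_domain(&iss, domain, scope),
            check_with_origin(&iss, domain, scope)
        );
    }
}
```

The origin-based check still rejects a token whose issuer names a different origin, so the fix does not loosen the "Token not issued by this server" guard.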