Mirrors/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-03-11 20:44:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

SSO using OpenID Connect (#3899)

Browse Source 
* Add SSO functionality using OpenID Connect

Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>

* Improvements and error handling

* Stop rolling device token

* Add playwright tests

* Activate PKCE by default

* Ensure result order when searching for sso_user

* add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION

* Toggle SSO button in scss

* Base64 encode state before sending it to providers

* Prevent disabled User from SSO login

* Review fixes

* Remove unused UserOrganization.invited_by_email

* Split SsoUser::find_by_identifier_or_email

* api::Accounts::verify_password add the policy even if it's ignored

* Disable signups if SSO_ONLY is activated

* Add verifiedDate to organizations::get_org_domain_sso_details

* Review fixes

* Remove OrganizationId guard from get_master_password_policy

* Add wrapper type OIDCCode OIDCState OIDCIdentifier

* Membership::confirm_user_invitations fix and tests

* Allow set-password only if account is unitialized

* Review fixes

* Prevent accepting another user invitation

* Log password change event on SSO account creation

* Unify master password policy resolution

* Upgrade openidconnect to 4.0.0

* Revert "Remove unused UserOrganization.invited_by_email"

This reverts commit 548e19995e141314af98a10d170ea7371f02fab4.

* Process org enrollment in accounts::post_set_password

* Improve tests

* Pass the claim invited_by_email in case it was not in db

* Add Slack configuration hints

* Fix playwright tests

* Skip broken tests

* Add sso identifier in admin user panel

* Remove duplicate expiration check, add a log

* Augment mobile refresh_token validity

* Rauthy configuration hints

* Fix playwright tests

* Playwright upgrade and conf improvement

* Playwright tests improvements

* 2FA email and device creation change

* Fix and improve Playwright tests

* Minor improvements

* Fix enforceOnLogin org policies

* Run playwright sso tests against correct db

* PKCE should now work with Zitadel

* Playwright upgrade maildev to use MailBuffer.expect

* Upgrades playwright tests deps

* Check email_verified in id_token and user_info

* Add sso verified endpoint for v2025.6.0

* Fix playwright tests

* Create a separate sso_client

* Upgrade openidconnect to 4.0.1

* Server settings for login fields toggle

* Use only css for login fields

* Fix playwright test

* Review fix

* More review fix

* Perform same checks when setting kdf

---------

Co-authored-by: Felix Eckhofer <felix@eckhofer.com>
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
Co-authored-by: Timshel <timshel@480s>
This commit is contained in:
Timshel
2025-08-08 23:22:22 +02:00
committed by GitHub
parent a0c76284fd
commit cff6c2b3af
110 changed files with 8081 additions and 329 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/static/scripts/admin.js vendored
View File

@@ -28,11 +28,11 @@ function msg(text, reload_page = true) {
reload_page && reload();
}
function _post(url, successMsg, errMsg, body, reload_page = true) {
function _fetch(method, url, successMsg, errMsg, body, reload_page = true) {
let respStatus;
let respStatusText;
fetch(url, {
method: "POST",
method: method,
body: body,
mode: "same-origin",
credentials: "same-origin",
@@ -65,6 +65,14 @@ function _post(url, successMsg, errMsg, body, reload_page = true) {
});
}
function _post(url, successMsg, errMsg, body, reload_page = true) {
return _fetch("POST", url, successMsg, errMsg, body, reload_page);
}
function _delete(url, successMsg, errMsg, body, reload_page = true) {
return _fetch("DELETE", url, successMsg, errMsg, body, reload_page);
}
// Bootstrap Theme Selector
const getStoredTheme = () => localStorage.getItem("theme");
const setStoredTheme = theme => localStorage.setItem("theme", theme);
@@ -146,4 +154,4 @@ document.addEventListener("DOMContentLoaded", (/*event*/) => {
navItem[0].className = navItem[0].className + " active";
navItem[0].setAttribute("aria-current", "page");
}
});
});

33
src/static/scripts/admin_users.js vendored
View File

@@ -24,6 +24,28 @@ function deleteUser(event) {
}
}
function deleteSSOUser(event) {
event.preventDefault();
event.stopPropagation();
const id = event.target.parentNode.dataset.vwUserUuid;
const email = event.target.parentNode.dataset.vwUserEmail;
if (!id || !email) {
alert("Required parameters not found!");
return false;
}
const input_email = prompt(`To delete user "${email}", please type the email below`);
if (input_email != null) {
if (input_email == email) {
_delete(`${BASE_URL}/admin/users/${id}/sso`,
"User SSO Associtation deleted correctly",
"Error deleting user SSO association"
);
} else {
alert("Wrong email, please try again");
}
}
}
function remove2fa(event) {
event.preventDefault();
event.stopPropagation();
@@ -246,6 +268,9 @@ function initUserTable() {
document.querySelectorAll("button[vw-delete-user]").forEach(btn => {
btn.addEventListener("click", deleteUser);
});
document.querySelectorAll("button[vw-delete-sso-user]").forEach(btn => {
btn.addEventListener("click", deleteSSOUser);
});
document.querySelectorAll("button[vw-disable-user]").forEach(btn => {
btn.addEventListener("click", disableUser);
});
@@ -263,6 +288,8 @@ function initUserTable() {
// onLoad events
document.addEventListener("DOMContentLoaded", (/*event*/) => {
const size = jQuery("#users-table > thead th").length;
const ssoOffset = size-7;
jQuery("#users-table").DataTable({
"drawCallback": function() {
initUserTable();
@@ -275,10 +302,10 @@ document.addEventListener("DOMContentLoaded", (/*event*/) => {
],
"pageLength": -1, // Default show all
"columnDefs": [{
"targets": [1, 2],
"targets": [1 + ssoOffset, 2 + ssoOffset],
"type": "date-iso"
}, {
"targets": 6,
"targets": size-1,
"searchable": false,
"orderable": false
}]
@@ -303,4 +330,4 @@ document.addEventListener("DOMContentLoaded", (/*event*/) => {
if (btnInviteUserForm) {
btnInviteUserForm.addEventListener("submit", inviteUser);
}
});
});

11
src/static/templates/admin/users.hbs
View File

@@ -6,6 +6,9 @@
<thead>
<tr>
<th class="vw-account-details">User</th>
{{#if sso_enabled}}
<th class="vw-sso-identifier">SSO Identifier</th>
{{/if}}
<th class="vw-created-at">Created at</th>
<th class="vw-last-active">Last Active</th>
<th class="vw-entries">Entries</th>
@@ -38,6 +41,11 @@
</span>
</div>
</td>
{{#if ../sso_enabled}}
<td>
<span class="d-block">{{sso_identifier}}</span>
</td>
{{/if}}
<td>
<span class="d-block">{{created_at}}</span>
</td>
@@ -67,6 +75,9 @@
{{/if}}
<button type="button" class="btn btn-sm btn-link p-0 border-0 float-right" vw-deauth-user>Deauthorize sessions</button><br>
<button type="button" class="btn btn-sm btn-link p-0 border-0 float-right" vw-delete-user>Delete User</button><br>
{{#if ../sso_enabled}}
<button type="button" class="btn btn-sm btn-link p-0 border-0 float-right" vw-delete-sso-user>Delete SSO Association</button><br>
{{/if}}
{{#if user_enabled}}
<button type="button" class="btn btn-sm btn-link p-0 border-0 float-right" vw-disable-user>Disable User</button><br>
{{else}}

2
src/static/templates/email/send_org_invite.html.hbs
View File

@@ -9,7 +9,7 @@ Join {{{org_name}}}
</tr>
<tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
<a href="{{{url}}}"
<a data-testid="invite" href="{{{url}}}"
clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
Join Organization Now
</a>

4
src/static/templates/email/sso_change_email.hbs Normal file
View File

@@ -0,0 +1,4 @@
Your Email Changed
<!---------------->
Your email was changed in your SSO Provider. Please update your email in Account Settings ({{url}}).
{{> email/email_footer_text }}

11
src/static/templates/email/sso_change_email.html.hbs Normal file
View File

@@ -0,0 +1,11 @@
Your Email Changed
<!---------------->
{{> email/email_header }}
<table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
Your email was changed in your SSO Provider. Please update your email in <a href="{{url}}/">Account Settings</a>.
</td>
</tr>
</table>
{{> email/email_footer }}

2
src/static/templates/email/twofactor_email.html.hbs
View File

@@ -4,7 +4,7 @@ Vaultwarden Login Verification Code
<table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
Your two-step verification code is: <b>{{token}}</b>
Your two-step verification code is: <b data-testid="2fa">{{token}}</b>
</td>
</tr>
<tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">

2
src/static/templates/email/verify_email.html.hbs
View File

@@ -9,7 +9,7 @@ Verify Your Email
</tr>
<tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
<a href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}"
<a data-testid="verify" href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}"
clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
Verify Email Address Now
</a>

22
src/static/templates/scss/vaultwarden.scss.hbs
View File

@@ -21,15 +21,33 @@ a[href$="/settings/sponsored-families"] {
}
/* Hide the sso `Email` input field */
{{#if sso_disabled}}
.vw-email-sso {
@extend %vw-hide;
}
{{/if}}
/* Hide the default/continue `Email` input field */
{{#if (not sso_disabled)}}
.vw-email-continue {
@extend %vw-hide;
}
{{/if}}
/* Hide the `Continue` button on the login page */
{{#if (not sso_disabled)}}
.vw-continue-login {
@extend %vw-hide;
}
{{/if}}
/* Hide the `Enterprise Single Sign-On` button on the login page */
{{#if (webver ">=2025.5.1")}}
{{#if sso_disabled}}
.vw-sso-login {
@extend %vw-hide;
}
{{/if}}
{{else}}
app-root ng-component > form > div:nth-child(1) > div > button[buttontype="secondary"].\!tw-text-primary-600:nth-child(4) {
@extend %vw-hide;
@@ -53,9 +71,11 @@ app-root ng-component > form > div:nth-child(1) > div > button[buttontype="secon
/* Hide the or text followed by the two buttons hidden above */
{{#if (webver ">=2025.5.1")}}
{{#if (or sso_disabled sso_only)}}
.vw-or-text {
@extend %vw-hide;
}
{{/if}}
{{else}}
app-root ng-component > form > div:nth-child(1) > div:nth-child(3) > div:nth-child(2) {
@extend %vw-hide;
@@ -63,9 +83,11 @@ app-root ng-component > form > div:nth-child(1) > div:nth-child(3) > div:nth-chi
{{/if}}
/* Hide the `Other` button on the login page */
{{#if (or sso_disabled sso_only)}}
.vw-other-login {
@extend %vw-hide;
}
{{/if}}
/* Hide Two-Factor menu in Organization settings */
bit-nav-item[route="settings/two-factor"],