SSO using OpenID Connect #3899

Open
wants to merge 41 commits into base: main
Changes from 1 commit
41 commits
671f7a1
Add SSO functionality using OpenID Connect
tribut Aug 30, 2023
fefa55c
Improvements and error handling
Timshel Sep 12, 2024
524d65e
Stop rolling device token
Timshel Apr 15, 2024
927968d
Add playwright tests
Timshel Sep 25, 2024
d6af686
Activate PKCE by default
Timshel Oct 7, 2024
fb5b568
Ensure result order when searching for sso_user
Timshel Oct 7, 2024
8dfaee6
add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
Timshel Oct 7, 2024
a9cc0e5
Toggle SSO button in scss
Timshel Nov 18, 2024
a85bdb2
Base64 encode state before sending it to providers
Timshel Nov 28, 2024
3617be0
Prevent disabled User from SSO login
Timshel Nov 28, 2024
b9e257b
Review fixes
Timshel Dec 30, 2024
0e8a462
Remove unused UserOrganization.invited_by_email
Timshel Jan 2, 2025
bee619f
Split SsoUser::find_by_identifier_or_email
Timshel Jan 2, 2025
44045a8
api::Accounts::verify_password add the policy even if it's ignored
Timshel Jan 3, 2025
ce5368f
Disable signups if SSO_ONLY is activated
Timshel Jan 3, 2025
a5ce1c3
Add verifiedDate to organizations::get_org_domain_sso_details
Timshel Jan 7, 2025
f353933
Review fixes
Timshel Jan 10, 2025
6129214
Merge remote-tracking branch 'dani/main' into sso-support
Timshel Jan 10, 2025
2f4d2da
Remove OrganizationId guard from get_master_password_policy
Timshel Jan 10, 2025
16c230e
Add wrapper type OIDCCode OIDCState OIDCIdentifier
Timshel Jan 10, 2025
795328b
Merge remote-tracking branch 'dani/main' into sso-support
Timshel Jan 13, 2025
3ec4b0c
Merge remote-tracking branch 'dani/main' into sso-support
Timshel Jan 15, 2025
da8be29
Membership::confirm_user_invitations fix and tests
Timshel Jan 16, 2025
6f9b88e
Allow set-password only if account is uninitialized
Timshel Jan 16, 2025
0b556b2
Review fixes
Timshel Jan 16, 2025
ae1c17a
Prevent accepting another user invitation
Timshel Jan 17, 2025
6ee5580
Merge remote-tracking branch 'dani/main' into sso-support
Timshel Jan 24, 2025
004aae9
Merge tag '1.33.0' into sso-support
Timshel Jan 27, 2025
246072c
Merge remote-tracking branch 'dani/main' into sso-support
Timshel Jan 28, 2025
175d488
Log password change event on SSO account creation
Timshel Jan 28, 2025
59bfc13
Merge remote-tracking branch 'dani/main' into sso-support
Timshel Jan 30, 2025
f3a8806
Merge tag '1.33.1' into sso-support
Timshel Feb 4, 2025
a0662bb
Merge remote-tracking branch 'dani/main' into sso-support
Timshel Feb 4, 2025
e31b154
Unify master password policy resolution
Timshel Feb 4, 2025
d6051b1
Upgrade openidconnect to 4.0.0
Timshel Feb 5, 2025
49dcceb
Merge remote-tracking branch 'dani/main' into sso-support
Timshel Feb 10, 2025
8d2d9f8
Revert "Remove unused UserOrganization.invited_by_email"
Timshel Jan 8, 2025
7649ce8
Process org enrollment in accounts::post_set_password
Timshel Feb 11, 2025
edef0ca
Improve tests
Timshel Feb 11, 2025
5711080
Pass the claim invited_by_email in case it was not in db
Timshel Feb 11, 2025
1feda56
Merge remote-tracking branch 'dani/main' into sso-support
Timshel Feb 17, 2025
Toggle SSO button in scss
Timshel committed Jan 9, 2025
commit a9cc0e5b4ab8308545eea8dd16d90736216cf745
7 changes: 0 additions & 7 deletions docker/start.sh
@@ -26,11 +26,4 @@ elif [ -d /etc/bitwarden_rs.d ]; then
done
fi

# Toggle the SSO Link
if [ "$SSO_ENABLED" = "true" ]; then
sed -i 's#a\[routerlink="/sso"\]#a\[routerlink="/sso-sed"\]#' /web-vault/app/main.*.css
else
sed -i 's#a\[routerlink="/sso-sed"\]#a\[routerlink="/sso"\]#' /web-vault/app/main.*.css
fi

exec /vaultwarden "${@}"
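Review bot: Dropping the start-time `sed -i` rewrite of `/web-vault/app/main.*.css` is the right call, and the reason deserves a sentence in the commit message: the script mutated shipped static assets on every container start, the glob silently matches nothing when the web-vault build changes its hashed CSS filename (leaving the link in whatever state the previous run produced), and it depended on an undocumented `/sso-sed` sentinel selector. Since `SSO_ENABLED` is no longer read in start.sh at all, a one-line comment near `exec /vaultwarden "${@}"` pointing to the SCSS template where the toggle now lives would help the next person who looks for it here.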
3 changes: 1 addition & 2 deletions playwright/tests/sso_login.spec.ts
@@ -38,8 +38,7 @@ test('Non SSO login', async ({ page }) => {
await expect(page).toHaveTitle(/Vaultwarden Web/);
});


test('Non SSO login Failure', async ({ page, browser }, testInfo: TestInfo) => {
test('Non SSO login impossible', async ({ page, browser }, testInfo: TestInfo) => {
await utils.restartVaultwarden(page, testInfo, {
SSO_ENABLED: true,
SSO_ONLY: true
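Review bot: The rename to 'Non SSO login impossible' matches the `SSO_ENABLED: true` / `SSO_ONLY: true` setup better than 'Failure', but the visible lines show only the restart, not what the test asserts. Because this commit enforces SSO-only mode in the browser by hiding `.master-password-login`, the test should check two things: that the master-password form is not rendered, and that a password login submitted directly to the API is still rejected, since a hidden form is not a security boundary. Removing the extra blank line before the test is fine.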
10 changes: 6 additions & 4 deletions src/api/web.rs
@@ -54,12 +54,14 @@ fn not_found() -> ApiResult<Html<String>> {
#[get("/css/vaultwarden.css")]
fn vaultwarden_css() -> Cached<Css<String>> {
let css_options = json!({
"signup_disabled": !CONFIG.signups_allowed() && CONFIG.signups_domains_whitelist().is_empty(),
"mail_enabled": CONFIG.mail_enabled(),
"yubico_enabled": CONFIG._enable_yubico() && (CONFIG.yubico_client_id().is_some() == CONFIG.yubico_secret_key().is_some()),
"emergency_access_allowed": CONFIG.emergency_access_allowed(),
"sends_allowed": CONFIG.sends_allowed(),
"load_user_scss": true,
"mail_enabled": CONFIG.mail_enabled(),
"sends_allowed": CONFIG.sends_allowed(),
"signup_disabled": !CONFIG.signups_allowed() && CONFIG.signups_domains_whitelist().is_empty(),
"sso_disabled": !CONFIG.sso_enabled(),
"sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
"yubico_enabled": CONFIG._enable_yubico() && (CONFIG.yubico_client_id().is_some() == CONFIG.yubico_secret_key().is_some()),
});

let scss = match CONFIG.render_template("scss/vaultwarden.scss", &css_options) {
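Review bot: `"sso_only": CONFIG.sso_enabled() && CONFIG.sso_only()` is the important line here: it prevents a misconfiguration where `SSO_ONLY=true` with SSO disabled would hide the master-password login and lock every user out of the web vault, and a short comment saying that `SSO_ONLY` is ignored unless `SSO_ENABLED` is set would make the intent explicit. Two further points: `signup_disabled` is not affected by `sso_only` in this hunk, so the signup link stays visible in SSO-only mode (the later commit "Disable signups if SSO_ONLY is activated" in this PR appears to address that), and the alphabetical reordering of the untouched keys (`mail_enabled`, `sends_allowed`, `signup_disabled`, `yubico_enabled`) inflates the diff; keep such reorderings in their own commit so the functional change stands out.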
19 changes: 14 additions & 5 deletions src/static/templates/scss/vaultwarden.scss.hbs
@@ -20,11 +20,6 @@ a[href$="/settings/sponsored-families"] {
@extend %vw-hide;
}

/* Hide the `Enterprise Single Sign-On` button on the login page */
a[routerlink="/sso"] {
@extend %vw-hide;
}

/* Hide Two-Factor menu in Organization settings */
bit-nav-item[route="settings/two-factor"],
a[href$="/settings/two-factor"] {
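Review bot: Removing the unconditional `a[routerlink="/sso"]` hide makes the SSO button visible by default; it is hidden again only by the `{{#if sso_disabled}}` block added further down in this template. That is fail-open for any call site that renders `scss/vaultwarden.scss.hbs` without a `sso_disabled` key, because Handlebars treats a missing key as falsy. Passing the positive flag `sso_enabled` and writing `{{#unless sso_enabled}}`, as the template already does with `{{#unless mail_enabled}}`, fails closed (button hidden unless SSO is explicitly on) and avoids the double negative.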
@@ -100,6 +95,20 @@ app-login form div + div + div + div + hr + p {
}
{{/if}}

{{#if sso_only}}
/* Hide Master password login */
.master-password-login {
@extend %vw-hide;
}
{{/if}}

{{#if sso_disabled}}
/* Hide the `Enterprise Single Sign-On` button on the login page */
a[routerlink="/sso"] {
@extend %vw-hide;
}
{{/if}}

{{#unless mail_enabled}}
/* Hide `Email` 2FA if mail is not enabled */
app-two-factor-setup ul.list-group.list-group-2fa li.list-group-item:nth-child(1) {
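Review bot: Hiding `.master-password-login` under `sso_only` is a usability measure, not an access control: the form can be unhidden from the browser's devtools and the login endpoint called directly, so the server must reject password logins on its own when `SSO_ONLY` is set; the web.rs change in this commit only decides which CSS is emitted. Also, `.master-password-login` and `a[routerlink="/sso"]` are upstream web-vault selectors that can change between web-vault releases, so the playwright SSO tests should exercise both the `sso_only` and the `sso_disabled` branches to catch a silently broken selector.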