Hi,
I know this question is about a fork, so this may not be the best place to ask, but I found no other place (other than issues in the fork, which are not meant for help requests).
I want to use the Vaultwarden OIDC fork by Timshel (GitHub - Timshel/vaultwarden: Fork from dani-garcia/vaultwarden to add OpendID support) with Zitadel as my OIDC provider. I am struggling to get it to work. My compose is the following:
```yaml
vaultwarden:
  image: ghcr.io/timshel/vaultwarden:latest
  container_name: vaultwarden
  environment:
    - PUID=${PUID}
    - PGID=${PGID}
    - TZ=${TZ}
    - SSO_ONLY=true
    - DOMAIN=https://vault.${DOMAIN}
    - SIGNUPS_ALLOWED=false
    - INVITATIONS_ALLOWED=false
    - SSO_AUTHORITY=https://auth.${DOMAIN}
    - SSO_PKCE=true
    - SSO_ROLES_ENABLED=true
    - SSO_ENABLED=true
    - SSO_AUDIENCE_TRUSTED='^264076946105696259$'
    - SSO_SCOPES="email profile offline_access
    - SSO_FRONTEND=override
    - SSO_CLIENT_ID=redacted
    - SSO_CLIENT_SECRET=dummy
  networks:
    - services
  volumes:
    - ${CONFIG_FOLDER}/vaultwarden:/data
  restart: unless-stopped
```
When I try to log in with SSO, I get a 400 error:

```
auth.mydomain.com CLIENTIPREDACTED - - [23/Apr/2024:21:44:37 +0200] "GET /oauth/v2/authorize?response_type=code&client_id=REDACTED&state=qgqBM4AwMr7BhhdL3kj7EgAsgoxSgmW5Fw36Q7QfxNotBS8VaWUcwpimwaAJkYx2_identifier%3Dundefined&code_challenge=W4AbiB0tG1GzI-xQYR6TDJczWDGrJT2k_HglACayhGc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fvault.mydomain.com%2Fidentity%2Fconnect%2Foidc-signin&scope=openid+%22email+profile+offline_access&nonce=Av91kk8hE6JjbVrI1jU2vA HTTP/2.0" 400 184161 "https://vault.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"
```
What I understand from this error is that Vaultwarden is not sending the correct headers to the OIDC endpoint. I suppose that my Vaultwarden configuration is incorrect.
Any help, any answer is welcome.
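As an added example (not part of the original post or of the Vaultwarden project), a small Python check that extracts the authorize request from an access-log line like the one above and validates its query parameters against the OAuth 2.0 / OIDC authorization-code rules, so a 400 from the provider can be triaged from the log alone. The log line is reconstructed from the post with the `state` value shortened and the host and client ids kept as the post's redacted placeholders.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed from the access-log line in the post above; `state` shortened,
# host and ids are the post's own redacted placeholders.
LOG_LINE = (
    'auth.mydomain.com CLIENTIPREDACTED - - [23/Apr/2024:21:44:37 +0200] '
    '"GET /oauth/v2/authorize?response_type=code&client_id=REDACTED&state=abc'
    '&code_challenge=W4AbiB0tG1GzI-xQYR6TDJczWDGrJT2k_HglACayhGc'
    '&code_challenge_method=S256'
    '&redirect_uri=https%3A%2F%2Fvault.mydomain.com%2Fidentity%2Fconnect%2Foidc-signin'
    '&scope=openid+%22email+profile+offline_access&nonce=Av91kk8hE6JjbVrI1jU2vA'
    ' HTTP/2.0" 400 184161 "https://vault.mydomain.com/" "Mozilla/5.0"'
)

def request_target_from_log(line: str) -> Optional[str]:
    """Pull the request target (path + query) out of a combined-format log line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    return m.group(1) if m else None

def is_valid_scope_token(token: str) -> bool:
    """RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
    i.e. printable ASCII without space, double quote or backslash."""
    return bool(token) and all(
        c == "\x21" or "\x23" <= c <= "\x5b" or "\x5d" <= c <= "\x7e" for c in token
    )

def check_authorize_request(target: str) -> List[str]:
    """Return the problems found in an authorization-code request; [] if none."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    problems = []
    for name in ("response_type", "client_id", "redirect_uri", "scope"):
        if name not in params:
            problems.append(f"missing required parameter: {name}")
    if params.get("response_type") != "code":
        problems.append("response_type is not 'code'")
    tokens = params.get("scope", "").split(" ")  # '+' was already decoded to ' '
    if "openid" not in tokens:
        problems.append("scope lacks the mandatory 'openid' token")
    problems += [f"invalid scope token: {t!r}" for t in tokens if not is_valid_scope_token(t)]
    if "code_challenge" in params and params.get("code_challenge_method") not in ("plain", "S256"):
        problems.append("code_challenge without a valid code_challenge_method")
    if not params.get("redirect_uri", "").startswith("https://"):
        problems.append("redirect_uri is not an https URL")
    return problems

if __name__ == "__main__":
    for problem in check_authorize_request(request_target_from_log(LOG_LINE) or ""):
        print(problem)
```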