More review fix

1 week ago · 4faecf2549
4 changed files with 14 additions and 33 deletions
--- a/.env.template
+++ b/.env.template
@ -469,6 +469,7 @@

 ## Controls whether users can login using an OpenID Connect identity provider
 # SSO_ENABLED=false
+
 ## Prevent users from logging in directly without going through SSO
 # SSO_ONLY=false

@ -477,6 +478,7 @@

 ## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
 # SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
+
 ## Base URL of the OIDC server (auto-discovery is used)
 ##  - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
 ##  - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
@ -485,13 +487,13 @@
 ## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
 #SSO_SCOPES="email profile"

-## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
+## Additional authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
 # SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"

 ## Activate PKCE for the Auth Code flow.
 # SSO_PKCE=true

-## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted).
+## Regex for additional trusted Id token audience (by default only the client_id is trusted).
 # SSO_AUDIENCE_TRUSTED='^$'

 ## Set your Client ID and Client Key
--- a/playwright/README.md
+++ b/playwright/README.md
@ -105,7 +105,7 @@ DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env build

 # OpenID Connect test setup

-Additionnaly this `docker-compose` template allow to run locally `VaultWarden`, [Keycloak](https://www.keycloak.org/) and [Maildev](https://github.com/timshel/maildev) to test OIDC.
+Additionally this `docker-compose` template allow to run locally `VaultWarden`, [Keycloak](https://www.keycloak.org/) and [Maildev](https://github.com/timshel/maildev) to test OIDC.

 ## Setup

--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@ -43,7 +43,6 @@ pub fn routes() -> Vec<Route> {
        bulk_delete_organization_collections,
        post_bulk_collections,
        get_org_details,
-        get_org_domain_sso_details,
        get_org_domain_sso_verified,
        get_members,
        send_invite,
@ -968,26 +967,6 @@ struct OrgDomainDetails {
    email: String,
 }

-// Returning a Domain/Organization here allow to prefill it and prevent prompting the user
-// So we either return an Org name associated to the user or a dummy value.
-// The `verifiedDate` is required but the value ATM is ignored.
-// DEPRECATED: still present in `v2025.6.0` but appears unused.
-#[post("/organizations/domain/sso/details", data = "<data>")]
-async fn get_org_domain_sso_details(data: Json<OrgDomainDetails>, mut conn: DbConn) -> JsonResult {
-    let data: OrgDomainDetails = data.into_inner();
-
-    let identifier = match Organization::find_main_org_user_email(&data.email, &mut conn).await {
-        Some(org) => org.name,
-        None => crate::sso::FAKE_IDENTIFIER.to_string(),
-    };
-
-    Ok(Json(json!({
-        "organizationIdentifier": identifier,
-        "ssoAvailable": CONFIG.sso_enabled(),
-        "verifiedDate": crate::util::format_date(&chrono::Utc::now().naive_utc()),
-    })))
-}
-
 // Returning a Domain/Organization here allow to prefill it and prevent prompting the user
 // So we either return an Org name associated to the user or a dummy value.
 // In use since `v2025.6.0`, appears to use only the first `organizationIdentifier`
--- a/src/config.rs
+++ b/src/config.rs
@ -690,21 +690,21 @@ make_config! {
        /// Allow unknown email verification status |> Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
        sso_allow_unknown_email_verification: bool, false, def, false;
        /// Client ID
-        sso_client_id:                  String, false,   def,    String::new();
+        sso_client_id:                  String, true,   def,    String::new();
        /// Client Key
-        sso_client_secret:              Pass,   false,   def,    String::new();
+        sso_client_secret:              Pass,   true,   def,    String::new();
        /// Authority Server |> Base url of the OIDC provider discovery endpoint (without `/.well-known/openid-configuration`)
-        sso_authority:                  String, false,   def,    String::new();
+        sso_authority:                  String, true,   def,    String::new();
        /// Authorization request scopes |> List the of the needed scope (`openid` is implicit)
-        sso_scopes:                     String, false,  def,   "email profile".to_string();
+        sso_scopes:                     String, true,  def,   "email profile".to_string();
        /// Authorization request extra parameters
-        sso_authorize_extra_params:     String, false,  def,    String::new();
+        sso_authorize_extra_params:     String, true,  def,    String::new();
        /// Use PKCE during Authorization flow
-        sso_pkce:                       bool,   false,   def,    true;
-        /// Regex for additionnal trusted Id token audience |> By default only the client_id is trusted.
-        sso_audience_trusted:           String, false,  option;
+        sso_pkce:                       bool,   true,   def,    true;
+        /// Regex for additional trusted Id token audience |> By default only the client_id is trusted.
+        sso_audience_trusted:           String, true,  option;
        /// CallBack Path |> Generated from Domain.
-        sso_callback_path:              String, false,  generated, |c| generate_sso_callback_path(&c.domain);
+        sso_callback_path:              String, true,  generated, |c| generate_sso_callback_path(&c.domain);
        /// Optional SSO master password policy |> Ex format: '{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
        sso_master_password_policy:     String, true,  option;
        /// Use SSO only for auth not the session lifecycle |> Use default Vaultwarden session lifecycle (Idle refresh token valid for 30days)