diff --git a/.env.template b/.env.template
index ceebaa0f..a3e4ef85 100644
--- a/.env.template
+++ b/.env.template
@@ -469,6 +469,7 @@
 ## Controls whether users can login using an OpenID Connect identity provider
 # SSO_ENABLED=false
+
 ## Prevent users from logging in directly without going through SSO
 # SSO_ONLY=false
@@ -477,6 +478,7 @@
 ## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
 # SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
+
 ## Base URL of the OIDC server (auto-discovery is used)
 ## - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
 ## - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
@@ -485,13 +487,13 @@
 ## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
 #SSO_SCOPES="email profile"
-## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
+## Additional authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
 # SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
 ## Activate PKCE for the Auth Code flow.
 # SSO_PKCE=true
-## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted).
+## Regex for additional trusted Id token audience (by default only the client_id is trusted).
 # SSO_AUDIENCE_TRUSTED='^$'
 ## Set your Client ID and Client Key
diff --git a/playwright/README.md b/playwright/README.md
index 3f8bef40..47a1efe6 100644
--- a/playwright/README.md
+++ b/playwright/README.md
@@ -105,7 +105,7 @@ DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env build # OpenID Connect test setup
-Additionnaly this `docker-compose` template allow to run locally `VaultWarden`, [Keycloak](https://www.keycloak.org/) and [Maildev](https://github.com/timshel/maildev) to test OIDC.
+Additionally this `docker-compose` template allow to run locally `VaultWarden`, [Keycloak](https://www.keycloak.org/) and [Maildev](https://github.com/timshel/maildev) to test OIDC.
 ## Setup
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index a0e79fc4..0478821d 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -43,7 +43,6 @@ pub fn routes() -> Vec {
 bulk_delete_organization_collections,
 post_bulk_collections,
 get_org_details,
- get_org_domain_sso_details,
 get_org_domain_sso_verified,
 get_members,
 send_invite,
@@ -968,26 +967,6 @@ struct OrgDomainDetails {
 email: String,
 }
-// Returning a Domain/Organization here allow to prefill it and prevent prompting the user
-// So we either return an Org name associated to the user or a dummy value.
-// The `verifiedDate` is required but the value ATM is ignored.
-// DEPRECATED: still present in `v2025.6.0` but appears unused.
-#[post("/organizations/domain/sso/details", data = "")]
-async fn get_org_domain_sso_details(data: Json, mut conn: DbConn) -> JsonResult {
- let data: OrgDomainDetails = data.into_inner();
- let identifier = match Organization::find_main_org_user_email(&data.email, &mut conn).await {
- Some(org) => org.name,
- None => crate::sso::FAKE_IDENTIFIER.to_string(),
- };
- Ok(Json(json!({
- "organizationIdentifier": identifier,
- "ssoAvailable": CONFIG.sso_enabled(),
- "verifiedDate": crate::util::format_date(&chrono::Utc::now().naive_utc()),
- })))
-}
-
 // Returning a Domain/Organization here allow to prefill it and prevent prompting the user
 // So we either return an Org name associated to the user or a dummy value.
 // In use since `v2025.6.0`, appears to use only the first `organizationIdentifier`
diff --git a/src/config.rs b/src/config.rs
index 34dfb298..9a45298c 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -690,21 +690,21 @@ make_config! {
 /// Allow unknown email verification status |> Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
 sso_allow_unknown_email_verification: bool, false, def, false;
 /// Client ID
- sso_client_id: String, false, def, String::new();
+ sso_client_id: String, true, def, String::new();
 /// Client Key
- sso_client_secret: Pass, false, def, String::new();
+ sso_client_secret: Pass, true, def, String::new();
 /// Authority Server |> Base url of the OIDC provider discovery endpoint (without `/.well-known/openid-configuration`)
- sso_authority: String, false, def, String::new();
+ sso_authority: String, true, def, String::new();
 /// Authorization request scopes |> List the of the needed scope (`openid` is implicit)
- sso_scopes: String, false, def, "email profile".to_string();
+ sso_scopes: String, true, def, "email profile".to_string();
 /// Authorization request extra parameters
- sso_authorize_extra_params: String, false, def, String::new();
+ sso_authorize_extra_params: String, true, def, String::new();
 /// Use PKCE during Authorization flow
- sso_pkce: bool, false, def, true;
- /// Regex for additionnal trusted Id token audience |> By default only the client_id is trusted.
- sso_audience_trusted: String, false, option;
+ sso_pkce: bool, true, def, true;
+ /// Regex for additional trusted Id token audience |> By default only the client_id is trusted.
+ sso_audience_trusted: String, true, option;
 /// CallBack Path |> Generated from Domain.
- sso_callback_path: String, false, generated, |c| generate_sso_callback_path(&c.domain);
+ sso_callback_path: String, true, generated, |c| generate_sso_callback_path(&c.domain);
 /// Optional SSO master password policy |> Ex format: '{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
 sso_master_password_policy: String, true, option;
 /// Use SSO only for auth not the session lifecycle |> Use default Vaultwarden session lifecycle (Idle refresh token valid for 30days)
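Review bot: Flipping the second `make_config!` field from `false` to `true` on `sso_client_id` through `sso_callback_path` widens what the admin panel can change, assuming that field is the admin-editable flag (the unchanged context line `sso_master_password_policy: String, true, option;` suggests it is): whoever holds the admin token can now repoint `sso_authority` or replace the client credentials at runtime, which redirects every SSO login to an identity provider of their choosing. The hunk adds no corresponding validation, so it is worth confirming that the existing config validation still rejects an enabled SSO with an empty `sso_authority` or `sso_client_id`, and that it runs on admin saves and not only at startup. If the OIDC discovery document or client is cached, a runtime change to `sso_authority` or `sso_audience_trusted` may not take effect until restart; confirm the cache is invalidated on save, or state the restart requirement in the `/// Authority Server |> …` doc string, since that text is what the admin sees. Also confirm that `sso_client_secret`, typed `Pass`, is masked in the admin view and in any diagnostics/support output now that it is exposed there. The `make_config!` block starts before this hunk.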