Merge 6df71d95d4 into 6edceb5f7a

.env.template

@@ -161,6 +161,10 @@
 ## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
 ## Defaults to every minute. Set blank to disable this job.
 # DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
+#
+## Cron schedule of the job that cleans sso nonce from incomplete flow
+## Defaults to daily (20 minutes after midnight). Set blank to disable this job.
+# PURGE_INCOMPLETE_SSO_NONCE="0 20 0 * * *"
 
 ########################
 ### General settings ###
@@ -444,6 +448,42 @@
 ## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
 # ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
 
+#####################################
+### SSO settings (OpenID Connect) ###
+#####################################
+
+## Controls whether users can login using an OpenID Connect identity provider
+# SSO_ENABLED=false
+## Prevent users from logging in directly without going through SSO
+# SSO_ONLY=false
+## On SSO Signup if a user with a matching email already exists make the association
+# SSO_SIGNUPS_MATCH_EMAIL=true
+## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
+# SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
+## Base URL of the OIDC server (auto-discovery is used)
+##  - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
+##  - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+# SSO_AUTHORITY=https://auth.example.com
+## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
+#SSO_SCOPES="email profile"
+## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
+# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
+## Activate PKCE for the Auth Code flow.
+# SSO_PKCE=true
+## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted).
+# SSO_AUDIENCE_TRUSTED='^$'
+## Set your Client ID and Client Key
+# SSO_CLIENT_ID=11111
+# SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
+## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
+# SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
+## Use sso only for authentication not the session lifecycle
+# SSO_AUTH_ONLY_NOT_SESSION=false
+## Client cache for discovery endpoint. Duration in seconds (0 to disable).
+# SSO_CLIENT_CACHE_EXPIRATION=0
+## Log all the tokens, LOG_LEVEL=debug is required
+# SSO_DEBUG_TOKENS=false
+
 ########################
 ### MFA/2FA settings ###
 ########################

Cargo.toml

@@ -32,6 +32,10 @@ enable_mimalloc = ["dep:mimalloc"]
 # if you want to turn off the logging for a specific run.
 query_logger = ["dep:diesel_logger"]
 
+# OIDC specific features
+oidc-accept-rfc3339-timestamps = ["openidconnect/accept-rfc3339-timestamps"]
+oidc-accept-string-booleans = ["openidconnect/accept-string-booleans"]
+
 # Enable unstable features, requires nightly
 # Currently only used to enable rusts official ip support
 unstable = []
@@ -156,6 +160,10 @@ pico-args = "0.5.0"
 paste = "1.0.15"
 governor = "0.8.0"
 
+# OIDC for SSO
+openidconnect = { version = "4.0.0", features = ["reqwest", "native-tls"] }
+mini-moka = "0.10.2"
+
 # Check client versions for specific features.
 semver = "1.0.25"
 

SSO.md

@@ -0,0 +1,293 @@
+# SSO using OpenId Connect
+
+To use an external source of authentication your SSO will need to support OpenID Connect :
+
+- An OpenID Connect Discovery endpoint should be available
+- Client authentication will be done using Id and Secret.
+
+A master password will still be required and not controlled by the SSO (depending on your point of view this might be a feature ;).
+This introduces another way to control who can use the vault without having to use invitation or using an LDAP.
+
+## Configuration
+
+The following configurations are available
+
+ - `SSO_ENABLED` : Activate the SSO
+ - `SSO_ONLY` : disable email+Master password authentication
+ - `SSO_SIGNUPS_MATCH_EMAIL`: On SSO Signup if a user with a matching email already exists make the association (default `true`)
+ - `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`: Allow unknown email verification status (default `false`). Allowing this with `SSO_SIGNUPS_MATCH_EMAIL` open potential account takeover.
+ - `SSO_AUTHORITY` : the OpenID Connect Discovery endpoint of your SSO
+ 	- Should not include the `/.well-known/openid-configuration` part and no trailing `/`
+ 	- $SSO_AUTHORITY/.well-known/openid-configuration should return the a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+ - `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`)
+ - `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
+ - `SSO_PKCE`: Activate PKCE for the Auth Code flow (default `true`).
+ - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
+ - `SSO_CLIENT_ID` : Client Id
+ - `SSO_CLIENT_SECRET` : Client Secret
+ - `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy (`enforceOnLogin` is not supported).
+ - `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle
+ - `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
+ - `SSO_DEBUG_TOKENS`: Log all tokens (default `false`, `LOG_LEVEL=debug` is required)
+
+The callback url is : `https://your.domain/identity/connect/oidc-signin`
+
+## Account and Email handling
+
+When logging in with SSO an identifier (`{iss}/{sub}` claims from the IdToken) is saved in a separate table (`sso_users`).
+This is used to link to the SSO provider identifier without changing the default Vaultwarden user `uuid`. This is needed because:
+
+ - Storing the SSO identifier is important to prevent account takeover due to email change.
+ - We can't use the identifier as the User uuid since it's way longer (Max 255 chars for the `sub` part, cf [spec](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)).
+ - We want to be able to associate existing account based on `email` but only when the user logs in for the first time (controlled by `SSO_SIGNUPS_MATCH_EMAIL`).
+ - We need to be able to associate with existing stub account, such as the one created when inviting a user to an org (association is possible only if the user does not have a private key).
+
+Additionally:
+
+ - Signup to Vaultwarden will be blocked if the Provider reports the email as `unverified`.
+ - Changing the email needs to be done by the user since it requires updating the `key`.
+ 	 On login if the email returned by the provider is not the one saved in Vaultwarden an email will be sent to the user to ask him to update it.
+ - If set `SIGNUPS_DOMAINS_WHITELIST` is applied on SSO signup and when attempting to change the email.
+
+This means that if you ever need to change the provider url or the provider itself; you'll have to first delete the association
+then ensure that `SSO_SIGNUPS_MATCH_EMAIL` is activated to allow a new association.
+
+To delete the association (this has no impact on the `Vaultwarden` user):
+
+```sql
+TRUNCATE TABLE sso_users;
+```
+
+### On `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`
+
+If your provider does not send the verification status of emails (`email_verified` [claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims)) you will need to activate this setting.
+
+If set with `SSO_SIGNUPS_MATCH_EMAIL=true` (the default), then a user can associate with an existing, non-SSO account, even if they do not control the email address.
+This allow a user to gain access to sensitive information but the master password is still required to read the passwords.
+
+As such when using `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION` it is recommended to disable `SSO_SIGNUPS_MATCH_EMAIL`.
+If you need to associate non sso users try to keep both settings activated for the shortest time possible.
+
+## Client Cache
+
+By default the client cache is disabled since it can cause issues with the signing keys.
+\
+This means that the discovery endpoint will be called again each time we need to interact with the provider (generating authorize_url, exchange the authorize code, refresh tokens).
+This is suboptimal so the `SSO_CLIENT_CACHE_EXPIRATION` allows you to configure an expiration that should work for your provider.
+
+As a protection against a misconfigured expiration if the validation of the `IdToken` fails then the client cache is invalidated (but you'll periodically have an unlucky user ^^).
+
+### Google example (Rolling keys)
+
+If we take Google as an example checking the discovery [endpoint](https://accounts.google.com/.well-known/openid-configuration) response headers we can see that the `max-age` of the cache control is set to `3600` seconds. And the [jwk_uri](https://www.googleapis.com/oauth2/v3/certs) response headers usually contain a `max-age` with an even bigger value.
+/
+Combined with user [feedback](https://github.com/ramosbugs/openidconnect-rs/issues/152) we can conclude that Google will roll the signing keys each week.
+
+Setting the cache expiration too high has diminishing return but using something like `600` (10 min) should provide plenty benefits.
+
+### Rolling keys manually
+
+If you want to roll the used key, first add a new one but do not immediately start signing with it.
+Wait for the delay you configured in `SSO_CLIENT_CACHE_EXPIRATION` then you can start signing with it.
+
+As mentioned in the Google example setting too high of a value has diminishing return even if you do not plan to roll the keys.
+
+## Keycloak
+
+Default access token lifetime might be only `5min`, set a longer value otherwise it will collide with `VaultWarden` front-end expiration detection which is also set at `5min`.
+\
+At the realm level
+
+- `Realm settings / Tokens / Access Token Lifespan` to at least `10min` (`accessTokenLifespan` setting when using `kcadm.sh`).
+- `Realm settings / Sessions / SSO Session Idle/Max` for the Refresh token lifetime
+
+Or for a specific client in `Clients / Client details / Advanced / Advanced settings` you can find `Access Token Lifespan` and `Client Session Idle/Max`.
+
+Server configuration, nothing specific just set:
+
+- `SSO_AUTHORITY=https://${domain}/realms/${realm_name}`
+- `SSO_CLIENT_ID`
+- `SSO_CLIENT_SECRET`
+
+### Testing
+
+If you want to run a testing instance of Keycloak the Playwright [docker-compose](playwright/docker-compose.yml) can be used.
+\
+More details on how to use it in [README.md](playwright/README.md#openid-connect-test-setup).
+
+
+## Auth0
+
+Not working due to the following issue https://github.com/ramosbugs/openidconnect-rs/issues/23 (they appear not to follow the spec).
+A feature flag is available to bypass the issue but since it's a compile time feature you will have to patch `Vaultwarden` with something like:
+
+```patch
+diff --git a/Cargo.toml b/Cargo.toml
+index 0524a7be..9999e852 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -150,7 +150,7 @@ paste = "1.0.15"
+ governor = "0.6.3"
+
+ # OIDC for SSO
+-openidconnect = "3.5.0"
++openidconnect = { version = "3.5.0", features = ["accept-rfc3339-timestamps"] }
+ mini-moka = "0.10.2"
+```
+
+There is no plan at the moment to either always activate the feature nor make a specific distribution for Auth0.
+
+## Authelia
+
+To obtain a `refresh_token` to be able to extend session you'll need to add the `offline_access` scope.
+
+Config will look like:
+
+- `SSO_SCOPES="email profile offline_access"`
+
+
+## Authentik
+
+Default access token lifetime might be only `5min`, set a longer value otherwise it will collide with `VaultWarden` front-end expiration detection which is also set at `5min`.
+\
+To change the tokens expiration go to `Applications / Providers / Edit / Advanced protocol settings`.
+
+Starting with `2024.2` version you will need to add the `offline_access` scope and ensure it's selected in `Applications / Providers / Edit / Advanced protocol settings / Scopes` ([Doc](https://docs.goauthentik.io/docs/providers/oauth2/#authorization_code)).
+
+Server configuration should look like:
+
+- `SSO_AUTHORITY=https://${domain}/application/o/${application_name}/` : trailing `/` is important
+- `SSO_SCOPES="email profile offline_access"`
+- `SSO_CLIENT_ID`
+- `SSO_CLIENT_SECRET`
+
+## Casdoor
+
+Since version [v1.639.0](https://github.com/casdoor/casdoor/releases/tag/v1.639.0) should work (Tested with version [v1.686.0](https://github.com/casdoor/casdoor/releases/tag/v1.686.0)).
+When creating the application you will need to select the `Token format -> JWT-Standard`.
+
+Then configure your server with:
+
+- `SSO_AUTHORITY=https://${provider_host}`
+- `SSO_CLIENT_ID`
+- `SSO_CLIENT_SECRET`
+
+## GitLab
+
+Create an application in your Gitlab Settings with
+
+- `redirectURI`: https://your.domain/identity/connect/oidc-signin
+- `Confidential`: `true`
+- `scopes`: `openid`, `profile`, `email`
+
+Then configure your server with
+
+- `SSO_AUTHORITY=https://gitlab.com`
+- `SSO_CLIENT_ID`
+- `SSO_CLIENT_SECRET`
+
+## Google Auth
+
+Google [Documentation](https://developers.google.com/identity/openid-connect/openid-connect).
+\
+By default without extra [configuration](https://developers.google.com/identity/protocols/oauth2/web-server#creatingclient) you won´t have a `refresh_token` and session will be limited to 1h.
+
+Configure your server with :
+
+- `SSO_AUTHORITY=https://accounts.google.com`
+- `SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"`
+- `SSO_CLIENT_ID`
+- `SSO_CLIENT_SECRET`
+
+## Kanidm
+
+Nothing specific should work with just `SSO_AUTHORITY`, `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET`.
+
+## Microsoft Entra ID
+
+1. Create an "App registration" in [Entra ID](https://entra.microsoft.com/) following [Identity | Applications | App registrations](https://entra.microsoft.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType//sourceType/Microsoft_AAD_IAM).
+2. From the "Overview" of your "App registration", you'll need the "Directory (tenant) ID" for the `SSO_AUTHORITY` variable and the "Application (client) ID" as the `SSO_CLIENT_ID` value.
+3. In "Certificates & Secrets" create an "App secret" , you'll need the "Secret Value" for the `SSO_CLIENT_SECRET` variable.
+4. In "Authentication" add <https://vaultwarden.example.org/identity/connect/oidc-signin> as "Web Redirect URI".
+5. In "API Permissions" make sure you have `profile`, `email` and `offline_access` listed under "API / Permission name" (`offline_access` is required, otherwise no refresh_token is returned, see <https://github.com/MicrosoftDocs/azure-docs/issues/17134>).
+
+Only the v2 endpoint is compliant with the OpenID spec, see <https://github.com/MicrosoftDocs/azure-docs/issues/38427> and <https://github.com/ramosbugs/openidconnect-rs/issues/122>.
+
+Your configuration should look like this:
+
+* `SSO_AUTHORITY=https://login.microsoftonline.com/${Directory (tenant) ID}/v2.0`
+* `SSO_SCOPES="email profile offline_access"`
+* `SSO_CLIENT_ID=${Application (client) ID}`
+* `SSO_CLIENT_SECRET=${Secret Value}`
+
+## Zitadel
+
+To obtain a `refresh_token` to be able to extend session you'll need to add the `offline_access` scope.
+
+Additionally Zitadel include the `Project id` and the `Client Id` in the audience of the Id Token.
+For the validation to work you will need to add the `Resource Id` as a trusted audience (`Client Id` is trusted by default).
+You can control the trusted audience with the config `SSO_AUDIENCE_TRUSTED`
+
+It appears it's not possible to use PKCE with confidential client so it needs to be disabled.
+
+Config will look like:
+
+- `SSO_AUTHORITY=https://${provider_host}`
+- `SSO_SCOPES="email profile offline_access"`
+- `SSO_CLIENT_ID`
+- `SSO_CLIENT_SECRET`
+- `SSO_AUDIENCE_TRUSTED='^${Project Id}$'`
+- `SSO_PKCE=false`
+
+## Session lifetime
+
+Session lifetime is dependant on refresh token and access token returned after calling your SSO token endpoint (grant type `authorization_code`).
+If no refresh token is returned then the session will be limited to the access token lifetime.
+
+Tokens are not persisted in VaultWarden but wrapped in JWT tokens and returned to the application (The `refresh_token` and `access_token` values returned by VW `identity/connect/token` endpoint).
+Note that VaultWarden will always return a `refresh_token` for compatibility reasons with the web front and it presence does not indicate that a refresh token was returned by your SSO (But you can decode its value with <https://jwt.io> and then check if the `token` field contain anything).
+
+With a refresh token present, activity in the application will trigger a refresh of the access token when it's close to expiration ([5min](https://github.com/bitwarden/clients/blob/0bcb45ed5caa990abaff735553a5046e85250f24/libs/common/src/auth/services/token.service.ts#L126) in web client).
+
+Additionally for certain action a token check is performed, if we have a refresh token we will perform a refresh otherwise we'll call the user information endpoint to check the access token validity.
+
+### Disabling SSO session handling
+
+If you are unable to obtain a `refresh_token` or for any other reason you can disable SSO session handling and revert to the default handling.
+You'll need to enable `SSO_AUTH_ONLY_NOT_SESSION=true` then access token will be valid for 2h and refresh token will allow for an idle time of 7 days (which can be indefinitely extended).
+
+### Debug information
+
+Running with `LOG_LEVEL=debug` you'll be able to see information on token expiration.
+
+## Desktop Client
+
+There is some issue to handle redirection from your browser (used for sso login) to the application.
+
+### Chrome
+
+Probably not much hope, an [issue](https://github.com/bitwarden/clients/issues/2606) is open on the subject and it appears that both Linux and Windows are not working.
+
+## Firefox
+
+On Windows you'll be presented with a prompt the first time you log to confirm which application should be launched (But there is a bug at the moment you might end-up with an empty vault after login atm).
+
+
+On Linux it's a bit more tricky.
+First you'll need to add some config in `about:config` :
+
+```conf
+network.protocol-handler.expose.bitwarden=false
+network.protocol-handler.external.bitwarden=true
+```
+
+If you have any doubt you can check `mailto` to see how it's configured.
+
+The redirection will still not work since it appears that the association to an application can only be done on a link/click. You can trigger it with a dummy page such as:
+
+```html
+data:text/html,<a href="bitwarden:///dummy">Click me to register Bitwarden</a>
+```
+
+From now on the redirection should now work.
+If you need to change the application launched you can now find it in `Settings` by using the search function and entering `application`.

migrations/mysql/2023-09-10-133000_add_sso/down.sql

@@ -0,0 +1 @@
+DROP TABLE sso_nonce;

migrations/mysql/2023-09-10-133000_add_sso/up.sql

@@ -0,0 +1,4 @@
+CREATE TABLE sso_nonce (
+  nonce               CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

migrations/mysql/2023-09-14-133000_add_users_organizations_invited_by_email/down.sql

@@ -0,0 +1 @@
+ALTER TABLE users_organizations DROP COLUMN invited_by_email;

migrations/mysql/2023-09-14-133000_add_users_organizations_invited_by_email/up.sql

@@ -0,0 +1 @@
+ALTER TABLE users_organizations ADD COLUMN invited_by_email TEXT DEFAULT NULL;

migrations/mysql/2024-02-14-170000_add_state_to_sso_nonce/down.sql

@@ -0,0 +1,6 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_nonce (
+  nonce               CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

migrations/mysql/2024-02-14-170000_add_state_to_sso_nonce/up.sql

@@ -0,0 +1,8 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_nonce (
+	state               VARCHAR(512) NOT NULL PRIMARY KEY,
+  	nonce               TEXT NOT NULL,
+  	redirect_uri 		TEXT NOT NULL,
+  	created_at          TIMESTAMP NOT NULL DEFAULT now()
+);

migrations/mysql/2024-02-26-170000_add_pkce_to_sso_nonce/down.sql

@@ -0,0 +1,8 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_nonce (
+    state               VARCHAR(512) NOT NULL PRIMARY KEY,
+    nonce               TEXT NOT NULL,
+    redirect_uri        TEXT NOT NULL,
+    created_at          TIMESTAMP NOT NULL DEFAULT now()
+);

migrations/mysql/2024-02-26-170000_add_pkce_to_sso_nonce/up.sql

@@ -0,0 +1,9 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_nonce (
+    state               VARCHAR(512) NOT NULL PRIMARY KEY,
+  	nonce               TEXT NOT NULL,
+    verifier            TEXT,
+  	redirect_uri 		TEXT NOT NULL,
+  	created_at          TIMESTAMP NOT NULL DEFAULT now()
+);

migrations/mysql/2024-03-06-170000_add_sso_users/down.sql

@@ -0,0 +1 @@
+DROP TABLE IF EXISTS sso_users;

migrations/mysql/2024-03-06-170000_add_sso_users/up.sql

@@ -0,0 +1,7 @@
+CREATE TABLE sso_users (
+  user_uuid           CHAR(36) NOT NULL PRIMARY KEY,
+  identifier          VARCHAR(768) NOT NULL UNIQUE,
+  created_at          TIMESTAMP NOT NULL DEFAULT now(),
+
+  FOREIGN KEY(user_uuid) REFERENCES users(uuid)
+);

migrations/mysql/2024-03-13-170000_sso_users_cascade/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE sso_users DROP FOREIGN KEY `sso_users_ibfk_1`;
+ALTER TABLE sso_users ADD FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE;

migrations/postgresql/2023-09-10-133000_add_sso/down.sql

@@ -0,0 +1 @@
+DROP TABLE sso_nonce;

migrations/postgresql/2023-09-10-133000_add_sso/up.sql

@@ -0,0 +1,4 @@
+CREATE TABLE sso_nonce (
+  nonce               CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          TIMESTAMP NOT NULL DEFAULT now()
+);

migrations/postgresql/2023-09-14-133000_add_users_organizations_invited_by_email/down.sql

@@ -0,0 +1 @@
+ALTER TABLE users_organizations DROP COLUMN invited_by_email;

migrations/postgresql/2023-09-14-133000_add_users_organizations_invited_by_email/up.sql

@@ -0,0 +1 @@
+ALTER TABLE users_organizations ADD COLUMN invited_by_email TEXT DEFAULT NULL;

migrations/postgresql/2024-02-14-170000_add_state_to_sso_nonce/down.sql

@@ -0,0 +1,6 @@
+DROP TABLE sso_nonce;
+
+CREATE TABLE sso_nonce (
+  nonce               CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          TIMESTAMP NOT NULL DEFAULT now()
+);

migrations/postgresql/2024-02-14-170000_add_state_to_sso_nonce/up.sql

@@ -0,0 +1,8 @@
+DROP TABLE sso_nonce;
+
+CREATE TABLE sso_nonce (
+	state               TEXT NOT NULL PRIMARY KEY,
+  	nonce               TEXT NOT NULL,
+  	redirect_uri 		TEXT NOT NULL,
+  	created_at          TIMESTAMP NOT NULL DEFAULT now()
+);

migrations/postgresql/2024-02-26-170000_add_pkce_to_sso_nonce/down.sql

@@ -0,0 +1,8 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_nonce (
+    state               TEXT NOT NULL PRIMARY KEY,
+    nonce               TEXT NOT NULL,
+    redirect_uri        TEXT NOT NULL,
+    created_at          TIMESTAMP NOT NULL DEFAULT now()
+);

migrations/postgresql/2024-02-26-170000_add_pkce_to_sso_nonce/up.sql

@@ -0,0 +1,9 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_nonce (
+    state               TEXT NOT NULL PRIMARY KEY,
+    nonce               TEXT NOT NULL,
+    verifier            TEXT,
+    redirect_uri        TEXT NOT NULL,
+    created_at          TIMESTAMP NOT NULL DEFAULT now()
+);

migrations/postgresql/2024-03-06-170000_add_sso_users/down.sql

@@ -0,0 +1 @@
+DROP TABLE IF EXISTS sso_users;

migrations/postgresql/2024-03-06-170000_add_sso_users/up.sql

@@ -0,0 +1,7 @@
+CREATE TABLE sso_users (
+  user_uuid           CHAR(36) NOT NULL PRIMARY KEY,
+  identifier          TEXT NOT NULL UNIQUE,
+  created_at          TIMESTAMP NOT NULL DEFAULT now(),
+
+  FOREIGN KEY(user_uuid) REFERENCES users(uuid)
+);

migrations/postgresql/2024-03-13-170000_sso_users_cascade/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE sso_users
+  DROP CONSTRAINT "sso_users_user_uuid_fkey",
+  ADD CONSTRAINT "sso_users_user_uuid_fkey" FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE;

migrations/sqlite/2023-09-10-133000_add_sso/down.sql

@@ -0,0 +1 @@
+DROP TABLE sso_nonce;

migrations/sqlite/2023-09-10-133000_add_sso/up.sql

@@ -0,0 +1,4 @@
+CREATE TABLE sso_nonce (
+  nonce               CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

migrations/sqlite/2023-09-14-133000_add_users_organizations_invited_by_email/down.sql

@@ -0,0 +1 @@
+ALTER TABLE users_organizations DROP COLUMN invited_by_email;

migrations/sqlite/2023-09-14-133000_add_users_organizations_invited_by_email/up.sql

@@ -0,0 +1 @@
+ALTER TABLE users_organizations ADD COLUMN invited_by_email TEXT DEFAULT NULL;

migrations/sqlite/2024-02-14-170000_add_state_to_sso_nonce/down.sql

@@ -0,0 +1,6 @@
+DROP TABLE sso_nonce;
+
+CREATE TABLE sso_nonce (
+  nonce               CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

migrations/sqlite/2024-02-14-170000_add_state_to_sso_nonce/up.sql

@@ -0,0 +1,8 @@
+DROP TABLE sso_nonce;
+
+CREATE TABLE sso_nonce (
+  state               TEXT NOT NULL PRIMARY KEY,
+  nonce               TEXT NOT NULL,
+  redirect_uri        TEXT NOT NULL,
+  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

migrations/sqlite/2024-02-26-170000_add_pkce_to_sso_nonce/down.sql

@@ -0,0 +1,8 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_nonce (
+  state               TEXT NOT NULL PRIMARY KEY,
+  nonce               TEXT NOT NULL,
+  redirect_uri        TEXT NOT NULL,
+  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

migrations/sqlite/2024-02-26-170000_add_pkce_to_sso_nonce/up.sql

@@ -0,0 +1,9 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_nonce (
+  state               TEXT NOT NULL PRIMARY KEY,
+  nonce               TEXT NOT NULL,
+  verifier            TEXT,
+  redirect_uri        TEXT NOT NULL,
+  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

migrations/sqlite/2024-03-06-170000_add_sso_users/down.sql

@@ -0,0 +1 @@
+DROP TABLE IF EXISTS sso_users;

migrations/sqlite/2024-03-06-170000_add_sso_users/up.sql

@@ -0,0 +1,7 @@
+CREATE TABLE sso_users (
+  user_uuid           CHAR(36) NOT NULL PRIMARY KEY,
+  identifier          TEXT NOT NULL UNIQUE,
+  created_at          TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+  FOREIGN KEY(user_uuid) REFERENCES users(uuid)
+);

migrations/sqlite/2024-03-13_170000_sso_userscascade/up.sql

@@ -0,0 +1,9 @@
+DROP TABLE IF EXISTS sso_users;
+
+CREATE TABLE sso_users (
+  user_uuid           CHAR(36) NOT NULL PRIMARY KEY,
+  identifier          TEXT NOT NULL UNIQUE,
+  created_at          TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+  FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE
+);

playwright/.env.template

@@ -0,0 +1,63 @@
+#################################
+### Conf to run dev instances ###
+#################################
+ENV=dev
+DC_ENV_FILE=.env
+COMPOSE_IGNORE_ORPHANS=True
+DOCKER_BUILDKIT=1
+
+################
+# Users Config #
+################
+TEST_USER=test
+TEST_USER_PASSWORD=${TEST_USER}
+TEST_USER_MAIL=${TEST_USER}@yopmail.com
+
+TEST_USER2=test2
+TEST_USER2_PASSWORD=${TEST_USER2}
+TEST_USER2_MAIL=${TEST_USER2}@yopmail.com
+
+TEST_USER3=test3
+TEST_USER3_PASSWORD=${TEST_USER3}
+TEST_USER3_MAIL=${TEST_USER3}@yopmail.com
+
+###################
+# Keycloak Config #
+###################
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN}
+KC_HTTP_HOST=127.0.0.1
+KC_HTTP_PORT=8080
+
+# Script parameters (use Keycloak and VaultWarden config too)
+TEST_REALM=test
+DUMMY_REALM=dummy
+DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
+
+######################
+# Vaultwarden Config #
+######################
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT=8000
+DOMAIN=http://127.0.0.1:${ROCKET_PORT}
+I_REALLY_WANT_VOLATILE_STORAGE=true
+
+SSO_ENABLED=true
+SSO_ONLY=false
+SSO_CLIENT_ID=VaultWarden
+SSO_CLIENT_SECRET=VaultWarden
+SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM}
+
+SMTP_HOST=127.0.0.1
+SMTP_PORT=1025
+SMTP_SECURITY=off
+SMTP_TIMEOUT=5
+SMTP_FROM=vaultwarden@test
+SMTP_FROM_NAME=Vaultwarden
+
+########################################################
+# DUMMY values for docker-compose to stop bothering us #
+########################################################
+MARIADB_PORT=3305
+MYSQL_PORT=3307
+POSTGRES_PORT=5432

playwright/.gitignore

@@ -0,0 +1,6 @@
+logs
+node_modules/
+/test-results/
+/playwright-report/
+/playwright/.cache/
+temp

playwright/README.md

@@ -0,0 +1,177 @@
+# Integration tests
+
+This allows running integration tests using [Playwright](https://playwright.dev/).
+\
+It usse its own [test.env](/test/scenarios/test.env) with different ports to not collide with a running dev instance.
+
+## Install
+
+This rely on `docker` and the `compose` [plugin](https://docs.docker.com/compose/install/).
+Databases (`Mariadb`, `Mysql` and `Postgres`) and `Playwright` will run in containers.
+
+### Running Playwright outside docker
+
+It's possible to run `Playwright` outside of the container, this remove the need to rebuild the image for each change.
+You'll additionally need `nodejs` then run:
+
+```bash
+npm install
+npx playwright install-deps
+npx playwright install firefox
+```
+
+## Usage
+
+To run all the tests:
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright
+```
+
+To force a rebuild of the Playwright image:
+```bash
+DOCKER_BUILDKIT=1 docker compose --env-file test.env build Playwright
+```
+
+To access the ui to easily run test individually and debug if needed (will not work in docker):
+
+```bash
+npx playwright test --ui
+```
+
+### DB
+
+Projects are configured to allow to run tests only on specific database.
+\
+You can use:
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=mariadb
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=mysql
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=postgres
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite
+```
+
+### SSO
+
+To run the SSO tests:
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project sso-sqlite
+```
+
+### Keep services running
+
+If you want you can keep the Db and Keycloak runnning (states are not impacted by the tests):
+
+```bash
+PW_KEEP_SERVICE_RUNNNING=true npx playwright test
+```
+
+### Running specific tests
+
+To run a whole file you can :
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite tests/login.spec.ts
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite login
+```
+
+To run only a specifc test (It might fail if it has dependency):
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite -g "Account creation"
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite tests/login.spec.ts:16
+```
+
+## Writing scenario
+
+When creating new scenario use the recorder to more easily identify elements (in general try to rely on visible hint to identify elements and not hidden ids).
+This does not start the server, you will need to start it manually.
+
+```bash
+npx playwright codegen "http://127.0.0.1:8000"
+```
+
+## Override web-vault
+
+It's possible to change the `web-vault` used by referencing a different `bw_web_builds` commit.
+
+```bash
+export PW_WV_REPO_URL=https://github.com/Timshel/oidc_web_builds.git
+export PW_WV_COMMIT_HASH=8707dc76df3f0cceef2be5bfae37bb29bd17fae6
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env build Playwright
+```
+
+# OpenID Connect test setup
+
+Additionnaly this `docker-compose` template allow to run locally `VaultWarden`, [Keycloak](https://www.keycloak.org/) and [Maildev](https://github.com/timshel/maildev) to test OIDC.
+
+## Setup
+
+This rely on `docker` and the `compose` [plugin](https://docs.docker.com/compose/install/).
+First create a copy of `.env.template` as `.env` (This is done to prevent commiting your custom settings, Ex `SMTP_`).
+
+## Usage
+
+Then start the stack (the `profile` is required to run `Vaultwarden`) :
+
+```bash
+> docker compose --profile vaultwarden --env-file .env up
+....
+keycloakSetup_1  | Logging into http://127.0.0.1:8080 as user admin of realm master
+keycloakSetup_1  | Created new realm with id 'test'
+keycloakSetup_1  | 74af4933-e386-4e64-ba15-a7b61212c45e
+oidc_keycloakSetup_1 exited with code 0
+```
+
+Wait until `oidc_keycloakSetup_1 exited with code 0` which indicate the correct setup of the Keycloak realm, client and user (It's normal for this container to stop once the configuration is done).
+
+Then you can access :
+
+- `VaultWarden` on http://0.0.0.0:8000 with the default user `test@yopmail.com/test`.
+- `Keycloak` on http://0.0.0.0:8080/admin/master/console/ with the default user `admin/admin`
+- `Maildev` on http://0.0.0.0:1080
+
+To proceed with an SSO login after you enter the email, on the screen prompting for `Master Password` the SSO button should be visible.
+To use your computer external ip (for example when testing with a phone) you will have to configure `KC_HTTP_HOST` and `DOMAIN`.
+
+## Running only Keycloak
+
+You can run just `Keycloak` with `--profile keycloak`:
+
+```bash
+> docker compose --profile keycloak --env-file .env up
+```
+
+When running with a local VaultWarden and the default `web-vault` you'll need to make the SSO button visible using :
+
+```bash
+sed -i 's#a\[routerlink="/sso"\],##' web-vault/app/main.*.css
+```
+
+Otherwise you'll need to reveal the SSO login button using the debug console (F12)
+
+ ```js
+ document.querySelector('a[routerlink="/sso"]').style.setProperty("display", "inline-block", "important");
+ ```
+
+## Rebuilding the Vaultwarden
+
+To force rebuilding the Vaultwarden image you can run
+
+```bash
+docker compose --profile vaultwarden --env-file .env build VaultwardenPrebuild Vaultwarden
+```
+
+## Configuration
+
+All configuration for `keycloak` / `VaultWarden` / `keycloak_setup.sh` can be found in [.env](.env.template).
+The content of the file will be loaded as environment variables in all containers.
+
+- `keycloak` [configuration](https://www.keycloak.org/server/all-config) include `KEYCLOAK_ADMIN` / `KEYCLOAK_ADMIN_PASSWORD` and any variable prefixed `KC_` ([more information](https://www.keycloak.org/server/configuration#_example_configuring_the_db_url_host_parameter)).
+- All `VaultWarden` configuration can be set (EX: `SMTP_*`)
+
+## Cleanup
+
+Use `docker compose --profile vaultWarden down`.

playwright/compose/keycloak/Dockerfile

@@ -0,0 +1,40 @@
+FROM docker.io/library/debian:bookworm-slim as build
+
+ENV DEBIAN_FRONTEND=noninteractive
+ARG KEYCLOAK_VERSION
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update \
+    && apt-get install -y ca-certificates curl wget \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
+
+RUN wget -c https://github.com/keycloak/keycloak/releases/download/${KEYCLOAK_VERSION}/keycloak-${KEYCLOAK_VERSION}.tar.gz -O - | tar -xz
+
+FROM docker.io/library/debian:bookworm-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+ARG KEYCLOAK_VERSION
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update \
+    && apt-get install -y ca-certificates curl wget \
+    && rm -rf /var/lib/apt/lists/*
+
+ARG JAVA_URL
+ARG JAVA_VERSION
+
+ENV JAVA_VERSION=${JAVA_VERSION}
+
+RUN mkdir -p /opt/openjdk && cd /opt/openjdk \
+    && wget -c "${JAVA_URL}"  -O - | tar -xz
+
+WORKDIR /
+
+COPY setup.sh /setup.sh
+COPY --from=build /keycloak-${KEYCLOAK_VERSION}/bin /opt/keycloak/bin
+
+CMD "/setup.sh"

playwright/compose/keycloak/setup.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+export PATH=/opt/keycloak/bin:/opt/openjdk/jdk-${JAVA_VERSION}/bin:$PATH
+export JAVA_HOME=/opt/openjdk/jdk-${JAVA_VERSION}
+
+STATUS_CODE=0
+while [[ "$STATUS_CODE" != "404" ]] ; do
+    echo "Will retry in 2 seconds"
+    sleep 2
+
+    STATUS_CODE=$(curl -s -o /dev/null -w "%{http_code}"  "$DUMMY_AUTHORITY")
+
+    if [[ "$STATUS_CODE" = "200" ]]; then
+        echo "Setup should already be done. Will not run."
+        exit 0
+    fi
+done
+
+set -e
+
+kcadm.sh config credentials --server "http://${KC_HTTP_HOST}:${KC_HTTP_PORT}" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
+
+kcadm.sh create realms -s realm="$TEST_REALM" -s enabled=true -s "accessTokenLifespan=600"
+kcadm.sh create clients -r test -s "clientId=$SSO_CLIENT_ID" -s "secret=$SSO_CLIENT_SECRET" -s "redirectUris=[\"$DOMAIN/*\"]" -i
+
+TEST_USER_ID=$(kcadm.sh create users -r "$TEST_REALM" -s "username=$TEST_USER" -s "firstName=$TEST_USER" -s "lastName=$TEST_USER" -s "email=$TEST_USER_MAIL"  -s emailVerified=true -s enabled=true -i)
+kcadm.sh update users/$TEST_USER_ID/reset-password -r "$TEST_REALM" -s type=password -s "value=$TEST_USER_PASSWORD" -n
+
+TEST_USER2_ID=$(kcadm.sh create users -r "$TEST_REALM" -s "username=$TEST_USER2" -s "firstName=$TEST_USER2" -s "lastName=$TEST_USER2" -s "email=$TEST_USER2_MAIL"  -s emailVerified=true -s enabled=true -i)
+kcadm.sh update users/$TEST_USER2_ID/reset-password -r "$TEST_REALM" -s type=password -s "value=$TEST_USER2_PASSWORD" -n
+
+TEST_USER3_ID=$(kcadm.sh create users -r "$TEST_REALM" -s "username=$TEST_USER3" -s "firstName=$TEST_USER3" -s "lastName=$TEST_USER3" -s "email=$TEST_USER3_MAIL"  -s emailVerified=true -s enabled=true -i)
+kcadm.sh update users/$TEST_USER3_ID/reset-password -r "$TEST_REALM" -s type=password -s "value=$TEST_USER3_PASSWORD" -n
+
+# Dummy realm to mark end of setup
+kcadm.sh create realms -s realm="$DUMMY_REALM" -s enabled=true -s "accessTokenLifespan=600"

playwright/compose/playwright/Dockerfile

@@ -0,0 +1,40 @@
+FROM docker.io/library/debian:bookworm-slim
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update \
+    && apt-get install -y ca-certificates curl \
+    && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
+    && chmod a+r /etc/apt/keyrings/docker.asc \
+    && echo "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable" | tee /etc/apt/sources.list.d/docker.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+        containerd.io \
+        docker-buildx-plugin \
+        docker-ce \
+        docker-ce-cli \
+        docker-compose-plugin \
+        git \
+        libmariadb-dev-compat \
+        libpq5 \
+        nodejs \
+        npm \
+        openssl \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /playwright
+WORKDIR /playwright
+
+COPY package.json .
+RUN npm install && npx playwright install-deps && npx playwright install firefox
+
+COPY docker-compose.yml test.env ./
+COPY compose ./compose
+
+COPY *.ts test.env ./
+COPY tests ./tests
+
+ENTRYPOINT ["/usr/bin/npx", "playwright"]
+CMD ["test"]

playwright/compose/vaultwarden/Dockerfile

@@ -0,0 +1,39 @@
+FROM playwright_oidc_vaultwarden_prebuilt AS vaultwarden
+
+FROM node:18-bookworm AS build
+
+arg REPO_URL
+arg COMMIT_HASH
+
+ENV REPO_URL=$REPO_URL
+ENV COMMIT_HASH=$COMMIT_HASH
+
+COPY --from=vaultwarden /web-vault /web-vault
+COPY build.sh /build.sh
+RUN /build.sh
+
+######################## RUNTIME IMAGE  ########################
+FROM docker.io/library/debian:bookworm-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Create data folder and Install needed libraries
+RUN mkdir /data && \
+    apt-get update && apt-get install -y \
+        --no-install-recommends \
+        ca-certificates \
+        curl \
+        libmariadb-dev-compat \
+        libpq5 \
+        openssl && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+
+COPY --from=vaultwarden /start.sh .
+COPY --from=vaultwarden /vaultwarden .
+COPY --from=build /web-vault ./web-vault
+
+ENTRYPOINT ["/start.sh"]

playwright/compose/vaultwarden/build.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+echo $REPO_URL
+echo $COMMIT_HASH
+
+if [[ ! -z "$REPO_URL" ]] && [[ ! -z "$COMMIT_HASH" ]] ; then
+    rm -rf /web-vault
+
+    mkdir bw_web_builds;
+    cd bw_web_builds;
+
+    git -c init.defaultBranch=main init
+    git remote add origin "$REPO_URL"
+    git fetch --depth 1 origin "$COMMIT_HASH"
+    git -c advice.detachedHead=false checkout FETCH_HEAD
+
+    export VAULT_VERSION=$(cat Dockerfile | grep "ARG VAULT_VERSION" | cut -d "=" -f2)
+    ./scripts/checkout_web_vault.sh
+    ./scripts/patch_web_vault.sh
+    ./scripts/build_web_vault.sh
+    printf '{"version":"%s"}' "$COMMIT_HASH" > ./web-vault/apps/web/build/vw-version.json
+
+    mv ./web-vault/apps/web/build /web-vault
+fi

playwright/docker-compose.yml

@@ -0,0 +1,121 @@
+services:
+  VaultwardenPrebuild:
+    profiles: ["playwright", "vaultwarden"]
+    container_name: playwright_oidc_vaultwarden_prebuilt
+    image: playwright_oidc_vaultwarden_prebuilt
+    build:
+      context: ..
+      dockerfile: Dockerfile
+    entrypoint: /bin/bash
+    restart: "no"
+
+  Vaultwarden:
+    profiles: ["playwright", "vaultwarden"]
+    container_name: playwright_oidc_vaultwarden-${ENV:-dev}
+    image: playwright_oidc_vaultwarden-${ENV:-dev}
+    network_mode: "host"
+    build:
+      context: compose/vaultwarden
+      dockerfile: Dockerfile
+      args:
+        REPO_URL: ${PW_WV_REPO_URL:-}
+        COMMIT_HASH: ${PW_WV_COMMIT_HASH:-}
+    env_file: ${DC_ENV_FILE:-.env}
+    environment:
+      - DATABASE_URL
+      - I_REALLY_WANT_VOLATILE_STORAGE
+      - SMTP_HOST
+      - SMTP_FROM
+      - SMTP_DEBUG
+      - SSO_FRONTEND
+      - SSO_ENABLED
+      - SSO_ONLY
+    restart: "no"
+    depends_on:
+      - VaultwardenPrebuild
+
+  Playwright:
+    profiles: ["playwright"]
+    container_name: playwright_oidc_playwright
+    image: playwright_oidc_playwright
+    network_mode: "host"
+    build:
+      context: .
+      dockerfile: compose/playwright/Dockerfile
+    environment:
+      - PW_WV_REPO_URL
+      - PW_WV_COMMIT_HASH
+    restart: "no"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ..:/project
+
+  Mariadb:
+    profiles: ["playwright"]
+    container_name: playwright_mariadb
+    image: mariadb:11.2.4
+    env_file: test.env
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      start_period: 10s
+      interval: 10s
+    ports:
+      - ${MARIADB_PORT}:3306
+
+  Mysql:
+    profiles: ["playwright"]
+    container_name: playwright_mysql
+    image: mysql:8.4.1
+    env_file: test.env
+    healthcheck:
+      test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
+      start_period: 10s
+      interval: 10s
+    ports:
+      - ${MYSQL_PORT}:3306
+
+  Postgres:
+    profiles: ["playwright"]
+    container_name: playwright_postgres
+    image: postgres:16.3
+    env_file: test.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+    ports:
+      - ${POSTGRES_PORT}:5432
+
+  Maildev:
+    profiles: ["vaultwarden", "maildev"]
+    container_name: maildev
+    image: timshel/maildev:3.0.4
+    ports:
+      - ${SMTP_PORT}:1025
+      - 1080:1080
+
+  Keycloak:
+    profiles: ["keycloak", "vaultwarden"]
+    container_name: keycloak-${ENV:-dev}
+    image: quay.io/keycloak/keycloak:25.0.4
+    network_mode: "host"
+    command:
+      - start-dev
+    env_file: ${DC_ENV_FILE:-.env}
+
+  KeycloakSetup:
+    profiles: ["keycloak", "vaultwarden"]
+    container_name: keycloakSetup-${ENV:-dev}
+    image: keycloak_setup-${ENV:-dev}
+    build:
+      context: compose/keycloak
+      dockerfile: Dockerfile
+      args:
+        KEYCLOAK_VERSION: 25.0.4
+        JAVA_URL: https://download.java.net/java/GA/jdk21.0.2/f2283984656d49d69e91c558476027ac/13/GPL/openjdk-21.0.2_linux-x64_bin.tar.gz
+        JAVA_VERSION: 21.0.2
+    network_mode: "host"
+    depends_on:
+      - Keycloak
+    restart: "no"
+    env_file: ${DC_ENV_FILE:-.env}

playwright/global-setup.ts

@@ -0,0 +1,22 @@
+import { firefox, type FullConfig } from '@playwright/test';
+import { execSync } from 'node:child_process';
+import fs from 'fs';
+
+const utils = require('./global-utils');
+
+utils.loadEnv();
+
+async function globalSetup(config: FullConfig) {
+    // Are we running in docker and the project is mounted ?
+    const path = (fs.existsSync("/project/playwright/playwright.config.ts") ? "/project/playwright" : ".");
+    execSync(`docker compose --project-directory ${path} --profile playwright --env-file test.env build VaultwardenPrebuild`, {
+        env: { ...process.env },
+        stdio: "inherit"
+    });
+    execSync(`docker compose --project-directory ${path} --profile playwright --env-file test.env build Vaultwarden`, {
+        env: { ...process.env },
+        stdio: "inherit"
+    });
+}
+
+export default globalSetup;

playwright/global-utils.ts

@@ -0,0 +1,212 @@
+import { expect, type Browser, type TestInfo } from '@playwright/test';
+import { EventEmitter } from "events";
+import { type Mail, MailServer } from 'maildev';
+import { execSync } from 'node:child_process';
+
+import dotenv from 'dotenv';
+import dotenvExpand from 'dotenv-expand';
+
+const fs = require("fs");
+const { spawn } = require('node:child_process');
+
+export function loadEnv(){
+    var myEnv = dotenv.config({ path: 'test.env' });
+    dotenvExpand.expand(myEnv);
+
+    return {
+        user1: {
+            email: process.env.TEST_USER_MAIL,
+            name: process.env.TEST_USER,
+            password: process.env.TEST_USER_PASSWORD,
+        },
+        user2: {
+            email: process.env.TEST_USER2_MAIL,
+            name: process.env.TEST_USER2,
+            password: process.env.TEST_USER2_PASSWORD,
+        },
+        user3: {
+            email: process.env.TEST_USER3_MAIL,
+            name: process.env.TEST_USER3,
+            password: process.env.TEST_USER3_PASSWORD,
+        },
+    }
+}
+
+export async function waitFor(url: String, browser: Browser) {
+    var ready = false;
+    var context;
+
+    do {
+        try {
+            context = await browser.newContext();
+            const page = await context.newPage();
+            await page.waitForTimeout(500);
+            const result = await page.goto(url);
+            ready = result.status() === 200;
+        } catch(e) {
+            if( !e.message.includes("CONNECTION_REFUSED") ){
+                throw e;
+            }
+        } finally {
+            await context.close();
+        }
+    } while(!ready);
+}
+
+export function startComposeService(serviceName: String){
+    console.log(`Starting ${serviceName}`);
+    execSync(`docker compose --profile playwright --env-file test.env  up -d ${serviceName}`);
+}
+
+export function stopComposeService(serviceName: String){
+    console.log(`Stopping ${serviceName}`);
+    execSync(`docker compose --profile playwright --env-file test.env  stop ${serviceName}`);
+}
+
+function wipeSqlite(){
+    console.log(`Delete Vaultwarden container to wipe sqlite`);
+    execSync(`docker compose --env-file test.env stop Vaultwarden`);
+    execSync(`docker compose --env-file test.env rm -f Vaultwarden`);
+}
+
+async function wipeMariaDB(){
+    var mysql = require('mysql2/promise');
+    var ready = false;
+    var connection;
+
+    do {
+        try {
+            connection = await mysql.createConnection({
+                user: process.env.MARIADB_USER,
+                host: "127.0.0.1",
+                database: process.env.MARIADB_DATABASE,
+                password: process.env.MARIADB_PASSWORD,
+                port: process.env.MARIADB_PORT,
+            });
+
+            await connection.execute(`DROP DATABASE ${process.env.MARIADB_DATABASE}`);
+            await connection.execute(`CREATE DATABASE ${process.env.MARIADB_DATABASE}`);
+            console.log('Successfully wiped mariadb');
+            ready = true;
+        } catch (err) {
+            console.log(`Error when wiping mariadb: ${err}`);
+        } finally {
+            if( connection ){
+                connection.end();
+            }
+        }
+        await new Promise(r => setTimeout(r, 1000));
+    } while(!ready);
+}
+
+async function wipeMysqlDB(){
+    var mysql = require('mysql2/promise');
+    var ready = false;
+    var connection;
+
+    do{
+        try {
+            connection = await mysql.createConnection({
+                user: process.env.MYSQL_USER,
+                host: "127.0.0.1",
+                database: process.env.MYSQL_DATABASE,
+                password: process.env.MYSQL_PASSWORD,
+                port: process.env.MYSQL_PORT,
+            });
+
+            await connection.execute(`DROP DATABASE ${process.env.MYSQL_DATABASE}`);
+            await connection.execute(`CREATE DATABASE ${process.env.MYSQL_DATABASE}`);
+            console.log('Successfully wiped mysql');
+            ready = true;
+        } catch (err) {
+            console.log(`Error when wiping mysql: ${err}`);
+        } finally {
+            if( connection ){
+                connection.end();
+            }
+        }
+        await new Promise(r => setTimeout(r, 1000));
+    } while(!ready);
+}
+
+async function wipePostgres(){
+    const { Client } = require('pg');
+
+    const client = new Client({
+        user: process.env.POSTGRES_USER,
+        host: "127.0.0.1",
+        database: "postgres",
+        password: process.env.POSTGRES_PASSWORD,
+        port: process.env.POSTGRES_PORT,
+    });
+
+    try {
+        await client.connect();
+        await client.query(`DROP DATABASE ${process.env.POSTGRES_DB}`);
+        await client.query(`CREATE DATABASE ${process.env.POSTGRES_DB}`);
+        console.log('Successfully wiped postgres');
+    } catch (err) {
+        console.log(`Error when wiping postgres: ${err}`);
+    } finally {
+        client.end();
+    }
+}
+
+function dbConfig(testInfo: TestInfo){
+    switch(testInfo.project.name) {
+        case "postgres": return {
+            DATABASE_URL: `postgresql://${process.env.POSTGRES_USER}:${process.env.POSTGRES_PASSWORD}@127.0.0.1:${process.env.POSTGRES_PORT}/${process.env.POSTGRES_DB}`
+        }
+        case "mariadb": return {
+            DATABASE_URL: `mysql://${process.env.MARIADB_USER}:${process.env.MARIADB_PASSWORD}@127.0.0.1:${process.env.MARIADB_PORT}/${process.env.MARIADB_DATABASE}`
+        }
+        case "mysql": return {
+            DATABASE_URL: `mysql://${process.env.MYSQL_USER}:${process.env.MYSQL_PASSWORD}@127.0.0.1:${process.env.MYSQL_PORT}/${process.env.MYSQL_DATABASE}`
+        }
+        default: return { I_REALLY_WANT_VOLATILE_STORAGE: true }
+    }
+}
+
+/**
+ *  All parameters passed in `env` need to be added to the docker-compose.yml
+ **/
+export async function startVaultwarden(browser: Browser, testInfo: TestInfo, env = {}, resetDB: Boolean = true) {
+    if( resetDB ){
+        switch(testInfo.project.name) {
+            case "postgres":
+                await wipePostgres();
+                break;
+            case "mariadb":
+                await wipeMariaDB();
+                break;
+            case "mysql":
+                await wipeMysqlDB();
+                break;
+            default:
+                wipeSqlite();
+        }
+    }
+
+    console.log(`Starting Vaultwarden`);
+    execSync(`docker compose --profile playwright --env-file test.env up -d Vaultwarden`, {
+        env: { ...env, ...dbConfig(testInfo) },
+    });
+    await waitFor("/", browser);
+    console.log(`Vaultwarden running on: ${process.env.DOMAIN}`);
+}
+
+export async function stopVaultwarden() {
+    console.log(`Vaultwarden stopping`);
+    execSync(`docker compose --profile playwright --env-file test.env stop Vaultwarden`);
+}
+
+export async function restartVaultwarden(page: Page, testInfo: TestInfo, env, resetDB: Boolean = true) {
+    stopVaultwarden();
+    return startVaultwarden(page.context().browser(), testInfo, env, resetDB);
+}
+
+export async function checkNotification(page: Page, hasText: string) {
+    await expect(page.locator('bit-toast').filter({ hasText })).toBeVisible();
+    await page.locator('bit-toast').filter({ hasText }).getByRole('button').click();
+    await expect(page.locator('bit-toast').filter({ hasText })).toHaveCount(0);
+}

playwright/package.json

@@ -0,0 +1,21 @@
+{
+    "name": "scenarios",
+    "version": "1.0.0",
+    "description": "",
+    "main": "index.js",
+    "scripts": {},
+    "keywords": [],
+    "author": "",
+    "license": "ISC",
+    "devDependencies": {
+        "@playwright/test": "^1.49.1",
+        "dotenv": "^16.4.7",
+        "dotenv-expand": "^11.0.7",
+        "maildev": "github:timshel/maildev#3.0.4"
+    },
+    "dependencies": {
+        "mysql2": "^3.12.0",
+        "otpauth": "^9.3.6",
+        "pg": "^8.13.1"
+    }
+}

playwright/playwright.config.ts

@@ -0,0 +1,137 @@
+import { defineConfig, devices } from '@playwright/test';
+import { exec } from 'node:child_process';
+
+const utils = require('./global-utils');
+
+utils.loadEnv();
+
+/**
+ * See https://playwright.dev/docs/test-configuration.
+ */
+export default defineConfig({
+    testDir: './.',
+    /* Run tests in files in parallel */
+    fullyParallel: false,
+
+    /* Fail the build on CI if you accidentally left test.only in the source code. */
+    forbidOnly: !!process.env.CI,
+
+    /* Retry on CI only */
+    retries: 0,
+    workers: 1,
+
+    /* Reporter to use. See https://playwright.dev/docs/test-reporters */
+    reporter: 'html',
+    timeout: 20 * 1000,
+    expect: { timeout: 10 * 1000 },
+
+    /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
+    use: {
+        /* Base URL to use in actions like `await page.goto('/')`. */
+        baseURL: process.env.DOMAIN,
+        browserName: 'firefox',
+        locale: 'en-GB',
+        timezoneId: 'Europe/London',
+        /* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
+        trace: 'on-first-retry',
+        viewport: {
+            width: 1920,
+            height: 1080
+        },
+        video: "on",
+    },
+
+    /* Configure projects for major browsers */
+    projects: [
+        {
+            name: 'mariadb-setup',
+            testMatch: 'tests/setups/db-setup.ts',
+            use: { serviceName: "Mariadb" },
+            teardown: 'mariadb-teardown',
+        },
+        {
+            name: 'mysql-setup',
+            testMatch: 'tests/setups/db-setup.ts',
+            use: { serviceName: "Mysql" },
+            teardown: 'mysql-teardown',
+        },
+        {
+            name: 'postgres-setup',
+            testMatch: 'tests/setups/db-setup.ts',
+            use: { serviceName: "Postgres" },
+            teardown: 'postgres-teardown',
+        },
+        {
+            name: 'sso-setup',
+            testMatch: 'tests/setups/sso-setup.ts',
+            teardown: 'sso-teardown',
+        },
+
+        {
+            name: 'mariadb',
+            testMatch: 'tests/*.spec.ts',
+            testIgnore: 'tests/sso_*.spec.ts',
+            dependencies: ['mariadb-setup'],
+        },
+        {
+            name: 'mysql',
+            testMatch: 'tests/*.spec.ts',
+            testIgnore: 'tests/sso_*.spec.ts',
+            dependencies: ['mysql-setup'],
+        },
+        {
+            name: 'postgres',
+            testMatch: 'tests/*.spec.ts',
+            testIgnore: 'tests/sso_*.spec.ts',
+            dependencies: ['postgres-setup'],
+        },
+        {
+            name: 'sqlite',
+            testMatch: 'tests/*.spec.ts',
+            testIgnore: 'tests/sso_*.spec.ts',
+        },
+
+        {
+            name: 'sso-mariadb',
+            testMatch: 'tests/sso_*.spec.ts',
+            dependencies: ['sso-setup', 'mariadb-setup'],
+        },
+        {
+            name: 'sso-mysql',
+            testMatch: 'tests/sso_*.spec.ts',
+            dependencies: ['sso-setup', 'mysql-setup'],
+        },
+        {
+            name: 'sso-postgres',
+            testMatch: 'tests/sso_*.spec.ts',
+            dependencies: ['sso-setup', 'postgres-setup'],
+        },
+        {
+            name: 'sso-sqlite',
+            testMatch: 'tests/sso_*.spec.ts',
+            dependencies: ['sso-setup'],
+        },
+
+        {
+            name: 'mariadb-teardown',
+            testMatch: 'tests/setups/db-teardown.ts',
+            use: { serviceName: "Mariadb" },
+        },
+        {
+            name: 'mysql-teardown',
+            testMatch: 'tests/setups/db-teardown.ts',
+            use: { serviceName: "Mysql" },
+        },
+        {
+            name: 'postgres-teardown',
+            testMatch: 'tests/setups/db-teardown.ts',
+            use: { serviceName: "Postgres" },
+        },
+        {
+            name: 'sso-teardown',
+            testMatch: 'tests/setups/sso-teardown.ts',
+        },
+    ],
+
+    globalSetup: require.resolve('./global-setup'),
+});

playwright/test.env

@@ -0,0 +1,89 @@
+##################################################################
+### Shared Playwright conf test file Vaultwarden and Databases ###
+##################################################################
+
+ENV=test
+DC_ENV_FILE=test.env
+COMPOSE_IGNORE_ORPHANS=True
+DOCKER_BUILDKIT=1
+
+#####################
+# Playwright Config #
+#####################
+PW_KEEP_SERVICE_RUNNNING=${PW_KEEP_SERVICE_RUNNNING:-false}
+VAULTWARDEN_SMTP_FROM=vaultwarden@playwright.test
+
+#####################
+# Maildev Config 	#
+#####################
+MAILDEV_HTTP_PORT=1081
+MAILDEV_SMTP_PORT=1026
+MAILDEV_HOST=127.0.0.1
+
+################
+# Users Config #
+################
+TEST_USER=test
+TEST_USER_PASSWORD=Master Password
+TEST_USER_MAIL=${TEST_USER}@example.com
+
+TEST_USER2=test2
+TEST_USER2_PASSWORD=Master Password
+TEST_USER2_MAIL=${TEST_USER2}@example.com
+
+TEST_USER3=test3
+TEST_USER3_PASSWORD=Master Password
+TEST_USER3_MAIL=${TEST_USER3}@example.com
+
+###################
+# Keycloak Config #
+###################
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN}
+KC_HTTP_HOST=127.0.0.1
+KC_HTTP_PORT=8081
+
+# Script parameters (use Keycloak and VaultWarden config too)
+TEST_REALM=test
+DUMMY_REALM=dummy
+DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
+
+######################
+# Vaultwarden Config #
+######################
+ROCKET_PORT=8003
+DOMAIN=http://127.0.0.1:${ROCKET_PORT}
+SMTP_SECURITY=off
+SMTP_PORT=${MAILDEV_SMTP_PORT}
+SMTP_FROM_NAME=Vaultwarden
+SMTP_TIMEOUT=5
+
+SSO_CLIENT_ID=VaultWarden
+SSO_CLIENT_SECRET=VaultWarden
+SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM}
+
+###########################
+# Docker MariaDb container#
+###########################
+MARIADB_PORT=3307
+MARIADB_ROOT_PASSWORD=vaultwarden
+MARIADB_USER=vaultwarden
+MARIADB_PASSWORD=vaultwarden
+MARIADB_DATABASE=vaultwarden
+
+###########################
+# Docker Mysql container#
+###########################
+MYSQL_PORT=3309
+MYSQL_ROOT_PASSWORD=vaultwarden
+MYSQL_USER=vaultwarden
+MYSQL_PASSWORD=vaultwarden
+MYSQL_DATABASE=vaultwarden
+
+############################
+# Docker Postgres container#
+############################
+POSTGRES_PORT=5433
+POSTGRES_USER=vaultwarden
+POSTGRES_PASSWORD=vaultwarden
+POSTGRES_DB=vaultwarden

playwright/tests/collection.spec.ts

@@ -0,0 +1,38 @@
+import { test, expect, type TestInfo } from '@playwright/test';
+
+import * as utils from "../global-utils";
+import { createAccount, logUser } from './setups/user';
+
+let users = utils.loadEnv();
+
+test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
+    await utils.startVaultwarden(browser, testInfo);
+});
+
+test.afterAll('Teardown', async ({}) => {
+    utils.stopVaultwarden();
+});
+
+test('Create', async ({ page }) => {
+    await createAccount(test, page, users.user1);
+    await logUser(test, page, users.user1);
+
+    await test.step('Create Org', async () => {
+        await page.getByRole('link', { name: 'New organisation' }).click();
+        await page.getByLabel('Organisation name (required)').fill('Test');
+        await page.getByRole('button', { name: 'Submit' }).click();
+        await page.locator('div').filter({ hasText: 'Members' }).nth(2).click();
+
+        await utils.checkNotification(page, 'Organisation created');
+    });
+
+    await test.step('Create Collection', async () => {
+        await page.getByRole('link', { name: 'Collections' }).click();
+        await page.getByRole('button', { name: 'New' }).click();
+        await page.getByRole('menuitem', { name: 'Collection' }).click();
+        await page.getByLabel('Name (required)').fill('RandomCollec');
+        await page.getByRole('button', { name: 'Save' }).click();
+        await utils.checkNotification(page, 'Created collection RandomCollec');
+        await expect(page.getByRole('button', { name: 'RandomCollec' })).toBeVisible();
+    });
+});

playwright/tests/login.smtp.spec.ts

@@ -0,0 +1,130 @@
+import { test, expect, type TestInfo } from '@playwright/test';
+import { MailDev } from 'maildev';
+
+const utils = require('../global-utils');
+import { createAccount, logUser } from './setups/user';
+
+let users = utils.loadEnv();
+
+let mailserver;
+
+test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
+    mailserver = new MailDev({
+        port: process.env.MAILDEV_SMTP_PORT,
+        web: { port: process.env.MAILDEV_HTTP_PORT },
+    })
+
+    await mailserver.listen();
+
+    await utils.startVaultwarden(browser, testInfo, {
+        SMTP_HOST: process.env.MAILDEV_HOST,
+        SMTP_FROM: process.env.VAULTWARDEN_SMTP_FROM,
+    });
+});
+
+test.afterAll('Teardown', async ({}) => {
+    utils.stopVaultwarden();
+    if( mailserver ){
+        await mailserver.close();
+    }
+});
+
+test('Account creation', async ({ page }) => {
+    const mailBuffer = mailserver.buffer(users.user1.email);
+    await createAccount(test, page, users.user1, mailBuffer);
+    mailBuffer.close();
+});
+
+test('Login', async ({ context, page }) => {
+    const mailBuffer = mailserver.buffer(users.user1.email);
+
+    await logUser(test, page, users.user1, mailBuffer);
+
+    await test.step('verify email', async () => {
+        await page.getByText('Verify your account\'s email').click();
+        await expect(page.getByText('Verify your account\'s email')).toBeVisible();
+        await page.getByRole('button', { name: 'Send email' }).click();
+
+        await utils.checkNotification(page, 'Check your email inbox for a verification link');
+
+        const verify = await mailBuffer.next((m) => m.subject === "Verify Your Email");
+        expect(verify.from[0]?.address).toBe(process.env.VAULTWARDEN_SMTP_FROM);
+
+        const page2 = await context.newPage();
+        await page2.setContent(verify.html);
+        const link = await page2.getByTestId("verify").getAttribute("href");
+        await page2.close();
+
+        await page.goto(link);
+        await utils.checkNotification(page, 'Account email verified');
+    });
+
+    mailBuffer.close();
+});
+
+test('Activaite 2fa', async ({ context, page }) => {
+    const emails = mailserver.buffer(users.user1.email);
+
+    await logUser(test, page, users.user1);
+
+    await page.getByRole('button', { name: users.user1.name }).click();
+    await page.getByRole('menuitem', { name: 'Account settings' }).click();
+    await page.getByRole('link', { name: 'Security' }).click();
+    await page.getByRole('link', { name: 'Two-step login' }).click();
+    await page.locator('li').filter({ hasText: 'Email' }).getByRole('button').click();
+    await page.getByLabel('Master password (required)').fill(users.user1.password);
+    await page.getByRole('button', { name: 'Continue' }).click();
+    await page.getByRole('button', { name: 'Send email' }).click();
+
+    const codeMail = await emails.next((mail) => mail.subject === "Vaultwarden Login Verification Code");
+    const page2 = await context.newPage();
+    await page2.setContent(codeMail.html);
+    const code = await page2.getByTestId("2fa").innerText();
+    await page2.close();
+
+    await page.getByLabel('2. Enter the resulting 6').fill(code);
+    await page.getByRole('button', { name: 'Turn on' }).click();
+    await page.getByRole('heading', { name: 'Turned on', exact: true });
+
+    emails.close();
+});
+
+test('2fa', async ({ context, page }) => {
+    const emails = mailserver.buffer(users.user1.email);
+
+    await test.step('login', async () => {
+        await page.goto('/');
+
+        await page.getByLabel(/Email address/).fill(users.user1.email);
+        await page.getByRole('button', { name: 'Continue' }).click();
+        await page.getByLabel('Master password').fill(users.user1.password);
+        await page.getByRole('button', { name: 'Log in with master password' }).click();
+
+        const codeMail = await emails.next((mail) => mail.subject === "Vaultwarden Login Verification Code");
+        const page2 = await context.newPage();
+        await page2.setContent(codeMail.html);
+        const code = await page2.getByTestId("2fa").innerText();
+        await page2.close();
+
+        await page.getByLabel('Verification code').fill(code);
+        await page.getByRole('button', { name: 'Continue' }).click();
+
+        await expect(page).toHaveTitle(/Vaultwarden Web/);
+    })
+
+    await test.step('disable', async () => {
+        await page.getByRole('button', { name: 'Test' }).click();
+        await page.getByRole('menuitem', { name: 'Account settings' }).click();
+        await page.getByRole('link', { name: 'Security' }).click();
+        await page.getByRole('link', { name: 'Two-step login' }).click();
+        await page.locator('li').filter({ hasText: 'Email' }).getByRole('button').click();
+        await page.getByLabel('Master password (required)').click();
+        await page.getByLabel('Master password (required)').fill(users.user1.password);
+        await page.getByRole('button', { name: 'Continue' }).click();
+        await page.getByRole('button', { name: 'Turn off' }).click();
+        await page.getByRole('button', { name: 'Yes' }).click();
+        await utils.checkNotification(page, 'Two-step login provider turned off');
+    });
+
+    emails.close();
+});

playwright/tests/login.spec.ts

@@ -0,0 +1,94 @@
+import { test, expect, type Page, type TestInfo } from '@playwright/test';
+import * as OTPAuth from "otpauth";
+
+import * as utils from "../global-utils";
+import { createAccount, logUser } from './setups/user';
+
+let users = utils.loadEnv();
+let totp;
+
+test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
+    await utils.startVaultwarden(browser, testInfo, {});
+});
+
+test.afterAll('Teardown', async ({}, testInfo: TestInfo) => {
+    utils.stopVaultwarden(testInfo);
+});
+
+test('Account creation', async ({ page }) => {
+    // Landing page
+    await createAccount(test, page, users.user1);
+
+    await page.getByRole('button', { name: 'Continue' }).click();
+
+    // Unlock page
+    await page.getByLabel('Master password').fill(users.user1.password);
+    await page.getByRole('button', { name: 'Log in with master password' }).click();
+
+    // We are now in the default vault page
+    await expect(page).toHaveTitle(/Vaultwarden Web/);
+});
+
+test('Master password login', async ({ page }) => {
+    await logUser(test, page, users.user1);
+});
+
+test('Authenticator 2fa', async ({ context, page }) => {
+    let totp;
+
+    await test.step('Login', async () => {
+        await logUser(test, page, users.user1);
+    });
+
+    await test.step('Activate', async () => {
+        await page.getByRole('button', { name: users.user1.name }).click();
+        await page.getByRole('menuitem', { name: 'Account settings' }).click();
+        await page.getByRole('link', { name: 'Security' }).click();
+        await page.getByRole('link', { name: 'Two-step login' }).click();
+        await page.locator('li').filter({ hasText: 'TOTP Authenticator' }).getByRole('button').click();
+        await page.getByLabel('Master password (required)').fill(users.user1.password);
+        await page.getByRole('button', { name: 'Continue' }).click();
+
+        const secret = await page.getByLabel('Key').innerText();
+        totp = new OTPAuth.TOTP({ secret, period: 30 });
+
+        await page.getByLabel('Verification code (required)').fill(totp.generate());
+        await page.getByRole('button', { name: 'Turn on' }).click();
+        await page.getByRole('heading', { name: 'Turned on', exact: true });
+        await page.getByLabel('Close').click();
+    })
+
+    await test.step('logout', async () => {
+        await page.getByRole('button', { name: users.user1.name }).click();
+        await page.getByRole('menuitem', { name: 'Log out' }).click();
+    });
+
+    await test.step('login', async () => {
+        let timestamp = Date.now(); // Need to use the next token
+        timestamp = timestamp + (totp.period - (Math.floor(timestamp / 1000) % totp.period) + 1) * 1000;
+
+        await page.getByLabel(/Email address/).fill(users.user1.email);
+        await page.getByRole('button', { name: 'Continue' }).click();
+        await page.getByLabel('Master password').fill(users.user1.password);
+        await page.getByRole('button', { name: 'Log in with master password' }).click();
+
+        await page.getByLabel('Verification code').fill(totp.generate({timestamp}));
+        await page.getByRole('button', { name: 'Continue' }).click();
+
+        await expect(page).toHaveTitle(/Vaultwarden Web/);
+    });
+
+    await test.step('disable', async () => {
+        await page.getByRole('button', { name: 'Test' }).click();
+        await page.getByRole('menuitem', { name: 'Account settings' }).click();
+        await page.getByRole('link', { name: 'Security' }).click();
+        await page.getByRole('link', { name: 'Two-step login' }).click();
+        await page.locator('li').filter({ hasText: 'TOTP Authenticator' }).getByRole('button').click();
+        await page.getByLabel('Master password (required)').click();
+        await page.getByLabel('Master password (required)').fill(users.user1.password);
+        await page.getByRole('button', { name: 'Continue' }).click();
+        await page.getByRole('button', { name: 'Turn off' }).click();
+        await page.getByRole('button', { name: 'Yes' }).click();
+        await utils.checkNotification(page, 'Two-step login provider turned off');
+    });
+});

playwright/tests/organization.smtp.spec.ts

@@ -0,0 +1,126 @@
+import { test, expect, type TestInfo } from '@playwright/test';
+import { MailDev } from 'maildev';
+
+import * as utils from '../global-utils';
+import * as orgs from './setups/orgs';
+import { createAccount, logUser } from './setups/user';
+
+let users = utils.loadEnv();
+
+let mailServer, mail1Buffer, mail2Buffer, mail3Buffer;
+
+test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
+    mailServer = new MailDev({
+        port: process.env.MAILDEV_SMTP_PORT,
+        web: { port: process.env.MAILDEV_HTTP_PORT },
+    })
+
+    await mailServer.listen();
+
+    await utils.startVaultwarden(browser, testInfo, {
+        SMTP_HOST: process.env.MAILDEV_HOST,
+        SMTP_FROM: process.env.VAULTWARDEN_SMTP_FROM,
+    });
+
+    mail1Buffer = mailServer.buffer(users.user1.email);
+    mail2Buffer = mailServer.buffer(users.user2.email);
+    mail3Buffer = mailServer.buffer(users.user3.email);
+});
+
+test.afterAll('Teardown', async ({}, testInfo: TestInfo) => {
+    utils.stopVaultwarden(testInfo);
+    [mail1Buffer, mail2Buffer, mail3Buffer, mailServer].map((m) => m?.close());
+});
+
+test('Create user3', async ({ page }) => {
+    await createAccount(test, page, users.user3, mail3Buffer);
+});
+
+test('Invite users', async ({ page }) => {
+    await createAccount(test, page, users.user1, mail1Buffer);
+    await logUser(test, page, users.user1, mail1Buffer);
+
+    await orgs.create(test, page, 'Test');
+    await orgs.members(test, page, 'Test');
+    await orgs.invite(test, page, 'Test', users.user2.email);
+    await orgs.invite(test, page, 'Test', users.user3.email, {
+        navigate: false,
+    });
+});
+
+test('invited with new account', async ({ page }) => {
+    const invited = await mail2Buffer.next((mail) => mail.subject === 'Join Test');
+
+    await test.step('Create account', async () => {
+        await page.setContent(invited.html);
+        const link = await page.getByTestId('invite').getAttribute('href');
+        await page.goto(link);
+        await expect(page).toHaveTitle(/Create account | Vaultwarden Web/);
+
+        await page.getByLabel('Name').fill(users.user2.name);
+        await page.getByLabel('Master password\n   (required)', { exact: true }).fill(users.user2.password);
+        await page.getByLabel('Re-type master password').fill(users.user2.password);
+        await page.getByRole('button', { name: 'Create account' }).click();
+
+        // Back to the login page
+        await utils.checkNotification(page, 'Your new account has been created');
+    });
+
+    await test.step('Login', async () => {
+        await page.getByLabel(/Email address/).fill(users.user2.email);
+        await page.getByRole('button', { name: 'Continue' }).click();
+
+        // Unlock page
+        await page.getByLabel('Master password').fill(users.user2.password);
+        await page.getByRole('button', { name: 'Log in with master password' }).click();
+
+        // We are now in the default vault page
+        await expect(page).toHaveTitle(/Vaultwarden Web/);
+        await utils.checkNotification(page, 'Invitation accepted');
+    });
+
+    await test.step('Check mails', async () => {
+        await expect(mail2Buffer.next((m) => m.subject === 'Welcome')).resolves.toBeDefined();
+        await expect(mail2Buffer.next((m) => m.subject === 'New Device Logged In From Firefox')).resolves.toBeDefined();
+        await expect(mail1Buffer.next((m) => m.subject.includes('Invitation to Test accepted'))).resolves.toBeDefined();
+    });
+});
+
+test('invited with existing account', async ({ page }) => {
+    const invited = await mail3Buffer.next((mail) => mail.subject === 'Join Test');
+
+    await page.setContent(invited.html);
+    const link = await page.getByTestId('invite').getAttribute('href');
+
+    await page.goto(link);
+
+    // We should be on login page with email prefilled
+    await expect(page).toHaveTitle(/Vaultwarden Web/);
+    await page.getByRole('button', { name: 'Continue' }).click();
+
+    // Unlock page
+    await page.getByLabel('Master password').fill(users.user3.password);
+    await page.getByRole('button', { name: 'Log in with master password' }).click();
+
+    // We are now in the default vault page
+    await expect(page).toHaveTitle(/Vaultwarden Web/);
+    await utils.checkNotification(page, 'Invitation accepted');
+
+    await expect(mail3Buffer.next((m) => m.subject === 'New Device Logged In From Firefox')).resolves.toBeDefined();
+    await expect(mail1Buffer.next((m) => m.subject.includes('Invitation to Test accepted'))).resolves.toBeDefined();
+});
+
+test('Confirm invited user', async ({ page }) => {
+    await logUser(test, page, users.user1, mail1Buffer);
+
+    await orgs.members(test, page, 'Test');
+    await orgs.confirm(test, page, 'Test', users.user2.name);
+
+    await expect(mail2Buffer.next((m) => m.subject.includes('Invitation to Test confirmed'))).resolves.toBeDefined();
+});
+
+test('Organization is visible', async ({ page }) => {
+    await logUser(test, page, users.user2, mail2Buffer);
+    await page.getByLabel('vault: Test').click();
+    await expect(page.getByLabel('Filter: Default collection')).toBeVisible();
+});

playwright/tests/organization.spec.ts

@@ -0,0 +1,91 @@
+import { test, expect, type TestInfo } from '@playwright/test';
+import { MailDev } from 'maildev';
+
+import * as utils from "../global-utils";
+import { createAccount, logUser } from './setups/user';
+
+let users = utils.loadEnv();
+
+test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
+    await utils.startVaultwarden(browser, testInfo);
+});
+
+test.afterAll('Teardown', async ({}, testInfo: TestInfo) => {
+    utils.stopVaultwarden(testInfo);
+});
+
+test('Create user3', async ({ page }) => {
+    await createAccount(test, page, users.user3);
+});
+
+test('Invite users', async ({ page }) => {
+    await createAccount(test, page, users.user1);
+    await logUser(test, page, users.user1);
+
+    await test.step('Create Org', async () => {
+        await page.getByRole('link', { name: 'New organisation' }).click();
+        await page.getByLabel('Organisation name (required)').fill('Test');
+        await page.getByRole('button', { name: 'Submit' }).click();
+        await page.locator('div').filter({ hasText: 'Members' }).nth(2).click();
+    });
+
+    await test.step('Invite user2', async () => {
+        await page.getByRole('button', { name: 'Invite member' }).click();
+        await page.getByLabel('Email (required)').fill(users.user2.email);
+        await page.getByRole('tab', { name: 'Collections' }).click();
+        await page.getByLabel('Permission').selectOption('edit');
+        await page.getByLabel('Select collections').click();
+        await page.getByLabel('Options list').getByText('Default collection').click();
+        await page.getByRole('button', { name: 'Save' }).click();
+        await utils.checkNotification(page, 'User(s) invited');
+        await expect(page.getByRole('row', { name: users.user2.email })).toHaveText(/Invited/);
+    });
+
+    await test.step('Invite user3', async () => {
+        await page.getByRole('button', { name: 'Invite member' }).click();
+        await page.getByLabel('Email (required)').fill(users.user3.email);
+        await page.getByRole('tab', { name: 'Collections' }).click();
+        await page.getByLabel('Permission').selectOption('edit');
+        await page.getByLabel('Select collections').click();
+        await page.getByLabel('Options list').getByText('Default collection').click();
+        await page.getByRole('button', { name: 'Save' }).click();
+        await utils.checkNotification(page, 'User(s) invited');
+        await expect(page.getByRole('row', { name: users.user3.name })).toHaveText(/Needs confirmation/);
+    });
+
+    await test.step('Confirm existing user3', async () => {
+        await page.getByRole('row', { name: users.user3.name }).getByLabel('Options').click();
+        await page.getByRole('menuitem', { name: 'Confirm' }).click();
+        await page.getByRole('button', { name: 'Confirm' }).click();
+        await utils.checkNotification(page, 'confirmed');
+    });
+});
+
+test('Create invited account', async ({ page }) => {
+    await createAccount(test, page, users.user2);
+});
+
+test('Confirm invited user', async ({ page }) => {
+    await logUser(test, page, users.user1);
+    await page.getByLabel('Switch products').click();
+    await page.getByRole('link', { name: ' Admin Console' }).click();
+    await page.getByRole('link', { name: 'Members' }).click();
+
+    await test.step('Confirm user2', async () => {
+        await page.getByRole('row', { name: users.user2.name }).getByLabel('Options').click();
+        await page.getByRole('menuitem', { name: 'Confirm' }).click();
+        await page.getByRole('button', { name: 'Confirm' }).click();
+        await utils.checkNotification(page, 'confirmed');
+    });
+});
+
+test('Organization is visible', async ({ context, page }) => {
+    await logUser(test, page, users.user2);
+    await page.getByLabel('vault: Test').click();
+    await expect(page.getByLabel('Filter: Default collection')).toBeVisible();
+
+    const page2 = await context.newPage();
+    await logUser(test, page2, users.user3);
+    await page2.getByLabel('vault: Test').click();
+    await expect(page2.getByLabel('Filter: Default collection')).toBeVisible();
+});

playwright/tests/setups/db-setup.ts

@@ -0,0 +1,7 @@
+import { test } from './db-test';
+
+const utils = require('../../global-utils');
+
+test('DB start', async ({ serviceName }) => {
+	utils.startComposeService(serviceName);
+});

playwright/tests/setups/db-teardown.ts

@@ -0,0 +1,11 @@
+import { test } from './db-test';
+
+const utils = require('../../global-utils');
+
+utils.loadEnv();
+
+test('DB teardown ?', async ({ serviceName }) => {
+    if( process.env.PW_KEEP_SERVICE_RUNNNING !== "true" ) {
+        utils.stopComposeService(serviceName);
+    }
+});

playwright/tests/setups/db-test.ts

@@ -0,0 +1,9 @@
+import { test as base } from '@playwright/test';
+
+export type TestOptions = {
+  serviceName: string;
+};
+
+export const test = base.extend<TestOptions>({
+  serviceName: ['', { option: true }],
+});

playwright/tests/setups/orgs.ts

@@ -0,0 +1,62 @@
+import { expect, type Browser,Page } from '@playwright/test';
+
+import * as utils from '../../global-utils';
+
+export async function create(test, page: Page, name: string) {
+    await test.step('Create Org', async () => {
+        await page.locator('a').filter({ hasText: 'Password Manager' }).first().click();
+        await expect(page.getByTitle('All vaults', { exact: true })).toBeVisible();
+        await page.getByRole('link', { name: 'New organisation' }).click();
+        await page.getByLabel('Organisation name (required)').fill(name);
+        await page.getByRole('button', { name: 'Submit' }).click();
+
+        await utils.checkNotification(page, 'Organisation created');
+    });
+}
+
+export async function members(test, page: Page, name: string) {
+    await test.step(`Navigate to ${name}`, async () => {
+        await page.locator('a').filter({ hasText: 'Admin Console' }).first().click();
+        await page.locator('org-switcher').getByLabel(/Toggle collapse/).click();
+        await page.locator('org-switcher').getByRole('link', { name: `${name}` }).first().click();
+        await expect(page.getByRole('heading', { name: `${name} collections` })).toBeVisible();
+        await page.locator('div').filter({ hasText: 'Members' }).nth(2).click();
+        await expect(page.getByRole('heading', { name: 'Members' })).toBeVisible();
+    });
+}
+
+export async function invite(test, page: Page, name: string, email: string) {
+    await test.step(`Invite ${email}`, async () => {
+        await expect(page.getByRole('heading', { name: 'Members' })).toBeVisible();
+        await page.getByRole('button', { name: 'Invite member' }).click();
+        await page.getByLabel('Email (required)').fill(email);
+        await page.getByRole('tab', { name: 'Collections' }).click();
+        await page.getByLabel('Permission').selectOption('edit');
+        await page.getByLabel('Select collections').click();
+        await page.getByLabel('Options list').getByText('Default collection').click();
+        await page.getByRole('button', { name: 'Save' }).click();
+        await utils.checkNotification(page, 'User(s) invited');
+    });
+}
+
+export async function confirm(test, page: Page, name: string, user_name: string) {
+    await test.step(`Confirm ${user_name}`, async () => {
+        await expect(page.getByRole('heading', { name: 'Members' })).toBeVisible();
+        await page.getByRole('row', { name: user_name }).getByLabel('Options').click();
+        await page.getByRole('menuitem', { name: 'Confirm' }).click();
+        await expect(page.getByRole('heading', { name: 'Confirm user' })).toBeVisible();
+        await page.getByRole('button', { name: 'Confirm' }).click();
+        await utils.checkNotification(page, 'confirmed');
+    });
+}
+
+export async function revoke(test, page: Page, name: string, user_name: string) {
+    await test.step(`Revoke ${user_name}`, async () => {
+        await expect(page.getByRole('heading', { name: 'Members' })).toBeVisible();
+        await page.getByRole('row', { name: user_name }).getByLabel('Options').click();
+        await page.getByRole('menuitem', { name: 'Revoke access' }).click();
+        await expect(page.getByRole('heading', { name: 'Revoke access' })).toBeVisible();
+        await page.getByRole('button', { name: 'Revoke access' }).click();
+        await utils.checkNotification(page, 'Revoked organisation access');
+    });
+}

playwright/tests/setups/sso-setup.ts

@@ -0,0 +1,19 @@
+import { test, expect, type TestInfo } from '@playwright/test';
+
+const { exec } = require('node:child_process');
+const utils = require('../../global-utils');
+
+utils.loadEnv();
+
+test.beforeAll('Setup', async () => {
+    console.log("Starting Keycloak");
+    exec(`docker compose --profile keycloak --env-file test.env up`);
+});
+
+test('Keycloak is up', async ({ page }) => {
+    test.setTimeout(60000);
+    await utils.waitFor(process.env.SSO_AUTHORITY, page.context().browser());
+    // Dummy authority is created at the end of the setup
+    await utils.waitFor(process.env.DUMMY_AUTHORITY, page.context().browser());
+    console.log(`Keycloak running on: ${process.env.SSO_AUTHORITY}`);
+});

playwright/tests/setups/sso-teardown.ts

@@ -0,0 +1,15 @@
+import { test, type FullConfig } from '@playwright/test';
+
+const { execSync } = require('node:child_process');
+const utils = require('../../global-utils');
+
+utils.loadEnv();
+
+test('Keycloak teardown', async () => {
+    if( process.env.PW_KEEP_SERVICE_RUNNNING === "true" ) {
+        console.log("Keep Keycloak running");
+    } else {
+        console.log("Keycloak stopping");
+        execSync(`docker compose --profile keycloak --env-file test.env stop Keycloak`);
+    }
+});

playwright/tests/setups/sso.ts

@@ -0,0 +1,113 @@
+import { expect, type Page, Test } from '@playwright/test';
+import { type MailBuffer, MailServer } from 'maildev';
+
+import * as utils from '../../global-utils';
+
+/**
+ * If a MailBuffer is passed it will be used and consume the expected emails
+ */
+export async function logNewUser(
+    test: Test,
+    page: Page,
+    user: { email: string, name: string, password: string },
+    options: { mailBuffer?: MailBuffer, mailServer?: MailServer } = {}
+) {
+    let mailBuffer = options.mailBuffer ?? options.mailServer?.buffer(user.email);
+    try {
+        await test.step('Create user', async () => {
+            await test.step('Landing page', async () => {
+                await page.goto('/');
+                await page.getByLabel(/Email address/).fill(user.email);
+                await page.getByRole('button', 'Continue').click();
+            });
+
+            await test.step('SSo start page', async () => {
+                await page.getByRole('link', { name: /Enterprise single sign-on/ }).click();
+            });
+
+            await test.step('Keycloak login', async () => {
+                await expect(page.getByRole('heading', { name: 'Sign in to your account' })).toBeVisible();
+                await page.getByLabel(/Username/).fill(user.name);
+                await page.getByLabel('Password', { exact: true }).fill(user.password);
+                await page.getByRole('button', { name: 'Sign In' }).click();
+            });
+
+            await test.step('Create Vault account', async () => {
+                await expect(page.getByText('Set master password')).toBeVisible();
+                await page.getByLabel('Master password', { exact: true }).fill(user.password);
+                await page.getByLabel('Re-type master password').fill(user.password);
+                await page.getByRole('button', { name: 'Submit' }).click();
+            });
+
+            await test.step('Default vault page', async () => {
+                await expect(page).toHaveTitle(/Vaultwarden Web/);
+                await expect(page.getByTitle('All vaults', { exact: true })).toBeVisible();
+            });
+
+            if( mailBuffer ){
+                await test.step('Check emails', async () => {
+                    await expect(mailBuffer.next((m) => m.subject === "Welcome")).resolves.toBeDefined();
+                    await expect(mailBuffer.next((m) => m.subject.includes("New Device Logged"))).resolves.toBeDefined();
+                });
+            }
+        });
+    } finally {
+        if( options.mailServer ){
+            mailBuffer.close();
+        }
+    }
+}
+
+/**
+ * If a MailBuffer is passed it will be used and consume the expected emails
+ */
+export async function logUser(
+    test: Test,
+    page: Page,
+    user: { email: string, password: string },
+    options: { mailBuffer ?: MailBuffer, mailServer?: MailServer} = {}
+) {
+    let mailBuffer = options.mailBuffer ?? options.mailServer?.buffer(user.email);
+    try {
+        await test.step('Log user', async () => {
+            await test.step('Landing page', async () => {
+                await page.goto('/');
+                await page.getByLabel(/Email address/).fill(user.email);
+                await page.getByRole('button', 'Continue').click();
+            });
+
+            await test.step('SSo start page', async () => {
+                await page.getByRole('link', { name: /Enterprise single sign-on/ }).click();
+            });
+
+            await test.step('Keycloak login', async () => {
+                await expect(page.getByRole('heading', { name: 'Sign in to your account' })).toBeVisible();
+                await page.getByLabel(/Username/).fill(user.name);
+                await page.getByLabel('Password', { exact: true }).fill(user.password);
+                await page.getByRole('button', { name: 'Sign In' }).click();
+            });
+
+            await test.step('Unlock vault', async () => {
+                await expect(page).toHaveTitle('Vaultwarden Web');
+                await expect(page.getByRole('heading', { name: 'Your vault is locked' })).toBeVisible();
+                await page.getByLabel('Master password').fill(user.password);
+                await page.getByRole('button', { name: 'Unlock' }).click();
+            });
+
+            await test.step('Default vault page', async () => {
+                await expect(page).toHaveTitle(/Vaultwarden Web/);
+                await expect(page.getByTitle('All vaults', { exact: true })).toBeVisible();
+            });
+
+            if( options.emails ){
+                await test.step('Check email', async () => {
+                    await expect(mailBuffer.next((m) => m.subject.includes("New Device Logged"))).resolves.toBeDefined();
+                });
+            }
+        });
+    } finally {
+        if( options.mailServer ){
+            mailBuffer.close();
+        }
+    }
+}

playwright/tests/setups/user.ts

@@ -0,0 +1,48 @@
+import { expect, type Browser,Page } from '@playwright/test';
+import { type MailBuffer } from 'maildev';
+
+import * as utils from '../../global-utils';
+
+export async function createAccount(test, page: Page, user: { email: string, name: string, password: string }, mailBuffer?: MailBuffer) {
+    await test.step('Create user', async () => {
+        // Landing page
+        await page.goto('/');
+        await page.getByRole('link', { name: 'Create account' }).click();
+
+        // Back to Vault create account
+        await expect(page).toHaveTitle(/Create account | Vaultwarden Web/);
+        await page.getByLabel(/Email address/).fill(user.email);
+        await page.getByLabel('Name').fill(user.name);
+        await page.getByLabel('Master password\n   (required)', { exact: true }).fill(user.password);
+        await page.getByLabel('Re-type master password').fill(user.password);
+        await page.getByRole('button', { name: 'Create account' }).click();
+
+        // Back to the login page
+        await expect(page).toHaveTitle('Vaultwarden Web');
+        await utils.checkNotification(page, 'Your new account has been created');
+
+        if( mailBuffer ){
+            await expect(mailBuffer.next((m) => m.subject === "Welcome")).resolves.toBeDefined();
+        }
+    });
+}
+
+export async function logUser(test, page: Page, user: { email: string, password: string }, mailBuffer?: MailBuffer) {
+    await test.step('Log user', async () => {
+        // Landing page
+        await page.goto('/');
+        await page.getByLabel(/Email address/).fill(user.email);
+        await page.getByRole('button', { name: 'Continue' }).click();
+
+        // Unlock page
+        await page.getByLabel('Master password').fill(user.password);
+        await page.getByRole('button', { name: 'Log in with master password' }).click();
+
+        // We are now in the default vault page
+        await expect(page).toHaveTitle(/Vaultwarden Web/);
+
+        if( mailBuffer ){
+            await expect(mailBuffer.next((m) => m.subject === 'New Device Logged In From Firefox')).resolves.toBeDefined();
+        }
+    });
+}

playwright/tests/sso_login.spec.ts

@@ -0,0 +1,77 @@
+import { test, expect, type TestInfo } from '@playwright/test';
+import { logNewUser, logUser } from './setups/sso';
+import * as utils from "../global-utils";
+
+let users = utils.loadEnv();
+
+test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
+    await utils.startVaultwarden(browser, testInfo, {
+        SSO_ENABLED: true,
+        SSO_ONLY: false
+    });
+});
+
+test.afterAll('Teardown', async ({}) => {
+    utils.stopVaultwarden();
+});
+
+test('Account creation using SSO', async ({ page }) => {
+    // Landing page
+    await logNewUser(test, page, users.user1);
+});
+
+test('SSO login', async ({ page }) => {
+    await logUser(test, page, users.user1);
+});
+
+test('Non SSO login', async ({ page }) => {
+    // Landing page
+    await page.goto('/');
+    await page.getByLabel(/Email address/).fill(users.user1.email);
+    await page.getByRole('button', { name: 'Continue' }).click();
+
+    // Unlock page
+    await page.getByLabel('Master password').fill(users.user1.password);
+    await page.getByRole('button', { name: 'Log in with master password' }).click();
+
+    // We are now in the default vault page
+    await expect(page).toHaveTitle(/Vaultwarden Web/);
+});
+
+test('Non SSO login impossible', async ({ page, browser }, testInfo: TestInfo) => {
+    await utils.restartVaultwarden(page, testInfo, {
+        SSO_ENABLED: true,
+        SSO_ONLY: true
+    }, false);
+
+    // Landing page
+    await page.goto('/');
+    await page.getByLabel(/Email address/).fill(users.user1.email);
+    await page.getByRole('button', { name: 'Continue' }).click();
+
+    // Unlock page
+    await page.getByLabel('Master password').fill(users.user1.password);
+    await page.getByRole('button', { name: 'Log in with master password' }).click();
+
+    // An error should appear
+    await page.getByLabel('SSO sign-in is required')
+
+    // Check the selector for the next test
+    await expect(page.getByRole('link', { name: /Enterprise single sign-on/ })).toHaveCount(1);
+});
+
+
+test('No SSO login', async ({ page }, testInfo: TestInfo) => {
+    await utils.restartVaultwarden(page, testInfo, {
+        SSO_ENABLED: false
+    }, false);
+
+    // Landing page
+    await page.goto('/');
+    await page.getByLabel(/Email address/).fill(users.user1.email);
+    await page.getByRole('button', { name: 'Continue' }).click();
+
+    // No SSO button (rely on a correct selector checked in previous test)
+    await page.getByLabel('Master password');
+    await expect(page.getByRole('link', { name: /Enterprise single sign-on/ })).toHaveCount(0);
+});

playwright/tests/sso_organization.smtp.spec.ts

@@ -0,0 +1,142 @@
+import { test, expect, type TestInfo } from '@playwright/test';
+import { MailDev } from 'maildev';
+
+import * as utils from "../global-utils";
+import { logNewUser, logUser } from './setups/sso';
+
+let users = utils.loadEnv();
+
+let mailServer, mail1Buffer, mail2Buffer, mail3Buffer;
+
+test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
+    mailServer = new MailDev({
+        port: process.env.MAILDEV_SMTP_PORT,
+        web: { port: process.env.MAILDEV_HTTP_PORT },
+    })
+
+    await mailServer.listen();
+
+    await utils.startVaultwarden(browser, testInfo, {
+        SMTP_HOST: process.env.MAILDEV_HOST,
+        SMTP_FROM: process.env.VAULTWARDEN_SMTP_FROM,
+        SSO_ENABLED: true,
+        SSO_ONLY: true,
+    });
+
+    mail1Buffer = mailServer.buffer(users.user1.email);
+    mail2Buffer = mailServer.buffer(users.user2.email);
+    mail3Buffer = mailServer.buffer(users.user3.email);
+});
+
+test.afterAll('Teardown', async ({}) => {
+    utils.stopVaultwarden();
+    [mail1Buffer, mail2Buffer, mail3Buffer, mailServer].map((m) => m?.close());
+});
+
+test('Create user3', async ({ page }) => {
+    await logNewUser(test, page, users.user3, { mailBuffer: mail3Buffer });
+});
+
+test('Invite users', async ({ page }) => {
+    await logNewUser(test, page, users.user1, { mailBuffer: mail1Buffer });
+
+    await test.step('Create Org', async () => {
+        await page.getByRole('link', { name: 'New organisation' }).click();
+        await page.getByLabel('Organisation name (required)').fill('Test');
+        await page.getByRole('button', { name: 'Submit' }).click();
+        await page.locator('div').filter({ hasText: 'Members' }).nth(2).click();
+    });
+
+    await test.step('Invite user2', async () => {
+        await page.getByRole('button', { name: 'Invite member' }).click();
+        await page.getByLabel('Email (required)').fill(users.user2.email);
+        await page.getByRole('tab', { name: 'Collections' }).click();
+        await page.getByLabel('Permission').selectOption('edit');
+        await page.getByLabel('Select collections').click();
+        await page.getByLabel('Options list').getByText('Default collection').click();
+        await page.getByRole('button', { name: 'Save' }).click();
+        await utils.checkNotification(page, 'User(s) invited');
+    });
+
+    await test.step('Invite user3', async () => {
+        await page.getByRole('button', { name: 'Invite member' }).click();
+        await page.getByLabel('Email (required)').fill(users.user3.email);
+        await page.getByRole('tab', { name: 'Collections' }).click();
+        await page.getByLabel('Permission').selectOption('edit');
+        await page.getByLabel('Select collections').click();
+        await page.getByLabel('Options list').getByText('Default collection').click();
+        await page.getByRole('button', { name: 'Save' }).click();
+        await utils.checkNotification(page, 'User(s) invited');
+    });
+});
+
+test('invited with new account', async ({ page }) => {
+    const link = await test.step('Extract email link', async () => {
+        const invited = await mail2Buffer.next((m) => m.subject === "Join Test");
+        await page.setContent(invited.html);
+        return await page.getByTestId("invite").getAttribute("href");
+    });
+
+    await test.step('Redirect to Keycloak', async () => {
+        await page.goto(link);
+    });
+
+    await test.step('Keycloak login', async () => {
+        await expect(page.getByRole('heading', { name: 'Sign in to your account' })).toBeVisible();
+        await page.getByLabel(/Username/).fill(users.user2.name);
+        await page.getByLabel('Password', { exact: true }).fill(users.user2.password);
+        await page.getByRole('button', { name: 'Sign In' }).click();
+    });
+
+    await test.step('Create Vault account', async () => {
+        await expect(page.getByText('Set master password')).toBeVisible();
+        await page.getByLabel('Master password', { exact: true }).fill(users.user2.password);
+        await page.getByLabel('Re-type master password').fill(users.user2.password);
+        await page.getByRole('button', { name: 'Submit' }).click();
+    });
+
+    await test.step('Default vault page', async () => {
+        await expect(page).toHaveTitle(/Vaultwarden Web/);
+        // await utils.checkNotification(page, 'Invitation accepted');
+    });
+
+    await test.step('Check mails', async () => {
+        await expect(mail2Buffer.next((m) => m.subject.includes("New Device Logged"))).resolves.toBeDefined();
+        await expect(mail1Buffer.next((m) => m.subject === "Invitation to Test accepted")).resolves.toBeDefined();
+    });
+});
+
+test('invited with existing account', async ({ page }) => {
+    const link = await test.step('Extract email link', async () => {
+        const invited = await mail3Buffer.next((m) => m.subject === "Join Test");
+        await page.setContent(invited.html);
+        return await page.getByTestId("invite").getAttribute("href");
+    });
+
+    await test.step('Redirect to Keycloak', async () => {
+        await page.goto(link);
+    });
+
+    await test.step('Keycloak login', async () => {
+        await expect(page.getByRole('heading', { name: 'Sign in to your account' })).toBeVisible();
+        await page.getByLabel(/Username/).fill(users.user3.name);
+        await page.getByLabel('Password', { exact: true }).fill(users.user3.password);
+        await page.getByRole('button', { name: 'Sign In' }).click();
+    });
+
+    await test.step('Unlock vault', async () => {
+        await expect(page).toHaveTitle('Vaultwarden Web');
+        await page.getByLabel('Master password').fill(users.user3.password);
+        await page.getByRole('button', { name: 'Unlock' }).click();
+    });
+
+    await test.step('Default vault page', async () => {
+        await expect(page).toHaveTitle(/Vaultwarden Web/);
+        await utils.checkNotification(page, 'Invitation accepted');
+    });
+
+    await test.step('Check mails', async () => {
+        await expect(mail3Buffer.next((m) => m.subject.includes("New Device Logged"))).resolves.toBeDefined();
+        await expect(mail1Buffer.next((m) => m.subject === "Invitation to Test accepted")).resolves.toBeDefined();
+    });
+});

playwright/tests/sso_organization.spec.ts

@@ -0,0 +1,90 @@
+import { test, expect, type TestInfo } from '@playwright/test';
+import { MailDev } from 'maildev';
+
+import * as utils from "../global-utils";
+import { logNewUser, logUser } from './setups/sso';
+
+let users = utils.loadEnv();
+
+test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
+    await utils.startVaultwarden(browser, testInfo, {
+        SSO_ENABLED: true,
+        SSO_ONLY: true,
+    });
+});
+
+test.afterAll('Teardown', async ({}) => {
+    utils.stopVaultwarden();
+});
+
+test('Create user3', async ({ page }) => {
+    await logNewUser(test, page, users.user3);
+});
+
+test('Invite users', async ({ page }) => {
+    await logNewUser(test, page, users.user1);
+
+    await test.step('Create Org', async () => {
+        await page.getByRole('link', { name: 'New organisation' }).click();
+        await page.getByLabel('Organisation name (required)').fill('Test');
+        await page.getByRole('button', { name: 'Submit' }).click();
+        await page.locator('div').filter({ hasText: 'Members' }).nth(2).click();
+    });
+
+    await test.step('Invite user2', async () => {
+        await page.getByRole('button', { name: 'Invite member' }).click();
+        await page.getByLabel('Email (required)').fill(users.user2.email);
+        await page.getByRole('tab', { name: 'Collections' }).click();
+        await page.getByLabel('Permission').selectOption('edit');
+        await page.getByLabel('Select collections').click();
+        await page.getByLabel('Options list').getByText('Default collection').click();
+        await page.getByRole('button', { name: 'Save' }).click();
+        await utils.checkNotification(page, 'User(s) invited');
+        await expect(page.getByRole('row', { name: users.user2.email })).toHaveText(/Invited/);
+    });
+
+    await test.step('Invite user3', async () => {
+        await page.getByRole('button', { name: 'Invite member' }).click();
+        await page.getByLabel('Email (required)').fill(users.user3.email);
+        await page.getByRole('tab', { name: 'Collections' }).click();
+        await page.getByLabel('Permission').selectOption('edit');
+        await page.getByLabel('Select collections').click();
+        await page.getByLabel('Options list').getByText('Default collection').click();
+        await page.getByRole('button', { name: 'Save' }).click();
+        await utils.checkNotification(page, 'User(s) invited');
+        await expect(page.getByRole('row', { name: users.user3.name })).toHaveText(/Needs confirmation/);
+    });
+
+    await test.step('Confirm existing user3', async () => {
+        await page.getByRole('row', { name: users.user3.name }).getByLabel('Options').click();
+        await page.getByRole('menuitem', { name: 'Confirm' }).click();
+        await page.getByRole('button', { name: 'Confirm' }).click();
+        await utils.checkNotification(page, 'confirmed');
+    });
+});
+
+test('Create invited account', async ({ page }) => {
+    await logNewUser(test, page, users.user2);
+});
+
+test('Confirm invited user', async ({ page }) => {
+    await logUser(test, page, users.user1);
+    await page.getByLabel('Switch products').click();
+    await page.getByRole('link', { name: ' Admin Console' }).click();
+    await page.getByRole('link', { name: 'Members' }).click();
+
+    await expect(page.getByRole('row', { name: users.user2.name })).toHaveText(/Needs confirmation/);
+
+    await test.step('Confirm user2', async () => {
+        await page.getByRole('row', { name: users.user2.name }).getByLabel('Options').click();
+        await page.getByRole('menuitem', { name: 'Confirm' }).click();
+        await page.getByRole('button', { name: 'Confirm' }).click();
+        await utils.checkNotification(page, 'confirmed');
+    });
+});
+
+test('Organization is visible', async ({ page }) => {
+    await logUser(test, page, users.user2);
+    await page.getByLabel('vault: Test').click();
+    await expect(page.getByLabel('Filter: Default collection')).toBeVisible();
+});

src/api/admin.rs

@@ -296,7 +296,7 @@ async fn invite_user(data: Json<InviteData>, _token: AdminToken, mut conn: DbCon
         err_code!("User already exists", Status::Conflict.code)
     }
 
-    let mut user = User::new(data.email);
+    let mut user = User::new(data.email, None);
 
     async fn _generate_invite(user: &User, conn: &mut DbConn) -> EmptyResult {
         if CONFIG.mail_enabled() {

src/api/core/accounts.rs

@@ -7,9 +7,9 @@ use serde_json::Value;
 
 use crate::{
     api::{
-        core::{log_user_event, two_factor::email},
-        register_push_device, unregister_push_device, AnonymousNotify, EmptyResult, JsonResult, Notify,
-        PasswordOrOtpData, UpdateType,
+        core::{accept_org_invite, log_user_event, two_factor::email},
+        master_password_policy, register_push_device, unregister_push_device, AnonymousNotify, ApiResult, EmptyResult,
+        JsonResult, Notify, PasswordOrOtpData, UpdateType,
     },
     auth::{decode_delete, decode_invite, decode_verify_email, ClientHeaders, Headers},
     crypto,
@@ -34,6 +34,7 @@ pub fn routes() -> Vec<rocket::Route> {
         get_public_keys,
         post_keys,
         post_password,
+        post_set_password,
         post_kdf,
         post_rotatekey,
         post_sstamp,
@@ -84,6 +85,20 @@ pub struct RegisterData {
     organization_user_id: Option<MembershipId>,
 }
 
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct SetPasswordData {
+    kdf: Option<i32>,
+    kdf_iterations: Option<i32>,
+    kdf_memory: Option<i32>,
+    kdf_parallelism: Option<i32>,
+    key: String,
+    keys: Option<KeysData>,
+    master_password_hash: String,
+    master_password_hint: Option<String>,
+    org_identifier: Option<String>,
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct KeysData {
@@ -163,10 +178,7 @@ pub async fn _register(data: Json<RegisterData>, mut conn: DbConn) -> JsonResult
                     err!("Registration email does not match invite email")
                 }
             } else if Invitation::take(&email, &mut conn).await {
-                for membership in Membership::find_invited_by_user(&user.uuid, &mut conn).await.iter_mut() {
-                    membership.status = MembershipStatus::Accepted as i32;
-                    membership.save(&mut conn).await?;
-                }
+                Membership::accept_user_invitations(&user.uuid, &mut conn).await?;
                 user
             } else if CONFIG.is_signup_allowed(&email)
                 || (CONFIG.emergency_access_allowed()
@@ -182,7 +194,7 @@ pub async fn _register(data: Json<RegisterData>, mut conn: DbConn) -> JsonResult
             // because the vaultwarden admin can invite anyone, regardless
             // of other signup restrictions.
             if Invitation::take(&email, &mut conn).await || CONFIG.is_signup_allowed(&email) {
-                User::new(email.clone())
+                User::new(email.clone(), None)
             } else {
                 err!("Registration not allowed or user already exists")
             }
@@ -246,6 +258,77 @@ pub async fn _register(data: Json<RegisterData>, mut conn: DbConn) -> JsonResult
     })))
 }
 
+#[post("/accounts/set-password", data = "<data>")]
+async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, mut conn: DbConn) -> JsonResult {
+    let data: SetPasswordData = data.into_inner();
+    let mut user = headers.user;
+
+    if user.private_key.is_some() {
+        err!("Account already intialized cannot set password")
+    }
+
+    // Check against the password hint setting here so if it fails, the user
+    // can retry without losing their invitation below.
+    let password_hint = clean_password_hint(&data.master_password_hint);
+    enforce_password_hint_setting(&password_hint)?;
+
+    if let Some(client_kdf_iter) = data.kdf_iterations {
+        user.client_kdf_iter = client_kdf_iter;
+    }
+
+    if let Some(client_kdf_type) = data.kdf {
+        user.client_kdf_type = client_kdf_type;
+    }
+
+    user.client_kdf_memory = data.kdf_memory;
+    user.client_kdf_parallelism = data.kdf_parallelism;
+
+    user.set_password(
+        &data.master_password_hash,
+        Some(data.key),
+        false,
+        Some(vec![String::from("revision_date")]), // We need to allow revision-date to use the old security_timestamp
+    );
+    user.password_hint = password_hint;
+
+    if let Some(keys) = data.keys {
+        user.private_key = Some(keys.encrypted_private_key);
+        user.public_key = Some(keys.public_key);
+    }
+
+    if let Some(identifier) = data.org_identifier {
+        if identifier != crate::sso::FAKE_IDENTIFIER {
+            let org = match Organization::find_by_name(&identifier, &mut conn).await {
+                None => err!("Failed to retrieve the associated organization"),
+                Some(org) => org,
+            };
+
+            let membership = match Membership::find_by_user_and_org(&user.uuid, &org.uuid, &mut conn).await {
+                None => err!("Failed to retrieve the invitation"),
+                Some(org) => org,
+            };
+
+            accept_org_invite(&user, membership, None, &mut conn).await?;
+        }
+    }
+
+    if CONFIG.mail_enabled() {
+        mail::send_welcome(&user.email.to_lowercase()).await?;
+    } else {
+        Membership::accept_user_invitations(&user.uuid, &mut conn).await?;
+    }
+
+    log_user_event(EventType::UserChangedPassword as i32, &user.uuid, headers.device.atype, &headers.ip.ip, &mut conn)
+        .await;
+
+    user.save(&mut conn).await?;
+
+    Ok(Json(json!({
+      "Object": "set-password",
+      "CaptchaBypassToken": "",
+    })))
+}
+
 #[get("/accounts/profile")]
 async fn profile(headers: Headers, mut conn: DbConn) -> Json<Value> {
     Json(headers.user.to_json(&mut conn).await)
@@ -982,16 +1065,35 @@ struct SecretVerificationRequest {
     master_password_hash: String,
 }
 
+// Change the KDF Iterations if necessary
+pub async fn kdf_upgrade(user: &mut User, pwd_hash: &str, conn: &mut DbConn) -> ApiResult<()> {
+    if user.password_iterations != CONFIG.password_iterations() {
+        user.password_iterations = CONFIG.password_iterations();
+        user.set_password(pwd_hash, None, false, None);
+
+        if let Err(e) = user.save(conn).await {
+            error!("Error updating user: {:#?}", e);
+        }
+    }
+    Ok(())
+}
+
+// It appears that at the moment the return policy is required but ignored.
+// As such the `enforceOnLogin` part is not working.
 #[post("/accounts/verify-password", data = "<data>")]
-fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers) -> EmptyResult {
+async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers, mut conn: DbConn) -> JsonResult {
     let data: SecretVerificationRequest = data.into_inner();
-    let user = headers.user;
+    let mut user = headers.user;
 
     if !user.check_valid_password(&data.master_password_hash) {
         err!("Invalid password")
     }
 
-    Ok(())
+    kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?;
+
+    Ok(Json(json!({
+      "MasterPasswordPolicy": master_password_policy(&user, &conn).await,
+    })))
 }
 
 async fn _api_key(data: Json<PasswordOrOtpData>, rotate: bool, headers: Headers, mut conn: DbConn) -> JsonResult {

src/api/core/emergency_access.rs

@@ -239,7 +239,7 @@ async fn send_invite(data: Json<EmergencyAccessInviteData>, headers: Headers, mu
                 invitation.save(&mut conn).await?;
             }
 
-            let mut user = User::new(email.clone());
+            let mut user = User::new(email.clone(), None);
             user.save(&mut conn).await?;
             (user, true)
         }

src/api/core/mod.rs

@@ -50,11 +50,12 @@ pub fn events_routes() -> Vec<Route> {
 use rocket::{serde::json::Json, serde::json::Value, Catcher, Route};
 
 use crate::{
-    api::{JsonResult, Notify, UpdateType},
+    api::{EmptyResult, JsonResult, Notify, UpdateType},
     auth::Headers,
-    db::DbConn,
+    db::{models::*, DbConn},
     error::Error,
     http_client::make_http_request,
+    mail,
     util::parse_experimental_client_feature_flags,
 };
 
@@ -218,7 +219,7 @@ fn config() -> Json<Value> {
           "url": "https://github.com/dani-garcia/vaultwarden"
         },
         "settings": {
-            "disableUserRegistration": !crate::CONFIG.signups_allowed() && crate::CONFIG.signups_domains_whitelist().is_empty(),
+            "disableUserRegistration": crate::CONFIG.is_signup_disabled(),
         },
         "environment": {
           "vault": domain,
@@ -246,3 +247,49 @@ fn api_not_found() -> Json<Value> {
         }
     }))
 }
+
+async fn accept_org_invite(
+    user: &User,
+    mut member: Membership,
+    reset_password_key: Option<String>,
+    conn: &mut DbConn,
+) -> EmptyResult {
+    if member.status != MembershipStatus::Invited as i32 {
+        err!("User already accepted the invitation");
+    }
+
+    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
+    // It returns different error messages per function.
+    if member.atype < MembershipType::Admin {
+        match OrgPolicy::is_user_allowed(&member.user_uuid, &member.org_uuid, false, conn).await {
+            Ok(_) => {}
+            Err(OrgPolicyErr::TwoFactorMissing) => {
+                if crate::CONFIG.email_2fa_auto_fallback() {
+                    two_factor::email::activate_email_2fa(user, conn).await?;
+                } else {
+                    err!("You cannot join this organization until you enable two-step login on your user account");
+                }
+            }
+            Err(OrgPolicyErr::SingleOrgEnforced) => {
+                err!("You cannot join this organization because you are a member of an organization which forbids it");
+            }
+        }
+    }
+
+    member.status = MembershipStatus::Accepted as i32;
+    member.reset_password_key = reset_password_key;
+
+    member.save(conn).await?;
+
+    if crate::CONFIG.mail_enabled() {
+        let org = match Organization::find_by_uuid(&member.org_uuid, conn).await {
+            Some(org) => org,
+            None => err!("Organization not found."),
+        };
+        // User was invited to an organization, so they must be confirmed manually after acceptance
+        mail::send_invite_accepted(&user.email, &member.invited_by_email.unwrap_or(org.billing_email), &org.name)
+            .await?;
+    }
+
+    Ok(())
+}

src/api/core/organizations.rs

@@ -7,7 +7,7 @@ use std::collections::{HashMap, HashSet};
 use crate::api::admin::FAKE_ADMIN_UUID;
 use crate::{
     api::{
-        core::{log_event, two_factor, CipherSyncData, CipherSyncType},
+        core::{accept_org_invite, log_event, two_factor, CipherSyncData, CipherSyncType},
         EmptyResult, JsonResult, Notify, PasswordOrOtpData, UpdateType,
     },
     auth::{
@@ -16,7 +16,7 @@ use crate::{
     },
     db::{models::*, DbConn},
     mail,
-    util::{convert_json_key_lcase_first, NumberOrString},
+    util::{convert_json_key_lcase_first, get_uuid, NumberOrString},
     CONFIG,
 };
 
@@ -46,6 +46,7 @@ pub fn routes() -> Vec<Route> {
         bulk_delete_organization_collections,
         post_bulk_collections,
         get_org_details,
+        get_org_domain_sso_details,
         get_members,
         send_invite,
         reinvite_member,
@@ -63,6 +64,7 @@ pub fn routes() -> Vec<Route> {
         post_org_import,
         list_policies,
         list_policies_token,
+        get_master_password_policy,
         get_policy,
         put_policy,
         get_organization_tax,
@@ -106,6 +108,7 @@ pub fn routes() -> Vec<Route> {
         api_key,
         rotate_api_key,
         get_billing_metadata,
+        get_auto_enroll_status,
     ]
 }
 
@@ -195,7 +198,7 @@ async fn create_organization(headers: Headers, data: Json<OrgData>, mut conn: Db
     };
 
     let org = Organization::new(data.name, data.billing_email, private_key, public_key);
-    let mut member = Membership::new(headers.user.uuid, org.uuid.clone());
+    let mut member = Membership::new(headers.user.uuid, org.uuid.clone(), None);
     let collection = Collection::new(org.uuid.clone(), data.collection_name, None);
 
     member.akey = data.key;
@@ -338,6 +341,34 @@ async fn get_user_collections(headers: Headers, mut conn: DbConn) -> Json<Value>
     }))
 }
 
+// Called during the SSO enrollment
+// The `identifier` should be the value returned by `get_org_domain_sso_details`
+// The returned `Id` will then be passed to `get_master_password_policy` which will mainly ignore it
+#[get("/organizations/<identifier>/auto-enroll-status")]
+async fn get_auto_enroll_status(identifier: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
+    let org = if identifier == crate::sso::FAKE_IDENTIFIER {
+        match Membership::find_main_user_org(&headers.user.uuid, &mut conn).await {
+            Some(member) => Organization::find_by_uuid(&member.org_uuid, &mut conn).await,
+            None => None,
+        }
+    } else {
+        Organization::find_by_name(identifier, &mut conn).await
+    };
+
+    let (id, identifier, rp_auto_enroll) = match org {
+        None => (get_uuid(), identifier.to_string(), false),
+        Some(org) => {
+            (org.uuid.to_string(), org.name, OrgPolicy::org_is_reset_password_auto_enroll(&org.uuid, &mut conn).await)
+        }
+    };
+
+    Ok(Json(json!({
+        "Id": id,
+        "Identifier": identifier,
+        "ResetPasswordEnabled": rp_auto_enroll,
+    })))
+}
+
 #[get("/organizations/<org_id>/collections")]
 async fn get_org_collections(org_id: OrganizationId, headers: ManagerHeadersLoose, mut conn: DbConn) -> JsonResult {
     if org_id != headers.membership.org_uuid {
@@ -918,6 +949,31 @@ async fn _get_org_details(org_id: &OrganizationId, host: &str, user_id: &UserId,
     json!(ciphers_json)
 }
 
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct OrgDomainDetails {
+    email: String,
+}
+
+// Returning a Domain/Organization here allow to prefill it and prevent prompting the user
+// So we either return an Org name associated to the user or a dummy value.
+// The `verifiedDate` is required but the value ATM is ignored.
+#[post("/organizations/domain/sso/details", data = "<data>")]
+async fn get_org_domain_sso_details(data: Json<OrgDomainDetails>, mut conn: DbConn) -> JsonResult {
+    let data: OrgDomainDetails = data.into_inner();
+
+    let identifier = match Organization::find_main_org_user_email(&data.email, &mut conn).await {
+        Some(org) => org.name,
+        None => crate::sso::FAKE_IDENTIFIER.to_string(),
+    };
+
+    Ok(Json(json!({
+        "organizationIdentifier": identifier,
+        "ssoAvailable": CONFIG.sso_enabled(),
+        "verifiedDate": crate::util::format_date(&chrono::Utc::now().naive_utc()),
+    })))
+}
+
 #[derive(FromForm)]
 struct GetOrgUserData {
     #[field(name = "includeCollections")]
@@ -1055,7 +1111,7 @@ async fn send_invite(
                     Invitation::new(email).save(&mut conn).await?;
                 }
 
-                let mut new_user = User::new(email.clone());
+                let mut new_user = User::new(email.clone(), None);
                 new_user.save(&mut conn).await?;
                 user_created = true;
                 new_user
@@ -1073,7 +1129,7 @@ async fn send_invite(
             }
         };
 
-        let mut new_member = Membership::new(user.uuid.clone(), org_id.clone());
+        let mut new_member = Membership::new(user.uuid.clone(), org_id.clone(), Some(headers.user.email.clone()));
         let access_all = data.access_all;
         new_member.access_all = access_all;
         new_member.atype = new_type;
@@ -1257,71 +1313,39 @@ async fn accept_invite(
         err!("Invitation was issued to a different account", "Claim does not match user_id")
     }
 
+    // If a claim org_id does not match the one in from the URI, something is wrong.
+    if !claims.org_id.eq(&org_id) {
+        err!("Error accepting the invitation", "Claim does not match the org_id")
+    }
+
     // If a claim does not have a member_id or it does not match the one in from the URI, something is wrong.
     if !claims.member_id.eq(&member_id) {
         err!("Error accepting the invitation", "Claim does not match the member_id")
     }
 
-    let member = &claims.member_id;
-    let org = &claims.org_id;
-
+    let member_id = &claims.member_id;
     Invitation::take(&claims.email, &mut conn).await;
 
     // skip invitation logic when we were invited via the /admin panel
-    if **member != FAKE_ADMIN_UUID {
-        let Some(mut member) = Membership::find_by_uuid_and_org(member, org, &mut conn).await else {
+    if **member_id != FAKE_ADMIN_UUID {
+        let Some(mut member) = Membership::find_by_uuid_and_org(member_id, &claims.org_id, &mut conn).await else {
             err!("Error accepting the invitation")
         };
 
-        if member.status != MembershipStatus::Invited as i32 {
-            err!("User already accepted the invitation")
-        }
-
-        let master_password_required = OrgPolicy::org_is_reset_password_auto_enroll(org, &mut conn).await;
-        if data.reset_password_key.is_none() && master_password_required {
-            err!("Reset password key is required, but not provided.");
-        }
-
-        // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
-        // It returns different error messages per function.
-        if member.atype < MembershipType::Admin {
-            match OrgPolicy::is_user_allowed(&member.user_uuid, &org_id, false, &mut conn).await {
-                Ok(_) => {}
-                Err(OrgPolicyErr::TwoFactorMissing) => {
-                    if CONFIG.email_2fa_auto_fallback() {
-                        two_factor::email::activate_email_2fa(&headers.user, &mut conn).await?;
-                    } else {
-                        err!("You cannot join this organization until you enable two-step login on your user account");
-                    }
-                }
-                Err(OrgPolicyErr::SingleOrgEnforced) => {
-                    err!("You cannot join this organization because you are a member of an organization which forbids it");
-                }
-            }
-        }
-
-        member.status = MembershipStatus::Accepted as i32;
-
-        if master_password_required {
-            member.reset_password_key = data.reset_password_key;
-        }
+        let reset_password_key = match OrgPolicy::org_is_reset_password_auto_enroll(&member.org_uuid, &mut conn).await {
+            true if data.reset_password_key.is_none() => err!("Reset password key is required, but not provided."),
+            true => data.reset_password_key,
+            false => None,
+        };
 
-        member.save(&mut conn).await?;
-    }
+        // In case the user was invited before the mail was saved in db.
+        member.invited_by_email = member.invited_by_email.or(claims.invited_by_email);
 
-    if CONFIG.mail_enabled() {
-        if let Some(invited_by_email) = &claims.invited_by_email {
-            let org_name = match Organization::find_by_uuid(&claims.org_id, &mut conn).await {
-                Some(org) => org.name,
-                None => err!("Organization not found."),
-            };
-            // User was invited to an organization, so they must be confirmed manually after acceptance
-            mail::send_invite_accepted(&claims.email, invited_by_email, &org_name).await?;
-        } else {
-            // User was invited from /admin, so they are automatically confirmed
-            let org_name = CONFIG.invitation_org_name();
-            mail::send_invite_confirmed(&claims.email, &org_name).await?;
-        }
+        accept_org_invite(&headers.user, member, reset_password_key, &mut conn).await?;
+    } else if CONFIG.mail_enabled() {
+        // User was invited from /admin, so they are automatically confirmed
+        let org_name = CONFIG.invitation_org_name();
+        mail::send_invite_confirmed(&claims.email, &org_name).await?;
     }
 
     Ok(())
@@ -1985,18 +2009,36 @@ async fn list_policies_token(org_id: OrganizationId, token: &str, mut conn: DbCo
     })))
 }
 
-#[get("/organizations/<org_id>/policies/<pol_type>")]
+// Called during the SSO enrollment.
+// Return the org policy if it exists, otherwise use the default one.
+#[get("/organizations/<org_id>/policies/master-password", rank = 1)]
+async fn get_master_password_policy(org_id: OrganizationId, _headers: Headers, mut conn: DbConn) -> JsonResult {
+    let policy =
+        OrgPolicy::find_by_org_and_type(&org_id, OrgPolicyType::MasterPassword, &mut conn).await.unwrap_or_else(|| {
+            let data = match CONFIG.sso_master_password_policy() {
+                Some(policy) => policy,
+                None => "null".to_string(),
+            };
+
+            OrgPolicy::new(org_id, OrgPolicyType::MasterPassword, CONFIG.sso_master_password_policy().is_some(), data)
+        });
+
+    Ok(Json(policy.to_json()))
+}
+
+#[get("/organizations/<org_id>/policies/<pol_type>", rank = 2)]
 async fn get_policy(org_id: OrganizationId, pol_type: i32, headers: AdminHeaders, mut conn: DbConn) -> JsonResult {
     if org_id != headers.org_id {
         err!("Organization not found", "Organization id's do not match");
     }
+
     let Some(pol_type_enum) = OrgPolicyType::from_i32(pol_type) else {
         err!("Invalid or unsupported policy type")
     };
 
     let policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type_enum, &mut conn).await {
         Some(p) => p,
-        None => OrgPolicy::new(org_id.clone(), pol_type_enum, "null".to_string()),
+        None => OrgPolicy::new(org_id.clone(), pol_type_enum, false, "null".to_string()),
     };
 
     Ok(Json(policy.to_json()))
@@ -2107,7 +2149,7 @@ async fn put_policy(
 
     let mut policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type_enum, &mut conn).await {
         Some(p) => p,
-        None => OrgPolicy::new(org_id.clone(), pol_type_enum, "{}".to_string()),
+        None => OrgPolicy::new(org_id.clone(), pol_type_enum, false, "{}".to_string()),
     };
 
     policy.enabled = data.enabled;
@@ -2266,7 +2308,8 @@ async fn import(org_id: OrganizationId, data: Json<OrgImportData>, headers: Head
                     MembershipStatus::Accepted as i32 // Automatically mark user as accepted if no email invites
                 };
 
-                let mut new_member = Membership::new(user.uuid.clone(), org_id.clone());
+                let mut new_member =
+                    Membership::new(user.uuid.clone(), org_id.clone(), Some(headers.user.email.clone()));
                 new_member.access_all = false;
                 new_member.atype = MembershipType::User as i32;
                 new_member.status = member_status;

src/api/core/public.rs

@@ -89,7 +89,7 @@ async fn ldap_import(data: Json<OrgImportData>, token: PublicToken, mut conn: Db
                 Some(user) => user, // exists in vaultwarden
                 None => {
                     // User does not exist yet
-                    let mut new_user = User::new(user_data.email.clone());
+                    let mut new_user = User::new(user_data.email.clone(), None);
                     new_user.save(&mut conn).await?;
 
                     if !CONFIG.mail_enabled() {
@@ -105,7 +105,12 @@ async fn ldap_import(data: Json<OrgImportData>, token: PublicToken, mut conn: Db
                 MembershipStatus::Accepted as i32 // Automatically mark user as accepted if no email invites
             };
 
-            let mut new_member = Membership::new(user.uuid.clone(), org_id.clone());
+            let (org_name, org_email) = match Organization::find_by_uuid(&org_id, &mut conn).await {
+                Some(org) => (org.name, org.billing_email),
+                None => err!("Error looking up organization"),
+            };
+
+            let mut new_member = Membership::new(user.uuid.clone(), org_id.clone(), Some(org_email.clone()));
             new_member.set_external_id(Some(user_data.external_id.clone()));
             new_member.access_all = false;
             new_member.atype = MembershipType::User as i32;
@@ -114,11 +119,6 @@ async fn ldap_import(data: Json<OrgImportData>, token: PublicToken, mut conn: Db
             new_member.save(&mut conn).await?;
 
             if CONFIG.mail_enabled() {
-                let (org_name, org_email) = match Organization::find_by_uuid(&org_id, &mut conn).await {
-                    Some(org) => (org.name, org.billing_email),
-                    None => err!("Error looking up organization"),
-                };
-
                 if let Err(e) =
                     mail::send_invite(&user, org_id.clone(), new_member.uuid.clone(), &org_name, Some(org_email)).await
                 {

src/api/identity.rs

@@ -1,8 +1,10 @@
-use chrono::Utc;
+use chrono::{NaiveDateTime, Utc};
 use num_traits::FromPrimitive;
-use rocket::serde::json::Json;
 use rocket::{
     form::{Form, FromForm},
+    http::Status,
+    response::Redirect,
+    serde::json::Json,
     Route,
 };
 use serde_json::Value;
@@ -10,21 +12,25 @@ use serde_json::Value;
 use crate::{
     api::{
         core::{
-            accounts::{PreloginData, RegisterData, _prelogin, _register},
+            accounts::{PreloginData, RegisterData, _prelogin, _register, kdf_upgrade},
             log_user_event,
             two_factor::{authenticator, duo, duo_oidc, email, enforce_2fa_policy, webauthn, yubikey},
         },
+        master_password_policy,
         push::register_push_device,
         ApiResult, EmptyResult, JsonResult,
     },
-    auth::{generate_organization_api_key_login_claims, ClientHeaders, ClientIp},
+    auth,
+    auth::{AuthMethod, ClientHeaders, ClientIp},
     db::{models::*, DbConn},
     error::MapResult,
-    mail, util, CONFIG,
+    mail, sso,
+    sso::{OIDCCode, OIDCState},
+    util, CONFIG,
 };
 
 pub fn routes() -> Vec<Route> {
-    routes![login, prelogin, identity_register]
+    routes![login, prelogin, identity_register, _prevalidate, prevalidate, authorize, oidcsignin, oidcsignin_error]
 }
 
 #[post("/connect/token", data = "<data>")]
@@ -38,6 +44,7 @@ async fn login(data: Form<ConnectData>, client_header: ClientHeaders, mut conn:
             _check_is_some(&data.refresh_token, "refresh_token cannot be blank")?;
             _refresh_login(data, &mut conn).await
         }
+        "password" if CONFIG.sso_enabled() && CONFIG.sso_only() => err!("SSO sign-in is required"),
         "password" => {
             _check_is_some(&data.client_id, "client_id cannot be blank")?;
             _check_is_some(&data.password, "password cannot be blank")?;
@@ -61,6 +68,17 @@ async fn login(data: Form<ConnectData>, client_header: ClientHeaders, mut conn:
 
             _api_key_login(data, &mut user_id, &mut conn, &client_header.ip).await
         }
+        "authorization_code" if CONFIG.sso_enabled() => {
+            _check_is_some(&data.client_id, "client_id cannot be blank")?;
+            _check_is_some(&data.code, "code cannot be blank")?;
+
+            _check_is_some(&data.device_identifier, "device_identifier cannot be blank")?;
+            _check_is_some(&data.device_name, "device_name cannot be blank")?;
+            _check_is_some(&data.device_type, "device_type cannot be blank")?;
+
+            _sso_login(data, &mut user_id, &mut conn, &client_header.ip).await
+        }
+        "authorization_code" => err!("SSO sign-in is not available"),
         t => err!("Invalid type", t),
     };
 
@@ -94,49 +112,186 @@ async fn login(data: Form<ConnectData>, client_header: ClientHeaders, mut conn:
     login_result
 }
 
+// Return Status::Unauthorized to trigger logout
 async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
     // Extract token
-    let token = data.refresh_token.unwrap();
-
-    // Get device by refresh token
-    let mut device = Device::find_by_refresh_token(&token, conn).await.map_res("Invalid refresh token")?;
-
-    let scope = "api offline_access";
-    let scope_vec = vec!["api".into(), "offline_access".into()];
+    let refresh_token = match data.refresh_token {
+        Some(token) => token,
+        None => err_code!("Missing refresh_token", Status::Unauthorized.code),
+    };
 
-    // Common
-    let user = User::find_by_uuid(&device.user_uuid, conn).await.unwrap();
     // ---
     // Disabled this variable, it was used to generate the JWT
     // Because this might get used in the future, and is add by the Bitwarden Server, lets keep it, but then commented out
     // See: https://github.com/dani-garcia/vaultwarden/issues/4156
     // ---
     // let members = Membership::find_confirmed_by_user(&user.uuid, conn).await;
-    let (access_token, expires_in) = device.refresh_tokens(&user, scope_vec);
-    device.save(conn).await?;
+    match auth::refresh_tokens(&refresh_token, conn).await {
+        Err(err) => {
+            err_code!(format!("Unable to refresh login credentials: {}", err.message()), Status::Unauthorized.code)
+        }
+        Ok((mut device, auth_tokens)) => {
+            // Save to update `device.updated_at` to track usage
+            device.save(conn).await?;
+
+            let result = json!({
+                "refresh_token": auth_tokens.refresh_token(),
+                "access_token": auth_tokens.access_token(),
+                "expires_in": auth_tokens.expires_in(),
+                "token_type": "Bearer",
+                "scope": auth_tokens.scope(),
+            });
+
+            Ok(Json(result))
+        }
+    }
+}
 
-    let result = json!({
-        "access_token": access_token,
-        "expires_in": expires_in,
-        "token_type": "Bearer",
-        "refresh_token": device.refresh_token,
+// After exchanging the code we need to check first if 2FA is needed before continuing
+async fn _sso_login(data: ConnectData, user_id: &mut Option<UserId>, conn: &mut DbConn, ip: &ClientIp) -> JsonResult {
+    AuthMethod::Sso.check_scope(data.scope.as_ref())?;
 
-        "scope": scope,
-    });
+    // Ratelimit the login
+    crate::ratelimit::check_limit_login(&ip.ip)?;
 
-    Ok(Json(result))
-}
+    let code = match data.code.as_ref() {
+        None => err!(
+            "Got no code in OIDC data",
+            ErrorEvent {
+                event: EventType::UserFailedLogIn
+            }
+        ),
+        Some(code) => code,
+    };
+
+    let user_infos = sso::exchange_code(code, conn).await?;
+    let user_with_sso = match SsoUser::find_by_identifier(&user_infos.identifier, conn).await {
+        None => match SsoUser::find_by_mail(&user_infos.email, conn).await {
+            None => None,
+            Some((user, Some(_))) => {
+                error!(
+                    "Login failure ({}), existing SSO user ({}) with same email ({})",
+                    user_infos.identifier, user.uuid, user.email
+                );
+                err_silent!(
+                    "Existing SSO user with same email",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                )
+            }
+            Some((user, None)) if user.private_key.is_some() && !CONFIG.sso_signups_match_email() => {
+                error!(
+                    "Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled",
+                    user_infos.identifier, user.uuid, user.email
+                );
+                err_silent!(
+                    "Existing non SSO user with same email",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                )
+            }
+            Some((user, None)) => Some((user, None)),
+        },
+        Some((user, sso_user)) => Some((user, Some(sso_user))),
+    };
+
+    let now = Utc::now().naive_utc();
+    // Will trigger 2FA flow if needed
+    let (user, mut device, new_device, twofactor_token, sso_user) = match user_with_sso {
+        None => {
+            if !CONFIG.is_email_domain_allowed(&user_infos.email) {
+                err!(
+                    "Email domain not allowed",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                );
+            }
+
+            match user_infos.email_verified {
+                None if !CONFIG.sso_allow_unknown_email_verification() => err!(
+                    "Your provider does not send email verification status.\n\
+                    You will need to change the server configuration (check `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`) to log in.",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                ),
+                Some(false) => err!(
+                    "You need to verify your email with your provider before you can log in",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                ),
+                _ => (),
+            }
+
+            let mut user = User::new(user_infos.email, user_infos.user_name);
+            user.verified_at = Some(now);
+            user.save(conn).await?;
+
+            let (device, new_device) = get_device(&data, conn, &user).await?;
 
-#[derive(Default, Deserialize, Serialize)]
-#[serde(rename_all = "camelCase")]
-struct MasterPasswordPolicy {
-    min_complexity: u8,
-    min_length: u32,
-    require_lower: bool,
-    require_upper: bool,
-    require_numbers: bool,
-    require_special: bool,
-    enforce_on_login: bool,
+            (user, device, new_device, None, None)
+        }
+        Some((user, _)) if !user.enabled => {
+            err!(
+                "This user has been disabled",
+                format!("IP: {}. Username: {}.", ip.ip, user.name),
+                ErrorEvent {
+                    event: EventType::UserFailedLogIn
+                }
+            )
+        }
+        Some((mut user, sso_user)) => {
+            let (mut device, new_device) = get_device(&data, conn, &user).await?;
+            let twofactor_token = twofactor_auth(&user, &data, &mut device, ip, conn).await?;
+
+            if user.private_key.is_none() {
+                // User was invited a stub was created
+                user.verified_at = Some(now);
+                if let Some(user_name) = user_infos.user_name {
+                    user.name = user_name;
+                }
+
+                user.save(conn).await?;
+            }
+
+            if user.email != user_infos.email {
+                if CONFIG.mail_enabled() {
+                    mail::send_sso_change_email(&user_infos.email).await?;
+                }
+                info!("User {} email changed in SSO provider from {} to {}", user.uuid, user.email, user_infos.email);
+            }
+
+            (user, device, new_device, twofactor_token, sso_user)
+        }
+    };
+
+    // We passed 2FA get full user informations
+    let auth_user = sso::redeem(&user_infos.state, conn).await?;
+
+    if sso_user.is_none() {
+        let user_sso = SsoUser {
+            user_uuid: user.uuid.clone(),
+            identifier: user_infos.identifier,
+        };
+        user_sso.save(conn).await?;
+    }
+
+    // Set the user_uuid here to be passed back used for event logging.
+    *user_id = Some(user.uuid.clone());
+
+    let auth_tokens = sso::create_auth_tokens(
+        &device,
+        &user,
+        auth_user.refresh_token,
+        &auth_user.access_token,
+        auth_user.expires_in,
+    )?;
+
+    authenticated_response(&user, &mut device, new_device, auth_tokens, twofactor_token, &now, conn, ip).await
 }
 
 async fn _password_login(
@@ -146,11 +301,7 @@ async fn _password_login(
     ip: &ClientIp,
 ) -> JsonResult {
     // Validate scope
-    let scope = data.scope.as_ref().unwrap();
-    if scope != "api offline_access" {
-        err!("Scope not supported")
-    }
-    let scope_vec = vec!["api".into(), "offline_access".into()];
+    AuthMethod::Password.check_scope(data.scope.as_ref())?;
 
     // Ratelimit the login
     crate::ratelimit::check_limit_login(&ip.ip)?;
@@ -217,13 +368,8 @@ async fn _password_login(
     }
 
     // Change the KDF Iterations (only when not logging in with an auth request)
-    if data.auth_request.is_none() && user.password_iterations != CONFIG.password_iterations() {
-        user.password_iterations = CONFIG.password_iterations();
-        user.set_password(password, None, false, None);
-
-        if let Err(e) = user.save(conn).await {
-            error!("Error updating user: {:#?}", e);
-        }
+    if data.auth_request.is_none() {
+        kdf_upgrade(&mut user, password, conn).await?;
     }
 
     let now = Utc::now().naive_utc();
@@ -260,12 +406,28 @@ async fn _password_login(
         )
     }
 
-    let (mut device, new_device) = get_device(&data, conn, &user).await;
+    let (mut device, new_device) = get_device(&data, conn, &user).await?;
 
     let twofactor_token = twofactor_auth(&user, &data, &mut device, ip, conn).await?;
 
+    let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::Password);
+
+    authenticated_response(&user, &mut device, new_device, auth_tokens, twofactor_token, &now, conn, ip).await
+}
+
+#[allow(clippy::too_many_arguments)]
+async fn authenticated_response(
+    user: &User,
+    device: &mut Device,
+    new_device: bool,
+    auth_tokens: auth::AuthTokens,
+    twofactor_token: Option<String>,
+    now: &NaiveDateTime,
+    conn: &mut DbConn,
+    ip: &ClientIp,
+) -> JsonResult {
     if CONFIG.mail_enabled() && new_device {
-        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, &device).await {
+        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), now, device).await {
             error!("Error sending new device email: {:#?}", e);
 
             if CONFIG.require_device_email() {
@@ -281,78 +443,43 @@ async fn _password_login(
 
     // register push device
     if !new_device {
-        register_push_device(&mut device, conn).await?;
+        register_push_device(device, conn).await?;
     }
 
-    // Common
-    // ---
-    // Disabled this variable, it was used to generate the JWT
-    // Because this might get used in the future, and is add by the Bitwarden Server, lets keep it, but then commented out
-    // See: https://github.com/dani-garcia/vaultwarden/issues/4156
-    // ---
-    // let members = Membership::find_confirmed_by_user(&user.uuid, conn).await;
-    let (access_token, expires_in) = device.refresh_tokens(&user, scope_vec);
+    // Save to update `device.updated_at` to track usage
     device.save(conn).await?;
 
-    // Fetch all valid Master Password Policies and merge them into one with all true's and larges numbers as one policy
-    let master_password_policies: Vec<MasterPasswordPolicy> =
-        OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy(
-            &user.uuid,
-            OrgPolicyType::MasterPassword,
-            conn,
-        )
-        .await
-        .into_iter()
-        .filter_map(|p| serde_json::from_str(&p.data).ok())
-        .collect();
-
-    let master_password_policy = if !master_password_policies.is_empty() {
-        let mut mpp_json = json!(master_password_policies.into_iter().reduce(|acc, policy| {
-            MasterPasswordPolicy {
-                min_complexity: acc.min_complexity.max(policy.min_complexity),
-                min_length: acc.min_length.max(policy.min_length),
-                require_lower: acc.require_lower || policy.require_lower,
-                require_upper: acc.require_upper || policy.require_upper,
-                require_numbers: acc.require_numbers || policy.require_numbers,
-                require_special: acc.require_special || policy.require_special,
-                enforce_on_login: acc.enforce_on_login || policy.enforce_on_login,
-            }
-        }));
-        mpp_json["object"] = json!("masterPasswordPolicy");
-        mpp_json
-    } else {
-        json!({"object": "masterPasswordPolicy"})
-    };
+    let mp_policy = master_password_policy(user, conn).await;
 
     let mut result = json!({
-        "access_token": access_token,
-        "expires_in": expires_in,
+        "access_token": auth_tokens.access_token(),
+        "expires_in": auth_tokens.expires_in(),
         "token_type": "Bearer",
-        "refresh_token": device.refresh_token,
-        "Key": user.akey,
+        "refresh_token": auth_tokens.refresh_token(),
         "PrivateKey": user.private_key,
-        //"TwoFactorToken": "11122233333444555666777888999"
-
         "Kdf": user.client_kdf_type,
         "KdfIterations": user.client_kdf_iter,
         "KdfMemory": user.client_kdf_memory,
         "KdfParallelism": user.client_kdf_parallelism,
         "ResetMasterPassword": false, // TODO: Same as above
         "ForcePasswordReset": false,
-        "MasterPasswordPolicy": master_password_policy,
-
-        "scope": scope,
+        "MasterPasswordPolicy": mp_policy,
+        "scope": auth_tokens.scope(),
         "UserDecryptionOptions": {
             "HasMasterPassword": !user.password_hash.is_empty(),
             "Object": "userDecryptionOptions"
         },
     });
 
+    if !user.akey.is_empty() {
+        result["Key"] = Value::String(user.akey.clone());
+    }
+
     if let Some(token) = twofactor_token {
         result["TwoFactorToken"] = Value::String(token);
     }
 
-    info!("User {} logged in successfully. IP: {}", username, ip.ip);
+    info!("User {} logged in successfully. IP: {}", user.email, ip.ip);
     Ok(Json(result))
 }
 
@@ -366,9 +493,9 @@ async fn _api_key_login(
     crate::ratelimit::check_limit_login(&ip.ip)?;
 
     // Validate scope
-    match data.scope.as_ref().unwrap().as_ref() {
-        "api" => _user_api_key_login(data, user_id, conn, ip).await,
-        "api.organization" => _organization_api_key_login(data, conn, ip).await,
+    match data.scope.as_ref() {
+        Some(scope) if scope == &AuthMethod::UserApiKey.scope() => _user_api_key_login(data, user_id, conn, ip).await,
+        Some(scope) if scope == &AuthMethod::OrgApiKey.scope() => _organization_api_key_login(data, conn, ip).await,
         _ => err!("Scope not supported"),
     }
 }
@@ -415,7 +542,7 @@ async fn _user_api_key_login(
         )
     }
 
-    let (mut device, new_device) = get_device(&data, conn, &user).await;
+    let (mut device, new_device) = get_device(&data, conn, &user).await?;
 
     if CONFIG.mail_enabled() && new_device {
         let now = Utc::now().naive_utc();
@@ -433,15 +560,15 @@ async fn _user_api_key_login(
         }
     }
 
-    // Common
-    let scope_vec = vec!["api".into()];
     // ---
     // Disabled this variable, it was used to generate the JWT
     // Because this might get used in the future, and is add by the Bitwarden Server, lets keep it, but then commented out
     // See: https://github.com/dani-garcia/vaultwarden/issues/4156
     // ---
-    // let members = Membership::find_confirmed_by_user(&user.uuid, conn).await;
-    let (access_token, expires_in) = device.refresh_tokens(&user, scope_vec);
+    // let orgs = Membership::find_confirmed_by_user(&user.uuid, conn).await;
+    let access_claims = auth::LoginJwtClaims::default(&device, &user, &AuthMethod::UserApiKey);
+
+    // Save to update `device.updated_at` to track usage
     device.save(conn).await?;
 
     info!("User {} logged in successfully via API key. IP: {}", user.email, ip.ip);
@@ -449,8 +576,8 @@ async fn _user_api_key_login(
     // Note: No refresh_token is returned. The CLI just repeats the
     // client_credentials login flow when the existing token expires.
     let result = json!({
-        "access_token": access_token,
-        "expires_in": expires_in,
+        "access_token": access_claims.token(),
+        "expires_in": access_claims.expires_in(),
         "token_type": "Bearer",
         "Key": user.akey,
         "PrivateKey": user.private_key,
@@ -460,7 +587,7 @@ async fn _user_api_key_login(
         "KdfMemory": user.client_kdf_memory,
         "KdfParallelism": user.client_kdf_parallelism,
         "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
-        "scope": "api",
+        "scope": AuthMethod::UserApiKey.scope(),
     });
 
     Ok(Json(result))
@@ -483,19 +610,19 @@ async fn _organization_api_key_login(data: ConnectData, conn: &mut DbConn, ip: &
         err!("Incorrect client_secret", format!("IP: {}. Organization: {}.", ip.ip, org_api_key.org_uuid))
     }
 
-    let claim = generate_organization_api_key_login_claims(org_api_key.uuid, org_api_key.org_uuid);
-    let access_token = crate::auth::encode_jwt(&claim);
+    let claim = auth::generate_organization_api_key_login_claims(org_api_key.uuid, org_api_key.org_uuid);
+    let access_token = auth::encode_jwt(&claim);
 
     Ok(Json(json!({
         "access_token": access_token,
         "expires_in": 3600,
         "token_type": "Bearer",
-        "scope": "api.organization",
+        "scope": AuthMethod::OrgApiKey.scope(),
     })))
 }
 
 /// Retrieves an existing device or creates a new device from ConnectData and the User
-async fn get_device(data: &ConnectData, conn: &mut DbConn, user: &User) -> (Device, bool) {
+async fn get_device(data: &ConnectData, conn: &mut DbConn, user: &User) -> ApiResult<(Device, bool)> {
     // On iOS, device_type sends "iOS", on others it sends a number
     // When unknown or unable to parse, return 14, which is 'Unknown Browser'
     let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(14);
@@ -507,12 +634,13 @@ async fn get_device(data: &ConnectData, conn: &mut DbConn, user: &User) -> (Devi
     let device = match Device::find_by_uuid_and_user(&device_id, &user.uuid, conn).await {
         Some(device) => device,
         None => {
+            let device = Device::new(device_id, user.uuid.clone(), device_name, device_type);
             new_device = true;
-            Device::new(device_id, user.uuid.clone(), device_name, device_type)
+            device
         }
     };
 
-    (device, new_device)
+    Ok((device, new_device))
 }
 
 async fn twofactor_auth(
@@ -537,9 +665,7 @@ async fn twofactor_auth(
 
     let twofactor_code = match data.two_factor_token {
         Some(ref code) => code,
-        None => {
-            err_json!(_json_err_twofactor(&twofactor_ids, &user.uuid, data, conn).await?, "2FA token not provided")
-        }
+        None => err_json!(_json_err_twofactor(&twofactor_ids, &user.uuid, data, conn).await?, "2FA token not provided"),
     };
 
     let selected_twofactor = twofactors.into_iter().find(|tf| tf.atype == selected_id && tf.enabled);
@@ -601,12 +727,13 @@ async fn twofactor_auth(
 
     TwoFactorIncomplete::mark_complete(&user.uuid, &device.uuid, conn).await?;
 
-    if !CONFIG.disable_2fa_remember() && remember == 1 {
-        Ok(Some(device.refresh_twofactor_remember()))
+    let two_factor = if !CONFIG.disable_2fa_remember() && remember == 1 {
+        Some(device.refresh_twofactor_remember())
     } else {
         device.delete_twofactor_remember();
-        Ok(None)
-    }
+        None
+    };
+    Ok(two_factor)
 }
 
 fn _selected_data(tf: Option<TwoFactor>) -> ApiResult<String> {
@@ -770,11 +897,137 @@ struct ConnectData {
     two_factor_remember: Option<i32>,
     #[field(name = uncased("authrequest"))]
     auth_request: Option<AuthRequestId>,
+    // Needed for authorization code
+    #[form(field = uncased("code"))]
+    code: Option<String>,
 }
-
 fn _check_is_some<T>(value: &Option<T>, msg: &str) -> EmptyResult {
     if value.is_none() {
         err!(msg)
     }
     Ok(())
 }
+
+// Deprecated but still needed for Mobile apps
+#[get("/account/prevalidate")]
+fn _prevalidate() -> JsonResult {
+    prevalidate()
+}
+
+#[get("/sso/prevalidate")]
+fn prevalidate() -> JsonResult {
+    if CONFIG.sso_enabled() {
+        let sso_token = sso::encode_ssotoken_claims();
+        Ok(Json(json!({
+            "token": sso_token,
+        })))
+    } else {
+        err!("SSO sign-in is not available")
+    }
+}
+
+#[get("/connect/oidc-signin?<code>&<state>", rank = 1)]
+async fn oidcsignin(code: OIDCCode, state: String, conn: DbConn) -> ApiResult<Redirect> {
+    oidcsignin_redirect(
+        state,
+        |decoded_state| sso::OIDCCodeWrapper::Ok {
+            state: decoded_state,
+            code,
+        },
+        &conn,
+    )
+    .await
+}
+
+// Bitwarden client appear to only care for code and state so we pipe it through
+// cf: https://github.com/bitwarden/clients/blob/8e46ef1ae5be8b62b0d3d0b9d1b1c62088a04638/libs/angular/src/auth/components/sso.component.ts#L68C11-L68C23)
+#[get("/connect/oidc-signin?<state>&<error>&<error_description>", rank = 2)]
+async fn oidcsignin_error(
+    state: String,
+    error: String,
+    error_description: Option<String>,
+    conn: DbConn,
+) -> ApiResult<Redirect> {
+    oidcsignin_redirect(
+        state,
+        |decoded_state| sso::OIDCCodeWrapper::Error {
+            state: decoded_state,
+            error,
+            error_description,
+        },
+        &conn,
+    )
+    .await
+}
+
+// The state was encoded using Base64 to ensure no issue with providers.
+// iss and scope parameters are needed for redirection to work on IOS.
+async fn oidcsignin_redirect(
+    base64_state: String,
+    wrapper: impl FnOnce(OIDCState) -> sso::OIDCCodeWrapper,
+    conn: &DbConn,
+) -> ApiResult<Redirect> {
+    let state = sso::deocde_state(base64_state)?;
+    let code = sso::encode_code_claims(wrapper(state.clone()));
+
+    let nonce = match SsoNonce::find(&state, conn).await {
+        Some(n) => n,
+        None => err!(format!("Failed to retrive redirect_uri with {state}")),
+    };
+
+    let mut url = match url::Url::parse(&nonce.redirect_uri) {
+        Ok(url) => url,
+        Err(err) => err!(format!("Failed to parse redirect uri ({}): {err}", nonce.redirect_uri)),
+    };
+
+    url.query_pairs_mut()
+        .append_pair("code", &code)
+        .append_pair("state", &state)
+        .append_pair("scope", &AuthMethod::Sso.scope())
+        .append_pair("iss", &CONFIG.domain());
+
+    debug!("Redirection to {url}");
+
+    Ok(Redirect::temporary(String::from(url)))
+}
+
+#[derive(Debug, Clone, Default, FromForm)]
+struct AuthorizeData {
+    #[field(name = uncased("client_id"))]
+    #[field(name = uncased("clientid"))]
+    client_id: String,
+    #[field(name = uncased("redirect_uri"))]
+    #[field(name = uncased("redirecturi"))]
+    redirect_uri: String,
+    #[allow(unused)]
+    response_type: Option<String>,
+    #[allow(unused)]
+    scope: Option<String>,
+    state: OIDCState,
+    #[allow(unused)]
+    code_challenge: Option<String>,
+    #[allow(unused)]
+    code_challenge_method: Option<String>,
+    #[allow(unused)]
+    response_mode: Option<String>,
+    #[allow(unused)]
+    domain_hint: Option<String>,
+    #[allow(unused)]
+    #[field(name = uncased("ssoToken"))]
+    sso_token: Option<String>,
+}
+
+// The `redirect_uri` will change depending of the client (web, android, ios ..)
+#[get("/connect/authorize?<data..>")]
+async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult<Redirect> {
+    let AuthorizeData {
+        client_id,
+        redirect_uri,
+        state,
+        ..
+    } = data;
+
+    let auth_url = sso::authorize_url(state, &client_id, &redirect_uri, conn).await?;
+
+    Ok(Redirect::temporary(String::from(auth_url)))
+}

src/api/mod.rs

@@ -32,10 +32,14 @@ pub use crate::api::{
     web::routes as web_routes,
     web::static_files,
 };
-use crate::db::{models::User, DbConn};
+use crate::db::{
+    models::{OrgPolicy, OrgPolicyType, User},
+    DbConn,
+};
+use crate::CONFIG;
 
 // Type aliases for API methods results
-type ApiResult<T> = Result<T, crate::error::Error>;
+pub type ApiResult<T> = Result<T, crate::error::Error>;
 pub type JsonResult = ApiResult<Json<Value>>;
 pub type EmptyResult = ApiResult<()>;
 
@@ -68,3 +72,50 @@ impl PasswordOrOtpData {
         Ok(())
     }
 }
+
+#[derive(Default, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct MasterPasswordPolicy {
+    min_complexity: u8,
+    min_length: u32,
+    require_lower: bool,
+    require_upper: bool,
+    require_numbers: bool,
+    require_special: bool,
+    enforce_on_login: bool,
+}
+
+// Fetch all valid Master Password Policies and merge them into one with all true's and larges numbers as one policy
+async fn master_password_policy(user: &User, conn: &DbConn) -> Value {
+    let master_password_policies: Vec<MasterPasswordPolicy> =
+        OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy(
+            &user.uuid,
+            OrgPolicyType::MasterPassword,
+            conn,
+        )
+        .await
+        .into_iter()
+        .filter_map(|p| serde_json::from_str(&p.data).ok())
+        .collect();
+
+    let mut mpp_json = if !master_password_policies.is_empty() {
+        json!(master_password_policies.into_iter().reduce(|acc, policy| {
+            MasterPasswordPolicy {
+                min_complexity: acc.min_complexity.max(policy.min_complexity),
+                min_length: acc.min_length.max(policy.min_length),
+                require_lower: acc.require_lower || policy.require_lower,
+                require_upper: acc.require_upper || policy.require_upper,
+                require_numbers: acc.require_numbers || policy.require_numbers,
+                require_special: acc.require_special || policy.require_special,
+                enforce_on_login: acc.enforce_on_login || policy.enforce_on_login,
+            }
+        }))
+    } else if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) {
+        serde_json::from_str(&policy_str).unwrap_or(json!({}))
+    } else {
+        json!({})
+    };
+
+    mpp_json["object"] = json!("masterPasswordPolicy");
+    mpp_json
+}

src/api/web.rs

@@ -55,12 +55,14 @@ fn not_found() -> ApiResult<Html<String>> {
 #[get("/css/vaultwarden.css")]
 fn vaultwarden_css() -> Cached<Css<String>> {
     let css_options = json!({
-        "signup_disabled": !CONFIG.signups_allowed() && CONFIG.signups_domains_whitelist().is_empty(),
-        "mail_enabled": CONFIG.mail_enabled(),
-        "yubico_enabled": CONFIG._enable_yubico() && (CONFIG.yubico_client_id().is_some() == CONFIG.yubico_secret_key().is_some()),
         "emergency_access_allowed": CONFIG.emergency_access_allowed(),
-        "sends_allowed": CONFIG.sends_allowed(),
         "load_user_scss": true,
+        "mail_enabled": CONFIG.mail_enabled(),
+        "sends_allowed": CONFIG.sends_allowed(),
+        "signup_disabled": CONFIG.is_signup_disabled(),
+        "sso_disabled": !CONFIG.sso_enabled(),
+        "sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
+        "yubico_enabled": CONFIG._enable_yubico() && (CONFIG.yubico_client_id().is_some() == CONFIG.yubico_secret_key().is_some()),
     });
 
     let scss = match CONFIG.render_template("scss/vaultwarden.scss", &css_options) {

src/auth.rs

@@ -1,6 +1,5 @@
 // JWT Handling
-//
-use chrono::{TimeDelta, Utc};
+use chrono::{DateTime, TimeDelta, Utc};
 use jsonwebtoken::{errors::ErrorKind, Algorithm, DecodingKey, EncodingKey, Header};
 use num_traits::FromPrimitive;
 use once_cell::sync::{Lazy, OnceCell};
@@ -14,15 +13,23 @@ use std::{
     net::IpAddr,
 };
 
-use crate::db::models::{
-    AttachmentId, CipherId, CollectionId, DeviceId, EmergencyAccessId, MembershipId, OrgApiKeyId, OrganizationId,
-    SendFileId, SendId, UserId,
+use crate::{
+    api::ApiResult,
+    db::models::{
+        AttachmentId, CipherId, CollectionId, DeviceId, EmergencyAccessId, MembershipId, OrgApiKeyId, OrganizationId,
+        SendFileId, SendId, UserId,
+    },
+    error::Error,
+    sso, CONFIG,
 };
-use crate::{error::Error, CONFIG};
 
 const JWT_ALGORITHM: Algorithm = Algorithm::RS256;
 
-pub static DEFAULT_VALIDITY: Lazy<TimeDelta> = Lazy::new(|| TimeDelta::try_hours(2).unwrap());
+// Limit when BitWarden consider the token as expired
+pub static BW_EXPIRATION: Lazy<TimeDelta> = Lazy::new(|| TimeDelta::try_minutes(5).unwrap());
+
+pub static DEFAULT_REFRESH_VALIDITY: Lazy<TimeDelta> = Lazy::new(|| TimeDelta::try_days(30).unwrap());
+pub static DEFAULT_ACCESS_VALIDITY: Lazy<TimeDelta> = Lazy::new(|| TimeDelta::try_hours(2).unwrap());
 static JWT_HEADER: Lazy<Header> = Lazy::new(|| Header::new(JWT_ALGORITHM));
 
 pub static JWT_LOGIN_ISSUER: Lazy<String> = Lazy::new(|| format!("{}|login", CONFIG.domain_origin()));
@@ -90,7 +97,7 @@ pub fn encode_jwt<T: Serialize>(claims: &T) -> String {
     }
 }
 
-fn decode_jwt<T: DeserializeOwned>(token: &str, issuer: String) -> Result<T, Error> {
+pub fn decode_jwt<T: DeserializeOwned>(token: &str, issuer: String) -> Result<T, Error> {
     let mut validation = jsonwebtoken::Validation::new(JWT_ALGORITHM);
     validation.leeway = 30; // 30 seconds
     validation.validate_exp = true;
@@ -109,6 +116,10 @@ fn decode_jwt<T: DeserializeOwned>(token: &str, issuer: String) -> Result<T, Err
     }
 }
 
+pub fn decode_refresh(token: &str) -> Result<RefreshJwtClaims, Error> {
+    decode_jwt(token, JWT_LOGIN_ISSUER.to_string())
+}
+
 pub fn decode_login(token: &str) -> Result<LoginJwtClaims, Error> {
     decode_jwt(token, JWT_LOGIN_ISSUER.to_string())
 }
@@ -182,6 +193,73 @@ pub struct LoginJwtClaims {
     pub amr: Vec<String>,
 }
 
+impl LoginJwtClaims {
+    pub fn new(device: &Device, user: &User, nbf: i64, exp: i64, scope: Vec<String>, now: DateTime<Utc>) -> Self {
+        // ---
+        // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
+        // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
+        // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
+        // ---
+        // fn arg: orgs: Vec<super::UserOrganization>,
+        // ---
+        // let orgowner: Vec<_> = orgs.iter().filter(|o| o.atype == 0).map(|o| o.org_uuid.clone()).collect();
+        // let orgadmin: Vec<_> = orgs.iter().filter(|o| o.atype == 1).map(|o| o.org_uuid.clone()).collect();
+        // let orguser: Vec<_> = orgs.iter().filter(|o| o.atype == 2).map(|o| o.org_uuid.clone()).collect();
+        // let orgmanager: Vec<_> = orgs.iter().filter(|o| o.atype == 3).map(|o| o.org_uuid.clone()).collect();
+
+        if exp <= (now + *BW_EXPIRATION).timestamp() {
+            warn!("Raise access_token lifetime to more than 5min.")
+        }
+
+        // Create the JWT claims struct, to send to the client
+        Self {
+            nbf,
+            exp,
+            iss: JWT_LOGIN_ISSUER.to_string(),
+            sub: user.uuid.clone(),
+            premium: true,
+            name: user.name.clone(),
+            email: user.email.clone(),
+            email_verified: !CONFIG.mail_enabled() || user.verified_at.is_some(),
+
+            // ---
+            // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
+            // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
+            // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
+            // See: https://github.com/dani-garcia/vaultwarden/issues/4156
+            // ---
+            // orgowner,
+            // orgadmin,
+            // orguser,
+            // orgmanager,
+            sstamp: user.security_stamp.clone(),
+            device: device.uuid.clone(),
+            scope,
+            amr: vec!["Application".into()],
+        }
+    }
+
+    pub fn default(device: &Device, user: &User, auth_method: &AuthMethod) -> Self {
+        let time_now = Utc::now();
+        Self::new(
+            device,
+            user,
+            time_now.timestamp(),
+            (time_now + *DEFAULT_ACCESS_VALIDITY).timestamp(),
+            auth_method.scope_vec(),
+            time_now,
+        )
+    }
+
+    pub fn token(&self) -> String {
+        encode_jwt(&self)
+    }
+
+    pub fn expires_in(&self) -> i64 {
+        self.exp - Utc::now().timestamp()
+    }
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 pub struct InviteJwtClaims {
     // Not before
@@ -966,3 +1044,143 @@ impl<'r> FromRequest<'r> for ClientVersion {
         Outcome::Success(ClientVersion(version))
     }
 }
+
+#[derive(Clone, Debug, Ord, PartialOrd, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum AuthMethod {
+    OrgApiKey,
+    Password,
+    Sso,
+    UserApiKey,
+}
+
+impl AuthMethod {
+    pub fn scope(&self) -> String {
+        match self {
+            AuthMethod::OrgApiKey => "api.organization".to_string(),
+            AuthMethod::Password => "api offline_access".to_string(),
+            AuthMethod::Sso => "api offline_access".to_string(),
+            AuthMethod::UserApiKey => "api".to_string(),
+        }
+    }
+
+    pub fn scope_vec(&self) -> Vec<String> {
+        self.scope().split_whitespace().map(str::to_string).collect()
+    }
+
+    pub fn check_scope(&self, scope: Option<&String>) -> ApiResult<String> {
+        let method_scope = self.scope();
+        match scope {
+            None => err!("Missing scope"),
+            Some(scope) if scope == &method_scope => Ok(method_scope),
+            Some(scope) => err!(format!("Scope ({scope}) not supported")),
+        }
+    }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum TokenWrapper {
+    Access(String),
+    Refresh(String),
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct RefreshJwtClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: AuthMethod,
+
+    pub device_token: String,
+
+    pub token: Option<TokenWrapper>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct AuthTokens {
+    pub refresh_claims: RefreshJwtClaims,
+    pub access_claims: LoginJwtClaims,
+}
+
+impl AuthTokens {
+    pub fn refresh_token(&self) -> String {
+        encode_jwt(&self.refresh_claims)
+    }
+
+    pub fn access_token(&self) -> String {
+        self.access_claims.token()
+    }
+
+    pub fn expires_in(&self) -> i64 {
+        self.access_claims.expires_in()
+    }
+
+    pub fn scope(&self) -> String {
+        self.refresh_claims.sub.scope()
+    }
+
+    // Create refresh_token and access_token with default validity
+    pub fn new(device: &Device, user: &User, sub: AuthMethod) -> Self {
+        let time_now = Utc::now();
+
+        let access_claims = LoginJwtClaims::default(device, user, &sub);
+
+        let refresh_claims = RefreshJwtClaims {
+            nbf: time_now.timestamp(),
+            exp: (time_now + *DEFAULT_REFRESH_VALIDITY).timestamp(),
+            iss: JWT_LOGIN_ISSUER.to_string(),
+            sub,
+            device_token: device.refresh_token.clone(),
+            token: None,
+        };
+
+        Self {
+            refresh_claims,
+            access_claims,
+        }
+    }
+}
+
+pub async fn refresh_tokens(refresh_token: &str, conn: &mut DbConn) -> ApiResult<(Device, AuthTokens)> {
+    let time_now = Utc::now();
+
+    let refresh_claims = match decode_refresh(refresh_token) {
+        Err(err) => err_silent!(format!("Impossible to read refresh_token: {}", err.message())),
+        Ok(claims) => claims,
+    };
+
+    // Get device by refresh token
+    let mut device = match Device::find_by_refresh_token(&refresh_claims.device_token, conn).await {
+        None => err!("Invalid refresh token"),
+        Some(device) => device,
+    };
+
+    // Save to update `updated_at`.
+    device.save(conn).await?;
+
+    let user = match User::find_by_uuid(&device.user_uuid, conn).await {
+        None => err!("Impossible to find user"),
+        Some(user) => user,
+    };
+
+    if refresh_claims.exp < time_now.timestamp() {
+        err!("Expired refresh token");
+    }
+
+    let auth_tokens = match refresh_claims.sub {
+        AuthMethod::Sso if CONFIG.sso_enabled() && CONFIG.sso_auth_only_not_session() => {
+            AuthTokens::new(&device, &user, refresh_claims.sub)
+        }
+        AuthMethod::Sso if CONFIG.sso_enabled() => sso::exchange_refresh_token(&device, &user, &refresh_claims).await?,
+        AuthMethod::Sso => err!("SSO is now disabled, Login again using email and master password"),
+        AuthMethod::Password if CONFIG.sso_enabled() && CONFIG.sso_only() => err!("SSO is now required, Login again"),
+        AuthMethod::Password => AuthTokens::new(&device, &user, refresh_claims.sub),
+        _ => err!("Invalid auth method, cannot refresh token"),
+    };
+
+    Ok((device, auth_tokens))
+}

src/config.rs

@@ -435,6 +435,9 @@ make_config! {
         /// Duo Auth context cleanup schedule |> Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
         /// Defaults to once every minute. Set blank to disable this job.
         duo_context_purge_schedule:   String, false,  def,    "30 * * * * *".to_string();
+        /// Purge incomplete sso nonce. |> Cron schedule of the job that cleans leftover nonce in db due to incomplete sso login.
+        /// Defaults to daily. Set blank to disable this job.
+        purge_incomplete_sso_nonce: String, false,  def,   "0 20 0 * * *".to_string();
     },
 
     /// General settings
@@ -652,6 +655,42 @@ make_config! {
         enforce_single_org_with_reset_pw_policy: bool, false, def, false;
     },
 
+    /// OpenID Connect SSO settings
+    sso {
+        /// Enabled
+        sso_enabled:                    bool,   false,   def,    false;
+        /// Only sso login |> Disable Email+Master Password login
+        sso_only:                       bool,   true,   def,    false;
+        /// Allow email association |> Associate existing non-sso user based on email
+        sso_signups_match_email:        bool,   true,   def,    true;
+        /// Allow unknown email verification status |> Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
+        sso_allow_unknown_email_verification: bool, false, def, false;
+        /// Client ID
+        sso_client_id:                  String, false,   def,    String::new();
+        /// Client Key
+        sso_client_secret:              Pass,   false,   def,    String::new();
+        /// Authority Server |> Base url of the OIDC provider discovery endpoint (without `/.well-known/openid-configuration`)
+        sso_authority:                  String, false,   def,    String::new();
+        /// Authorization request scopes |> List the of the needed scope (`openid` is implicit)
+        sso_scopes:                     String, false,  def,   "email profile".to_string();
+        /// Authorization request extra parameters
+        sso_authorize_extra_params:     String, false,  def,    String::new();
+        /// Use PKCE during Authorization flow
+        sso_pkce:                       bool,   false,   def,    true;
+        /// Regex for additionnal trusted Id token audience |> By default only the client_id is trsuted.
+        sso_audience_trusted:           String, false,  option;
+        /// CallBack Path |> Generated from Domain.
+        sso_callback_path:              String, false,  generated, |c| generate_sso_callback_path(&c.domain);
+        /// Optional sso master password policy |> Ex format: '{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
+        sso_master_password_policy:     String, true,  option;
+        /// Use sso only for auth not the session lifecycle |> Use default Vaultwarden session lifecycle (Idle refresh token valid for 30days)
+        sso_auth_only_not_session:      bool,   true,   def,    false;
+        /// Client cache for discovery endpoint. |> Duration in seconds (0 or less to disable). More details: https://github.com/dani-garcia/vaultwarden/blob/sso-support/SSO.md#client-cache
+        sso_client_cache_expiration:    u64,    true,   def,    0;
+        /// Log all tokens |> `LOG_LEVEL=debug` or `LOG_LEVEL=info,vaultwarden::sso=debug` is required
+        sso_debug_tokens:               bool,   true,   def,    false;
+    },
+
     /// Yubikey settings
     yubico: _enable_yubico {
         /// Enabled
@@ -878,6 +917,17 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
         err!("All Duo options need to be set for global Duo support")
     }
 
+    if cfg.sso_enabled {
+        if cfg.sso_client_id.is_empty() || cfg.sso_client_secret.is_empty() || cfg.sso_authority.is_empty() {
+            err!("`SSO_CLIENT_ID`, `SSO_CLIENT_SECRET` and `SSO_AUTHORITY` must be set for SSO support")
+        }
+
+        internal_sso_issuer_url(&cfg.sso_authority)?;
+        internal_sso_redirect_url(&cfg.sso_callback_path)?;
+        check_master_password_policy(&cfg.sso_master_password_policy)?;
+        internal_sso_authorize_extra_params_vec(&cfg.sso_authorize_extra_params)?;
+    }
+
     if cfg._enable_yubico {
         if cfg.yubico_client_id.is_some() != cfg.yubico_secret_key.is_some() {
             err!("Both `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` must be set for Yubikey OTP support")
@@ -1055,6 +1105,35 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
     Ok(())
 }
 
+fn internal_sso_issuer_url(sso_authority: &String) -> Result<openidconnect::IssuerUrl, Error> {
+    match openidconnect::IssuerUrl::new(sso_authority.clone()) {
+        Err(err) => err!(format!("Invalid sso_authority UR ({sso_authority}): {err}")),
+        Ok(issuer_url) => Ok(issuer_url),
+    }
+}
+
+fn internal_sso_redirect_url(sso_callback_path: &String) -> Result<openidconnect::RedirectUrl, Error> {
+    match openidconnect::RedirectUrl::new(sso_callback_path.clone()) {
+        Err(err) => err!(format!("Invalid sso_callback_path ({sso_callback_path} built using `domain`) URL: {err}")),
+        Ok(redirect_url) => Ok(redirect_url),
+    }
+}
+
+fn internal_sso_authorize_extra_params_vec(config: &str) -> Result<Vec<(String, String)>, Error> {
+    match parse_param_list(config.to_owned(), '&', '=') {
+        Err(e) => err!(format!("Invalid SSO_AUTHORIZE_EXTRA_PARAMS: {e}")),
+        Ok(params) => Ok(params),
+    }
+}
+
+fn check_master_password_policy(sso_master_password_policy: &Option<String>) -> Result<(), Error> {
+    let policy = sso_master_password_policy.as_ref().map(|mpp| serde_json::from_str::<serde_json::Value>(mpp));
+    if let Some(Err(error)) = policy {
+        err!(format!("Invalid sso_master_password_policy ({error}), Ensure that it's correctly escaped with ''"))
+    }
+    Ok(())
+}
+
 /// Extracts an RFC 6454 web origin from a URL.
 fn extract_url_origin(url: &str) -> String {
     match Url::parse(url) {
@@ -1086,6 +1165,10 @@ fn generate_smtp_img_src(embed_images: bool, domain: &str) -> String {
     }
 }
 
+fn generate_sso_callback_path(domain: &str) -> String {
+    format!("{domain}/identity/connect/oidc-signin")
+}
+
 /// Generate the correct URL for the icon service.
 /// This will be used within icons.rs to call the external icon service.
 fn generate_icon_service_url(icon_service: &str) -> String {
@@ -1128,6 +1211,26 @@ fn smtp_convert_deprecated_ssl_options(smtp_ssl: Option<bool>, smtp_explicit_tls
     "starttls".to_string()
 }
 
+/// Allow to parse a list of Key/Values (Ex: `key1=value&key2=value2`)
+/// - line break are handled as `separator`
+fn parse_param_list(config: String, separator: char, kv_separator: char) -> Result<Vec<(String, String)>, Error> {
+    config
+        .lines()
+        .flat_map(|l| l.split(separator))
+        .map(|l| l.trim())
+        .filter(|l| !l.is_empty())
+        .map(|l| {
+            let split = l.split(kv_separator).collect::<Vec<&str>>();
+            match &split[..] {
+                [key, value] => Ok(((*key).to_string(), (*value).to_string())),
+                _ => {
+                    err!(format!("Failed to parse ({l}). Expected key{kv_separator}value"))
+                }
+            }
+        })
+        .collect()
+}
+
 impl Config {
     pub fn load() -> Result<Self, Error> {
         // Loading from env and file
@@ -1204,6 +1307,14 @@ impl Config {
         self.update_config(builder, false)
     }
 
+    // The `signups_allowed` setting is overrided if:
+    //  - The email whitelist is not empty (will allow signups).
+    //  - The sso is activated and password login is disabled (will disable signups).
+    pub fn is_signup_disabled(&self) -> bool {
+        (!self.signups_allowed() && self.signups_domains_whitelist().is_empty())
+            || (self.sso_enabled() && self.sso_only())
+    }
+
     /// Tests whether an email's domain is allowed. A domain is allowed if it
     /// is in signups_domains_whitelist, or if no whitelist is set (so there
     /// are no domain restrictions in effect).
@@ -1222,12 +1333,7 @@ impl Config {
     /// Tests whether signup is allowed for an email address, taking into
     /// account the signups_allowed and signups_domains_whitelist settings.
     pub fn is_signup_allowed(&self, email: &str) -> bool {
-        if !self.signups_domains_whitelist().is_empty() {
-            // The whitelist setting overrides the signups_allowed setting.
-            self.is_email_domain_allowed(email)
-        } else {
-            self.signups_allowed()
-        }
+        !self.is_signup_disabled() && self.is_email_domain_allowed(email)
     }
 
     /// Tests whether the specified user is allowed to create an organization.
@@ -1325,6 +1431,22 @@ impl Config {
             }
         }
     }
+
+    pub fn sso_issuer_url(&self) -> Result<openidconnect::IssuerUrl, Error> {
+        internal_sso_issuer_url(&self.sso_authority())
+    }
+
+    pub fn sso_redirect_url(&self) -> Result<openidconnect::RedirectUrl, Error> {
+        internal_sso_redirect_url(&self.sso_callback_path())
+    }
+
+    pub fn sso_scopes_vec(&self) -> Vec<String> {
+        self.sso_scopes().split_whitespace().map(str::to_string).collect()
+    }
+
+    pub fn sso_authorize_extra_params_vec(&self) -> Result<Vec<(String, String)>, Error> {
+        internal_sso_authorize_extra_params_vec(&self.sso_authorize_extra_params())
+    }
 }
 
 use handlebars::{
@@ -1388,6 +1510,7 @@ where
     reg!("email/send_org_invite", ".html");
     reg!("email/send_single_org_removed_from_org", ".html");
     reg!("email/smtp_test", ".html");
+    reg!("email/sso_change_email", ".html");
     reg!("email/twofactor_email", ".html");
     reg!("email/verify_email", ".html");
     reg!("email/welcome_must_verify", ".html");
@@ -1486,3 +1609,54 @@ handlebars::handlebars_helper!(webver: | web_vault_version: String |
 handlebars::handlebars_helper!(vwver: | vw_version: String |
     semver::VersionReq::parse(&vw_version).expect("Invalid Vaultwarden version compare string").matches(&VW_VERSION)
 );
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_param_list() {
+        let config = "key1=value&key2=value2&".to_string();
+        let parsed = parse_param_list(config, '&', '=');
+
+        assert_eq!(
+            parsed.unwrap(),
+            vec![("key1".to_string(), "value".to_string()), ("key2".to_string(), "value2".to_string())]
+        );
+    }
+
+    #[test]
+    fn test_parse_param_list_lines() {
+        let config = r#"
+        key1=value
+        key2=value2
+        "#
+        .to_string();
+        let parsed = parse_param_list(config, '&', '=');
+
+        assert_eq!(
+            parsed.unwrap(),
+            vec![("key1".to_string(), "value".to_string()), ("key2".to_string(), "value2".to_string())]
+        );
+    }
+
+    #[test]
+    fn test_parse_param_list_mixed() {
+        let config = r#"key1=value&key2=value2&
+        &key3=value3&&
+        &key4=value4
+        "#
+        .to_string();
+        let parsed = parse_param_list(config, '&', '=');
+
+        assert_eq!(
+            parsed.unwrap(),
+            vec![
+                ("key1".to_string(), "value".to_string()),
+                ("key2".to_string(), "value2".to_string()),
+                ("key3".to_string(), "value3".to_string()),
+                ("key4".to_string(), "value4".to_string()),
+            ]
+        );
+    }
+}

src/db/models/device.rs

@@ -1,9 +1,11 @@
 use chrono::{NaiveDateTime, Utc};
+
+use data_encoding::{BASE64, BASE64URL};
 use derive_more::{Display, From};
 use serde_json::Value;
 
 use super::{AuthRequest, UserId};
-use crate::{crypto, util::format_date, CONFIG};
+use crate::{crypto, util::format_date};
 use macros::IdFromParam;
 
 db_object! {
@@ -44,7 +46,7 @@ impl Device {
 
             push_uuid: None,
             push_token: None,
-            refresh_token: String::new(),
+            refresh_token: crypto::encode_random_bytes::<64>(BASE64URL),
             twofactor_remember: None,
         }
     }
@@ -62,7 +64,6 @@ impl Device {
     }
 
     pub fn refresh_twofactor_remember(&mut self) -> String {
-        use data_encoding::BASE64;
         let twofactor_remember = crypto::encode_random_bytes::<180>(BASE64);
         self.twofactor_remember = Some(twofactor_remember.clone());
 
@@ -73,61 +74,6 @@ impl Device {
         self.twofactor_remember = None;
     }
 
-    pub fn refresh_tokens(&mut self, user: &super::User, scope: Vec<String>) -> (String, i64) {
-        // If there is no refresh token, we create one
-        if self.refresh_token.is_empty() {
-            use data_encoding::BASE64URL;
-            self.refresh_token = crypto::encode_random_bytes::<64>(BASE64URL);
-        }
-
-        // Update the expiration of the device and the last update date
-        let time_now = Utc::now();
-        self.updated_at = time_now.naive_utc();
-
-        // ---
-        // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
-        // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
-        // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
-        // ---
-        // fn arg: members: Vec<super::Membership>,
-        // ---
-        // let orgowner: Vec<_> = members.iter().filter(|m| m.atype == 0).map(|o| o.org_uuid.clone()).collect();
-        // let orgadmin: Vec<_> = members.iter().filter(|m| m.atype == 1).map(|o| o.org_uuid.clone()).collect();
-        // let orguser: Vec<_> = members.iter().filter(|m| m.atype == 2).map(|o| o.org_uuid.clone()).collect();
-        // let orgmanager: Vec<_> = members.iter().filter(|m| m.atype == 3).map(|o| o.org_uuid.clone()).collect();
-
-        // Create the JWT claims struct, to send to the client
-        use crate::auth::{encode_jwt, LoginJwtClaims, DEFAULT_VALIDITY, JWT_LOGIN_ISSUER};
-        let claims = LoginJwtClaims {
-            nbf: time_now.timestamp(),
-            exp: (time_now + *DEFAULT_VALIDITY).timestamp(),
-            iss: JWT_LOGIN_ISSUER.to_string(),
-            sub: user.uuid.clone(),
-
-            premium: true,
-            name: user.name.clone(),
-            email: user.email.clone(),
-            email_verified: !CONFIG.mail_enabled() || user.verified_at.is_some(),
-
-            // ---
-            // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
-            // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
-            // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
-            // See: https://github.com/dani-garcia/vaultwarden/issues/4156
-            // ---
-            // orgowner,
-            // orgadmin,
-            // orguser,
-            // orgmanager,
-            sstamp: user.security_stamp.clone(),
-            device: self.uuid.clone(),
-            scope,
-            amr: vec!["Application".into()],
-        };
-
-        (encode_jwt(&claims), DEFAULT_VALIDITY.num_seconds())
-    }
-
     pub fn is_push_device(&self) -> bool {
         matches!(DeviceType::from_i32(self.atype), DeviceType::Android | DeviceType::Ios)
     }

src/db/models/mod.rs

@@ -11,6 +11,7 @@ mod group;
 mod org_policy;
 mod organization;
 mod send;
+mod sso_nonce;
 mod two_factor;
 mod two_factor_duo_context;
 mod two_factor_incomplete;
@@ -35,7 +36,8 @@ pub use self::send::{
     id::{SendFileId, SendId},
     Send, SendType,
 };
+pub use self::sso_nonce::SsoNonce;
 pub use self::two_factor::{TwoFactor, TwoFactorType};
 pub use self::two_factor_duo_context::TwoFactorDuoContext;
 pub use self::two_factor_incomplete::TwoFactorIncomplete;
-pub use self::user::{Invitation, User, UserId, UserKdfType, UserStampException};
+pub use self::user::{Invitation, SsoUser, User, UserId, UserKdfType, UserStampException};

src/db/models/org_policy.rs

@@ -63,12 +63,12 @@ pub enum OrgPolicyErr {
 
 /// Local methods
 impl OrgPolicy {
-    pub fn new(org_uuid: OrganizationId, atype: OrgPolicyType, data: String) -> Self {
+    pub fn new(org_uuid: OrganizationId, atype: OrgPolicyType, enabled: bool, data: String) -> Self {
         Self {
             uuid: OrgPolicyId(crate::util::get_uuid()),
             org_uuid,
             atype: atype as i32,
-            enabled: false,
+            enabled,
             data,
         }
     }
@@ -78,12 +78,11 @@ impl OrgPolicy {
     }
 
     pub fn to_json(&self) -> Value {
-        let data_json: Value = serde_json::from_str(&self.data).unwrap_or(Value::Null);
         json!({
             "id": self.uuid,
             "organizationId": self.org_uuid,
             "type": self.atype,
-            "data": data_json,
+            "data": serde_json::from_str(&self.data).unwrap_or(Value::Null),
             "enabled": self.enabled,
             "object": "policy",
         })
@@ -197,7 +196,7 @@ impl OrgPolicy {
     pub async fn find_accepted_and_confirmed_by_user_and_active_policy(
         user_uuid: &UserId,
         policy_type: OrgPolicyType,
-        conn: &mut DbConn,
+        conn: &DbConn,
     ) -> Vec<Self> {
         db_run! { conn: {
             org_policies::table

src/db/models/organization.rs

@@ -36,6 +36,8 @@ db_object! {
         pub user_uuid: UserId,
         pub org_uuid: OrganizationId,
 
+        pub invited_by_email: Option<String>,
+
         pub access_all: bool,
         pub akey: String,
         pub status: i32,
@@ -236,12 +238,13 @@ impl Organization {
 const ACTIVATE_REVOKE_DIFF: i32 = 128;
 
 impl Membership {
-    pub fn new(user_uuid: UserId, org_uuid: OrganizationId) -> Self {
+    pub fn new(user_uuid: UserId, org_uuid: OrganizationId, invited_by_email: Option<String>) -> Self {
         Self {
             uuid: MembershipId(crate::util::get_uuid()),
 
             user_uuid,
             org_uuid,
+            invited_by_email,
 
             access_all: false,
             akey: String::new(),
@@ -390,11 +393,36 @@ impl Organization {
         }}
     }
 
+    pub async fn find_by_name(name: &str, conn: &mut DbConn) -> Option<Self> {
+        db_run! { conn: {
+            organizations::table
+                .filter(organizations::name.eq(name))
+                .first::<OrganizationDb>(conn)
+                .ok().from_db()
+        }}
+    }
+
     pub async fn get_all(conn: &mut DbConn) -> Vec<Self> {
         db_run! { conn: {
             organizations::table.load::<OrganizationDb>(conn).expect("Error loading organizations").from_db()
         }}
     }
+
+    pub async fn find_main_org_user_email(user_email: &str, conn: &mut DbConn) -> Option<Organization> {
+        let lower_mail = user_email.to_lowercase();
+
+        db_run! { conn: {
+            organizations::table
+                .inner_join(users_organizations::table.on(users_organizations::org_uuid.eq(organizations::uuid)))
+                .inner_join(users::table.on(users::uuid.eq(users_organizations::user_uuid)))
+                .filter(users::email.eq(lower_mail))
+                .filter(users_organizations::status.ne(MembershipStatus::Revoked as i32))
+                .order(users_organizations::atype.asc())
+                .select(organizations::all_columns)
+                .first::<OrganizationDb>(conn)
+                .ok().from_db()
+        }}
+    }
 }
 
 impl Membership {
@@ -824,6 +852,19 @@ impl Membership {
         }}
     }
 
+    // Should be used only when email are disabled.
+    // In Organizations::send_invite status is set to Accepted only if the user has a password.
+    pub async fn accept_user_invitations(user_uuid: &UserId, conn: &mut DbConn) -> EmptyResult {
+        db_run! { conn: {
+            diesel::update(users_organizations::table)
+                .filter(users_organizations::user_uuid.eq(user_uuid))
+                .filter(users_organizations::status.eq(MembershipStatus::Invited as i32))
+                .set(users_organizations::status.eq(MembershipStatus::Accepted as i32))
+                .execute(conn)
+                .map_res("Error confirming invitations")
+        }}
+    }
+
     pub async fn find_any_state_by_user(user_uuid: &UserId, conn: &mut DbConn) -> Vec<Self> {
         db_run! { conn: {
             users_organizations::table
@@ -1085,6 +1126,17 @@ impl Membership {
             .first::<MembershipDb>(conn).ok().from_db()
         }}
     }
+
+    pub async fn find_main_user_org(user_uuid: &str, conn: &mut DbConn) -> Option<Self> {
+        db_run! { conn: {
+            users_organizations::table
+                .filter(users_organizations::user_uuid.eq(user_uuid))
+                .filter(users_organizations::status.ne(MembershipStatus::Revoked as i32))
+                .order(users_organizations::atype.asc())
+                .first::<MembershipDb>(conn)
+                .ok().from_db()
+        }}
+    }
 }
 
 impl OrganizationApiKey {

src/db/models/sso_nonce.rs

@@ -0,0 +1,89 @@
+use chrono::{NaiveDateTime, Utc};
+
+use crate::api::EmptyResult;
+use crate::db::{DbConn, DbPool};
+use crate::error::MapResult;
+use crate::sso::{OIDCState, NONCE_EXPIRATION};
+
+db_object! {
+    #[derive(Identifiable, Queryable, Insertable)]
+    #[diesel(table_name = sso_nonce)]
+    #[diesel(primary_key(state))]
+    pub struct SsoNonce {
+        pub state: OIDCState,
+        pub nonce: String,
+        pub verifier: Option<String>,
+        pub redirect_uri: String,
+        pub created_at: NaiveDateTime,
+    }
+}
+
+/// Local methods
+impl SsoNonce {
+    pub fn new(state: OIDCState, nonce: String, verifier: Option<String>, redirect_uri: String) -> Self {
+        let now = Utc::now().naive_utc();
+
+        SsoNonce {
+            state,
+            nonce,
+            verifier,
+            redirect_uri,
+            created_at: now,
+        }
+    }
+}
+
+/// Database methods
+impl SsoNonce {
+    pub async fn save(&self, conn: &mut DbConn) -> EmptyResult {
+        db_run! { conn:
+            sqlite, mysql {
+                diesel::replace_into(sso_nonce::table)
+                    .values(SsoNonceDb::to_db(self))
+                    .execute(conn)
+                    .map_res("Error saving SSO nonce")
+            }
+            postgresql {
+                let value = SsoNonceDb::to_db(self);
+                diesel::insert_into(sso_nonce::table)
+                    .values(&value)
+                    .execute(conn)
+                    .map_res("Error saving SSO nonce")
+            }
+        }
+    }
+
+    pub async fn delete(state: &OIDCState, conn: &mut DbConn) -> EmptyResult {
+        db_run! { conn: {
+            diesel::delete(sso_nonce::table.filter(sso_nonce::state.eq(state)))
+                .execute(conn)
+                .map_res("Error deleting SSO nonce")
+        }}
+    }
+
+    pub async fn find(state: &OIDCState, conn: &DbConn) -> Option<Self> {
+        let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
+        db_run! { conn: {
+            sso_nonce::table
+                .filter(sso_nonce::state.eq(state))
+                .filter(sso_nonce::created_at.ge(oldest))
+                .first::<SsoNonceDb>(conn)
+                .ok()
+                .from_db()
+        }}
+    }
+
+    pub async fn delete_expired(pool: DbPool) -> EmptyResult {
+        debug!("Purging expired sso_nonce");
+        if let Ok(conn) = pool.get().await {
+            let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
+            db_run! { conn: {
+                diesel::delete(sso_nonce::table.filter(sso_nonce::created_at.lt(oldest)))
+                    .execute(conn)
+                    .map_res("Error deleting expired SSO nonce")
+            }}
+        } else {
+            err!("Failed to get DB connection while purging expired sso_nonce")
+        }
+    }
+}

src/db/models/user.rs

@@ -10,13 +10,14 @@ use crate::{
     crypto,
     db::DbConn,
     error::MapResult,
+    sso::OIDCIdentifier,
     util::{format_date, get_uuid, retry},
     CONFIG,
 };
 use macros::UuidFromParam;
 
 db_object! {
-    #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
+    #[derive(Identifiable, Queryable, Insertable, AsChangeset, Selectable)]
     #[diesel(table_name = users)]
     #[diesel(treat_none_as_null = true)]
     #[diesel(primary_key(uuid))]
@@ -71,6 +72,14 @@ db_object! {
     pub struct Invitation {
         pub email: String,
     }
+
+    #[derive(Identifiable, Queryable, Insertable, Selectable)]
+    #[diesel(table_name = sso_users)]
+    #[diesel(primary_key(user_uuid))]
+    pub struct SsoUser {
+        pub user_uuid: UserId,
+        pub identifier: OIDCIdentifier,
+    }
 }
 
 pub enum UserKdfType {
@@ -96,7 +105,7 @@ impl User {
     pub const CLIENT_KDF_TYPE_DEFAULT: i32 = UserKdfType::Pbkdf2 as i32;
     pub const CLIENT_KDF_ITER_DEFAULT: i32 = 600_000;
 
-    pub fn new(email: String) -> Self {
+    pub fn new(email: String, name: Option<String>) -> Self {
         let now = Utc::now().naive_utc();
         let email = email.to_lowercase();
 
@@ -108,7 +117,7 @@ impl User {
             verified_at: None,
             last_verifying_at: None,
             login_verify_count: 0,
-            name: email.clone(),
+            name: name.unwrap_or(email.clone()),
             email,
             akey: String::new(),
             email_new: None,
@@ -478,3 +487,49 @@ impl Invitation {
 #[deref(forward)]
 #[from(forward)]
 pub struct UserId(String);
+
+impl SsoUser {
+    pub async fn save(&self, conn: &mut DbConn) -> EmptyResult {
+        db_run! { conn:
+            sqlite, mysql {
+                diesel::replace_into(sso_users::table)
+                    .values(SsoUserDb::to_db(self))
+                    .execute(conn)
+                    .map_res("Error saving SSO user")
+            }
+            postgresql {
+                let value = SsoUserDb::to_db(self);
+                diesel::insert_into(sso_users::table)
+                    .values(&value)
+                    .execute(conn)
+                    .map_res("Error saving SSO user")
+            }
+        }
+    }
+
+    pub async fn find_by_identifier(identifier: &str, conn: &DbConn) -> Option<(User, SsoUser)> {
+        db_run! {conn: {
+            users::table
+                .inner_join(sso_users::table)
+                .select(<(UserDb, SsoUserDb)>::as_select())
+                .filter(sso_users::identifier.eq(identifier))
+                .first::<(UserDb, SsoUserDb)>(conn)
+                .ok()
+                .map(|(user, sso_user)| { (user.from_db(), sso_user.from_db()) })
+        }}
+    }
+
+    pub async fn find_by_mail(mail: &str, conn: &DbConn) -> Option<(User, Option<SsoUser>)> {
+        let lower_mail = mail.to_lowercase();
+
+        db_run! {conn: {
+            users::table
+                .left_join(sso_users::table)
+                .select(<(UserDb, Option<SsoUserDb>)>::as_select())
+                .filter(users::email.eq(lower_mail))
+                .first::<(UserDb, Option<SsoUserDb>)>(conn)
+                .ok()
+                .map(|(user, sso_user)| { (user.from_db(), sso_user.from_db()) })
+        }}
+    }
+}

src/db/schemas/mysql/schema.rs

@@ -235,6 +235,7 @@ table! {
         uuid -> Text,
         user_uuid -> Text,
         org_uuid -> Text,
+        invited_by_email -> Nullable<Text>,
         access_all -> Bool,
         akey -> Text,
         status -> Integer,
@@ -254,6 +255,23 @@ table! {
     }
 }
 
+table! {
+    sso_nonce (state) {
+        state -> Text,
+        nonce -> Text,
+        verifier -> Nullable<Text>,
+        redirect_uri -> Text,
+        created_at -> Timestamp,
+    }
+}
+
+table! {
+    sso_users (user_uuid) {
+        user_uuid -> Text,
+        identifier -> Text,
+    }
+}
+
 table! {
     emergency_access (uuid) {
         uuid -> Text,
@@ -348,6 +366,7 @@ joinable!(collections_groups -> collections (collections_uuid));
 joinable!(collections_groups -> groups (groups_uuid));
 joinable!(event -> users_organizations (uuid));
 joinable!(auth_requests -> users (user_uuid));
+joinable!(sso_users -> users (user_uuid));
 
 allow_tables_to_appear_in_same_query!(
     attachments,
@@ -361,6 +380,7 @@ allow_tables_to_appear_in_same_query!(
     org_policies,
     organizations,
     sends,
+    sso_users,
     twofactor,
     users,
     users_collections,

src/db/schemas/postgresql/schema.rs

@@ -235,6 +235,7 @@ table! {
         uuid -> Text,
         user_uuid -> Text,
         org_uuid -> Text,
+        invited_by_email -> Nullable<Text>,
         access_all -> Bool,
         akey -> Text,
         status -> Integer,
@@ -254,6 +255,23 @@ table! {
     }
 }
 
+table! {
+    sso_nonce (state) {
+        state -> Text,
+        nonce -> Text,
+        verifier -> Nullable<Text>,
+        redirect_uri -> Text,
+        created_at -> Timestamp,
+    }
+}
+
+table! {
+    sso_users (user_uuid) {
+        user_uuid -> Text,
+        identifier -> Text,
+    }
+}
+
 table! {
     emergency_access (uuid) {
         uuid -> Text,
@@ -348,6 +366,7 @@ joinable!(collections_groups -> collections (collections_uuid));
 joinable!(collections_groups -> groups (groups_uuid));
 joinable!(event -> users_organizations (uuid));
 joinable!(auth_requests -> users (user_uuid));
+joinable!(sso_users -> users (user_uuid));
 
 allow_tables_to_appear_in_same_query!(
     attachments,
@@ -361,6 +380,7 @@ allow_tables_to_appear_in_same_query!(
     org_policies,
     organizations,
     sends,
+    sso_users,
     twofactor,
     users,
     users_collections,

src/db/schemas/sqlite/schema.rs

@@ -235,6 +235,7 @@ table! {
         uuid -> Text,
         user_uuid -> Text,
         org_uuid -> Text,
+        invited_by_email -> Nullable<Text>,
         access_all -> Bool,
         akey -> Text,
         status -> Integer,
@@ -254,6 +255,23 @@ table! {
     }
 }
 
+table! {
+    sso_nonce (state) {
+        state -> Text,
+        nonce -> Text,
+        verifier -> Nullable<Text>,
+        redirect_uri -> Text,
+        created_at -> Timestamp,
+    }
+}
+
+table! {
+    sso_users (user_uuid) {
+        user_uuid -> Text,
+        identifier -> Text,
+    }
+}
+
 table! {
     emergency_access (uuid) {
         uuid -> Text,
@@ -348,6 +366,7 @@ joinable!(collections_groups -> collections (collections_uuid));
 joinable!(collections_groups -> groups (groups_uuid));
 joinable!(event -> users_organizations (uuid));
 joinable!(auth_requests -> users (user_uuid));
+joinable!(sso_users -> users (user_uuid));
 
 allow_tables_to_appear_in_same_query!(
     attachments,
@@ -361,6 +380,7 @@ allow_tables_to_appear_in_same_query!(
     org_policies,
     organizations,
     sends,
+    sso_users,
     twofactor,
     users,
     users_collections,

src/error.rs

@@ -147,6 +147,10 @@ impl Error {
     pub fn get_event(&self) -> &Option<ErrorEvent> {
         &self.event
     }
+
+    pub fn message(&self) -> &str {
+        &self.message
+    }
 }
 
 pub trait MapResult<S> {
@@ -251,9 +255,15 @@ macro_rules! err_silent {
     ($msg:expr) => {{
         return Err($crate::error::Error::new($msg, $msg));
     }};
+    ($msg:expr, ErrorEvent $err_event:tt) => {{
+        return Err($crate::error::Error::new($msg, $msg).with_event($crate::error::ErrorEvent $err_event));
+    }};
     ($usr_msg:expr, $log_value:expr) => {{
         return Err($crate::error::Error::new($usr_msg, $log_value));
     }};
+    ($usr_msg:expr, $log_value:expr, ErrorEvent $err_event:tt) => {{
+        return Err($crate::error::Error::new($usr_msg, $log_value).with_event($crate::error::ErrorEvent $err_event));
+    }};
 }
 
 #[macro_export]

src/mail.rs

@@ -280,7 +280,11 @@ pub async fn send_invite(
             .append_pair("organizationId", &org_id)
             .append_pair("organizationUserId", &member_id)
             .append_pair("token", &invite_token);
-        if user.private_key.is_some() {
+
+        if CONFIG.sso_enabled() && CONFIG.sso_only() {
+            query_params.append_pair("orgUserHasExistingUser", "false");
+            query_params.append_pair("orgSsoIdentifier", org_name);
+        } else if user.private_key.is_some() {
             query_params.append_pair("orgUserHasExistingUser", "true");
         }
     }
@@ -549,6 +553,18 @@ pub async fn send_change_email(address: &str, token: &str) -> EmptyResult {
     send_email(address, &subject, body_html, body_text).await
 }
 
+pub async fn send_sso_change_email(address: &str) -> EmptyResult {
+    let (subject, body_html, body_text) = get_text(
+        "email/sso_change_email",
+        json!({
+            "url": format!("{}/#/settings/account", CONFIG.domain()),
+            "img_src": CONFIG._smtp_img_src(),
+        }),
+    )?;
+
+    send_email(address, &subject, body_html, body_text).await
+}
+
 pub async fn send_test(address: &str) -> EmptyResult {
     let (subject, body_html, body_text) = get_text(
         "email/smtp_test",

src/main.rs

@@ -56,6 +56,7 @@ mod db;
 mod http_client;
 mod mail;
 mod ratelimit;
+mod sso;
 mod util;
 
 use crate::api::core::two_factor::duo_oidc::purge_duo_contexts;
@@ -699,6 +700,13 @@ fn schedule_jobs(pool: db::DbPool) {
                 }));
             }
 
+            // Purge sso nonce from incomplete flow (default to daily at 00h20).
+            if !CONFIG.purge_incomplete_sso_nonce().is_empty() {
+                sched.add(Job::new(CONFIG.purge_incomplete_sso_nonce().parse().unwrap(), || {
+                    runtime.spawn(db::models::SsoNonce::delete_expired(pool.clone()));
+                }));
+            }
+
             // Periodically check for jobs to run. We probably won't need any
             // jobs that run more often than once a minute, so a default poll
             // interval of 30 seconds should be sufficient. Users who want to

src/sso.rs

@@ -0,0 +1,648 @@
+use chrono::Utc;
+use derive_more::{AsRef, Deref, Display, From};
+use regex::Regex;
+use std::borrow::Cow;
+use std::time::Duration;
+use url::Url;
+
+use mini_moka::sync::Cache;
+use once_cell::sync::Lazy;
+use openidconnect::core::{
+    CoreClient, CoreIdTokenVerifier, CoreProviderMetadata, CoreResponseType, CoreUserInfoClaims,
+};
+use openidconnect::reqwest;
+use openidconnect::{
+    AccessToken, AuthDisplay, AuthPrompt, AuthenticationFlow, AuthorizationCode, AuthorizationRequest, ClientId,
+    ClientSecret, CsrfToken, EndpointNotSet, EndpointSet, Nonce, OAuth2TokenResponse, PkceCodeChallenge,
+    PkceCodeVerifier, RefreshToken, ResponseType, Scope,
+};
+
+use crate::{
+    api::ApiResult,
+    auth,
+    auth::{AuthMethod, AuthTokens, TokenWrapper, BW_EXPIRATION, DEFAULT_REFRESH_VALIDITY},
+    db::{
+        models::{Device, SsoNonce, User},
+        DbConn,
+    },
+    CONFIG,
+};
+
+pub static FAKE_IDENTIFIER: &str = "Vaultwarden";
+
+static AC_CACHE: Lazy<Cache<OIDCState, AuthenticatedUser>> =
+    Lazy::new(|| Cache::builder().max_capacity(1000).time_to_live(Duration::from_secs(10 * 60)).build());
+
+static CLIENT_CACHE_KEY: Lazy<String> = Lazy::new(|| "sso-client".to_string());
+static CLIENT_CACHE: Lazy<Cache<String, Client>> = Lazy::new(|| {
+    Cache::builder().max_capacity(1).time_to_live(Duration::from_secs(CONFIG.sso_client_cache_expiration())).build()
+});
+
+static SSO_JWT_ISSUER: Lazy<String> = Lazy::new(|| format!("{}|sso", CONFIG.domain_origin()));
+
+pub static NONCE_EXPIRATION: Lazy<chrono::Duration> = Lazy::new(|| chrono::TimeDelta::try_minutes(10).unwrap());
+
+trait AuthorizationRequestExt<'a> {
+    fn add_extra_params<N: Into<Cow<'a, str>>, V: Into<Cow<'a, str>>>(self, params: Vec<(N, V)>) -> Self;
+}
+
+impl<'a, AD: AuthDisplay, P: AuthPrompt, RT: ResponseType> AuthorizationRequestExt<'a>
+    for AuthorizationRequest<'a, AD, P, RT>
+{
+    fn add_extra_params<N: Into<Cow<'a, str>>, V: Into<Cow<'a, str>>>(mut self, params: Vec<(N, V)>) -> Self {
+        for (key, value) in params {
+            self = self.add_extra_param(key, value);
+        }
+        self
+    }
+}
+
+#[derive(
+    Clone,
+    Debug,
+    Default,
+    DieselNewType,
+    FromForm,
+    PartialEq,
+    Eq,
+    Hash,
+    Serialize,
+    Deserialize,
+    AsRef,
+    Deref,
+    Display,
+    From,
+)]
+#[deref(forward)]
+#[from(forward)]
+pub struct OIDCCode(String);
+
+#[derive(
+    Clone,
+    Debug,
+    Default,
+    DieselNewType,
+    FromForm,
+    PartialEq,
+    Eq,
+    Hash,
+    Serialize,
+    Deserialize,
+    AsRef,
+    Deref,
+    Display,
+    From,
+)]
+#[deref(forward)]
+#[from(forward)]
+pub struct OIDCState(String);
+
+#[derive(Debug, Serialize, Deserialize)]
+struct SsoTokenJwtClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,
+}
+
+pub fn encode_ssotoken_claims() -> String {
+    let time_now = Utc::now();
+    let claims = SsoTokenJwtClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + chrono::TimeDelta::try_minutes(2).unwrap()).timestamp(),
+        iss: SSO_JWT_ISSUER.to_string(),
+        sub: "vaultwarden".to_string(),
+    };
+
+    auth::encode_jwt(&claims)
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum OIDCCodeWrapper {
+    Ok {
+        state: OIDCState,
+        code: OIDCCode,
+    },
+    Error {
+        state: OIDCState,
+        error: String,
+        error_description: Option<String>,
+    },
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct OIDCCodeClaims {
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+
+    pub code: OIDCCodeWrapper,
+}
+
+pub fn encode_code_claims(code: OIDCCodeWrapper) -> String {
+    let time_now = Utc::now();
+    let claims = OIDCCodeClaims {
+        exp: (time_now + chrono::TimeDelta::try_minutes(5).unwrap()).timestamp(),
+        iss: SSO_JWT_ISSUER.to_string(),
+        code,
+    };
+
+    auth::encode_jwt(&claims)
+}
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+struct BasicTokenClaims {
+    iat: Option<i64>,
+    nbf: Option<i64>,
+    exp: i64,
+}
+
+impl BasicTokenClaims {
+    fn nbf(&self) -> i64 {
+        self.nbf.or(self.iat).unwrap_or_else(|| Utc::now().timestamp())
+    }
+}
+
+fn decode_token_claims(token_name: &str, token: &str) -> ApiResult<BasicTokenClaims> {
+    let mut validation = jsonwebtoken::Validation::default();
+    validation.set_issuer(&[CONFIG.sso_authority()]);
+    validation.insecure_disable_signature_validation();
+    validation.validate_aud = false;
+
+    match jsonwebtoken::decode(token, &jsonwebtoken::DecodingKey::from_secret(&[]), &validation) {
+        Ok(btc) => Ok(btc.claims),
+        Err(err) => err_silent!(format!("Failed to decode basic token claims from {token_name}: {err}")),
+    }
+}
+
+#[derive(Clone)]
+struct Client {
+    http_client: reqwest::Client,
+    core_client: CoreClient<EndpointSet, EndpointNotSet, EndpointNotSet, EndpointNotSet, EndpointSet, EndpointSet>,
+}
+
+impl Client {
+    // Call the OpenId discovery endpoint to retrieve configuration
+    async fn _get_client() -> ApiResult<Self> {
+        let client_id = ClientId::new(CONFIG.sso_client_id());
+        let client_secret = ClientSecret::new(CONFIG.sso_client_secret());
+
+        let issuer_url = CONFIG.sso_issuer_url()?;
+
+        let http_client = match reqwest::ClientBuilder::new().redirect(reqwest::redirect::Policy::none()).build() {
+            Err(err) => err!(format!("Failed to build http client: {err}")),
+            Ok(client) => client,
+        };
+
+        let provider_metadata = match CoreProviderMetadata::discover_async(issuer_url, &http_client).await {
+            Err(err) => err!(format!("Failed to discover OpenID provider: {err}")),
+            Ok(metadata) => metadata,
+        };
+
+        let base_client = CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret));
+
+        let token_uri = match base_client.token_uri() {
+            Some(uri) => uri.clone(),
+            None => err!("Failed to discover token_url, cannot proceed"),
+        };
+
+        let user_info_url = match base_client.user_info_url() {
+            Some(url) => url.clone(),
+            None => err!("Failed to discover user_info url, cannot proceed"),
+        };
+
+        let core_client = base_client
+            .set_redirect_uri(CONFIG.sso_redirect_url()?)
+            .set_token_uri(token_uri)
+            .set_user_info_url(user_info_url);
+
+        Ok(Client {
+            http_client,
+            core_client,
+        })
+    }
+
+    // Simple cache to prevent recalling the discovery endpoint each time
+    async fn cached() -> ApiResult<Self> {
+        if CONFIG.sso_client_cache_expiration() > 0 {
+            match CLIENT_CACHE.get(&*CLIENT_CACHE_KEY) {
+                Some(client) => Ok(client),
+                None => Self::_get_client().await.inspect(|client| {
+                    debug!("Inserting new client in cache");
+                    CLIENT_CACHE.insert(CLIENT_CACHE_KEY.clone(), client.clone());
+                }),
+            }
+        } else {
+            Self::_get_client().await
+        }
+    }
+
+    async fn user_info(&self, access_token: AccessToken) -> ApiResult<CoreUserInfoClaims> {
+        match self.core_client.user_info(access_token, None).request_async(&self.http_client).await {
+            Err(err) => err!(format!("Request to user_info endpoint failed: {err}")),
+            Ok(user_info) => Ok(user_info),
+        }
+    }
+
+    fn vw_id_token_verifier(&self) -> CoreIdTokenVerifier<'_> {
+        let mut verifier = self.core_client.id_token_verifier();
+        if let Some(regex_str) = CONFIG.sso_audience_trusted() {
+            match Regex::new(&regex_str) {
+                Ok(regex) => {
+                    verifier = verifier.set_other_audience_verifier_fn(move |aud| regex.is_match(aud));
+                }
+                Err(err) => {
+                    error!("Failed to parse SSO_AUDIENCE_TRUSTED={regex_str} regex: {err}");
+                }
+            }
+        }
+        verifier
+    }
+}
+
+pub fn deocde_state(base64_state: String) -> ApiResult<OIDCState> {
+    let state = match data_encoding::BASE64.decode(base64_state.as_bytes()) {
+        Ok(vec) => match String::from_utf8(vec) {
+            Ok(valid) => OIDCState(valid),
+            Err(_) => err!(format!("Invalid utf8 chars in {base64_state} after base64 decoding")),
+        },
+        Err(_) => err!(format!("Failed to decode {base64_state} using base64")),
+    };
+
+    Ok(state)
+}
+
+// The `nonce` allow to protect against replay attacks
+// The `state` is encoded using base64 to ensure no issue with providers (It contains the Organization identifier).
+// redirect_uri from: https://github.com/bitwarden/server/blob/main/src/Identity/IdentityServer/ApiClient.cs
+pub async fn authorize_url(
+    state: OIDCState,
+    client_id: &str,
+    raw_redirect_uri: &str,
+    mut conn: DbConn,
+) -> ApiResult<Url> {
+    let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
+    let base64_state = data_encoding::BASE64.encode(state.to_string().as_bytes());
+
+    let redirect_uri = match client_id {
+        "web" | "browser" => format!("{}/sso-connector.html", CONFIG.domain()),
+        "desktop" | "mobile" => "bitwarden://sso-callback".to_string(),
+        "cli" => {
+            let port_regex = Regex::new(r"^http://localhost:([0-9]{4})$").unwrap();
+            match port_regex.captures(raw_redirect_uri).and_then(|captures| captures.get(1).map(|c| c.as_str())) {
+                Some(port) => format!("http://localhost:{}", port),
+                None => err!("Failed to extract port number"),
+            }
+        }
+        _ => err!(format!("Unsupported client {client_id}")),
+    };
+
+    let client = Client::cached().await?;
+    let mut auth_req = client
+        .core_client
+        .authorize_url(
+            AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
+            || CsrfToken::new(base64_state),
+            Nonce::new_random,
+        )
+        .add_scopes(scopes)
+        .add_extra_params(CONFIG.sso_authorize_extra_params_vec()?);
+
+    let verifier = if CONFIG.sso_pkce() {
+        let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
+        auth_req = auth_req.set_pkce_challenge(pkce_challenge);
+        Some(pkce_verifier.secret().to_string())
+    } else {
+        None
+    };
+
+    let (auth_url, _, nonce) = auth_req.url();
+
+    let sso_nonce = SsoNonce::new(state, nonce.secret().to_string(), verifier, redirect_uri);
+    sso_nonce.save(&mut conn).await?;
+
+    Ok(auth_url)
+}
+
+#[derive(
+    Clone,
+    Debug,
+    Default,
+    DieselNewType,
+    FromForm,
+    PartialEq,
+    Eq,
+    Hash,
+    Serialize,
+    Deserialize,
+    AsRef,
+    Deref,
+    Display,
+    From,
+)]
+#[deref(forward)]
+#[from(forward)]
+pub struct OIDCIdentifier(String);
+
+impl OIDCIdentifier {
+    fn new(issuer: &str, subject: &str) -> Self {
+        OIDCIdentifier(format!("{}/{}", issuer, subject))
+    }
+}
+
+#[derive(Clone, Debug)]
+pub struct AuthenticatedUser {
+    pub refresh_token: Option<String>,
+    pub access_token: String,
+    pub expires_in: Option<Duration>,
+    pub identifier: OIDCIdentifier,
+    pub email: String,
+    pub email_verified: Option<bool>,
+    pub user_name: Option<String>,
+}
+
+#[derive(Clone, Debug)]
+pub struct UserInformation {
+    pub state: OIDCState,
+    pub identifier: OIDCIdentifier,
+    pub email: String,
+    pub email_verified: Option<bool>,
+    pub user_name: Option<String>,
+}
+
+async fn decode_code_claims(code: &str, conn: &mut DbConn) -> ApiResult<(OIDCCode, OIDCState)> {
+    match auth::decode_jwt::<OIDCCodeClaims>(code, SSO_JWT_ISSUER.to_string()) {
+        Ok(code_claims) => match code_claims.code {
+            OIDCCodeWrapper::Ok {
+                state,
+                code,
+            } => Ok((code, state)),
+            OIDCCodeWrapper::Error {
+                state,
+                error,
+                error_description,
+            } => {
+                if let Err(err) = SsoNonce::delete(&state, conn).await {
+                    error!("Failed to delete database sso_nonce using {state}: {err}")
+                }
+                err!(format!(
+                    "SSO authorization failed: {error}, {}",
+                    error_description.as_ref().unwrap_or(&String::new())
+                ))
+            }
+        },
+        Err(err) => err!(format!("Failed to decode code wrapper: {err}")),
+    }
+}
+
+// During the 2FA flow we will
+//  - retrieve the user information and then only discover he needs 2FA.
+//  - second time we will rely on the `AC_CACHE` since the `code` has already been exchanged.
+// The `nonce` will ensure that the user is authorized only once.
+// We return only the `UserInformation` to force calling `redeem` to obtain the `refresh_token`.
+pub async fn exchange_code(wrapped_code: &str, conn: &mut DbConn) -> ApiResult<UserInformation> {
+    let (code, state) = decode_code_claims(wrapped_code, conn).await?;
+
+    if let Some(authenticated_user) = AC_CACHE.get(&state) {
+        return Ok(UserInformation {
+            state,
+            identifier: authenticated_user.identifier,
+            email: authenticated_user.email,
+            email_verified: authenticated_user.email_verified,
+            user_name: authenticated_user.user_name,
+        });
+    }
+
+    let oidc_code = AuthorizationCode::new(code.to_string());
+    let client = Client::cached().await?;
+
+    let nonce = match SsoNonce::find(&state, conn).await {
+        None => err!(format!("Invalid state cannot retrieve nonce")),
+        Some(nonce) => nonce,
+    };
+
+    let mut exchange = client.core_client.exchange_code(oidc_code);
+
+    if CONFIG.sso_pkce() {
+        match nonce.verifier {
+            None => err!(format!("Missing verifier in the DB nonce table")),
+            Some(secret) => exchange = exchange.set_pkce_verifier(PkceCodeVerifier::new(secret)),
+        }
+    }
+
+    match exchange.request_async(&client.http_client).await {
+        Ok(token_response) => {
+            let user_info = client.user_info(token_response.access_token().to_owned()).await?;
+            let oidc_nonce = Nonce::new(nonce.nonce.clone());
+
+            let id_token = match token_response.extra_fields().id_token() {
+                None => err!("Token response did not contain an id_token"),
+                Some(token) => token,
+            };
+
+            if CONFIG.sso_debug_tokens() {
+                debug!("Id token: {}", id_token.to_string());
+                debug!("Access token: {}", token_response.access_token().secret().to_string());
+                debug!("Refresh token: {:?}", token_response.refresh_token().map(|t| t.secret().to_string()));
+                debug!("Expiration time: {:?}", token_response.expires_in());
+            }
+
+            let id_claims = match id_token.claims(&client.vw_id_token_verifier(), &oidc_nonce) {
+                Ok(claims) => claims,
+                Err(err) => {
+                    if CONFIG.sso_client_cache_expiration() > 0 {
+                        CLIENT_CACHE.invalidate(&*CLIENT_CACHE_KEY);
+                    }
+                    err!(format!("Could not read id_token claims, {err}"));
+                }
+            };
+
+            let email = match id_claims.email() {
+                Some(email) => email.to_string(),
+                None => match user_info.email() {
+                    None => err!("Neither id token nor userinfo contained an email"),
+                    Some(email) => email.to_owned().to_string(),
+                },
+            }
+            .to_lowercase();
+
+            let user_name = user_info.preferred_username().map(|un| un.to_string());
+
+            let refresh_token = token_response.refresh_token().map(|t| t.secret().to_string());
+            if refresh_token.is_none() && CONFIG.sso_scopes_vec().contains(&"offline_access".to_string()) {
+                error!("Scope offline_access is present but response contain no refresh_token");
+            }
+
+            let identifier = OIDCIdentifier::new(id_claims.issuer(), id_claims.subject());
+
+            let authenticated_user = AuthenticatedUser {
+                refresh_token,
+                access_token: token_response.access_token().secret().to_string(),
+                expires_in: token_response.expires_in(),
+                identifier: identifier.clone(),
+                email: email.clone(),
+                email_verified: id_claims.email_verified(),
+                user_name: user_name.clone(),
+            };
+
+            AC_CACHE.insert(state.clone(), authenticated_user.clone());
+
+            Ok(UserInformation {
+                state,
+                identifier,
+                email,
+                email_verified: id_claims.email_verified(),
+                user_name,
+            })
+        }
+        Err(err) => err!(format!("Failed to contact token endpoint: {err}")),
+    }
+}
+
+// User has passed 2FA flow we can delete `nonce` and clear the cache.
+pub async fn redeem(state: &OIDCState, conn: &mut DbConn) -> ApiResult<AuthenticatedUser> {
+    if let Err(err) = SsoNonce::delete(state, conn).await {
+        error!("Failed to delete database sso_nonce using {state}: {err}")
+    }
+
+    if let Some(au) = AC_CACHE.get(state) {
+        AC_CACHE.invalidate(state);
+        Ok(au)
+    } else {
+        err!("Failed to retrieve user info from sso cache")
+    }
+}
+
+// We always return a refresh_token (with no refresh_token some secrets are not displayed in the web front).
+// If there is no SSO refresh_token, we keep the access_token to be able to call user_info to check for validity
+pub fn create_auth_tokens(
+    device: &Device,
+    user: &User,
+    refresh_token: Option<String>,
+    access_token: &str,
+    expires_in: Option<Duration>,
+) -> ApiResult<AuthTokens> {
+    if !CONFIG.sso_auth_only_not_session() {
+        let now = Utc::now();
+
+        let (ap_nbf, ap_exp) = match (decode_token_claims("access_token", access_token), expires_in) {
+            (Ok(ap), _) => (ap.nbf(), ap.exp),
+            (Err(_), Some(exp)) => (now.timestamp(), (now + exp).timestamp()),
+            _ => err!("Non jwt access_token and empty expires_in"),
+        };
+
+        let access_claims = auth::LoginJwtClaims::new(device, user, ap_nbf, ap_exp, AuthMethod::Sso.scope_vec(), now);
+
+        _create_auth_tokens(device, refresh_token, access_claims, access_token)
+    } else {
+        Ok(AuthTokens::new(device, user, AuthMethod::Sso))
+    }
+}
+
+fn _create_auth_tokens(
+    device: &Device,
+    refresh_token: Option<String>,
+    access_claims: auth::LoginJwtClaims,
+    access_token: &str,
+) -> ApiResult<AuthTokens> {
+    let (nbf, exp, token) = if let Some(rt) = refresh_token.as_ref() {
+        match decode_token_claims("refresh_token", rt) {
+            Err(_) => {
+                let time_now = Utc::now();
+                let exp = (time_now + *DEFAULT_REFRESH_VALIDITY).timestamp();
+                debug!("Non jwt refresh_token (expiration set to {})", exp);
+                (time_now.timestamp(), exp, TokenWrapper::Refresh(rt.to_string()))
+            }
+            Ok(refresh_payload) => {
+                debug!("Refresh_payload: {:?}", refresh_payload);
+                (refresh_payload.nbf(), refresh_payload.exp, TokenWrapper::Refresh(rt.to_string()))
+            }
+        }
+    } else {
+        debug!("No refresh_token present");
+        (access_claims.nbf, access_claims.exp, TokenWrapper::Access(access_token.to_string()))
+    };
+
+    let refresh_claims = auth::RefreshJwtClaims {
+        nbf,
+        exp,
+        iss: auth::JWT_LOGIN_ISSUER.to_string(),
+        sub: AuthMethod::Sso,
+        device_token: device.refresh_token.clone(),
+        token: Some(token),
+    };
+
+    Ok(AuthTokens {
+        refresh_claims,
+        access_claims,
+    })
+}
+
+// This endpoint is called in two case
+//  - the session is close to expiration we will try to extend it
+//  - the user is going to make an action and we check that the session is still valid
+pub async fn exchange_refresh_token(
+    device: &Device,
+    user: &User,
+    refresh_claims: &auth::RefreshJwtClaims,
+) -> ApiResult<AuthTokens> {
+    match &refresh_claims.token {
+        Some(TokenWrapper::Refresh(refresh_token)) => {
+            let rt = RefreshToken::new(refresh_token.to_string());
+
+            let client = Client::cached().await?;
+
+            let token_response =
+                match client.core_client.exchange_refresh_token(&rt).request_async(&client.http_client).await {
+                    Err(err) => err!(format!("Request to exchange_refresh_token endpoint failed: {:?}", err)),
+                    Ok(token_response) => token_response,
+                };
+
+            // Use new refresh_token if returned
+            let rolled_refresh_token = token_response
+                .refresh_token()
+                .map(|token| token.secret().to_string())
+                .unwrap_or(refresh_token.to_string());
+
+            create_auth_tokens(
+                device,
+                user,
+                Some(rolled_refresh_token),
+                token_response.access_token().secret(),
+                token_response.expires_in(),
+            )
+        }
+        Some(TokenWrapper::Access(access_token)) => {
+            let now = Utc::now();
+            let exp_limit = (now + *BW_EXPIRATION).timestamp();
+
+            if refresh_claims.exp < exp_limit {
+                err_silent!("Access token is close to expiration but we have no refresh token")
+            }
+
+            let client = Client::cached().await?;
+            match client.user_info(AccessToken::new(access_token.to_string())).await {
+                Err(err) => {
+                    err_silent!(format!("Failed to retrieve user info, token has probably been invalidated: {err}"))
+                }
+                Ok(_) => {
+                    let access_claims = auth::LoginJwtClaims::new(
+                        device,
+                        user,
+                        now.timestamp(),
+                        refresh_claims.exp,
+                        AuthMethod::Sso.scope_vec(),
+                        now,
+                    );
+                    _create_auth_tokens(device, None, access_claims, access_token)
+                }
+            }
+        }
+        None => err!("No token present while in SSO"),
+    }
+}

src/static/templates/email/send_org_invite.html.hbs

@@ -9,7 +9,7 @@ Join {{{org_name}}}
    </tr>
    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-         <a href="{{{url}}}"
+         <a data-testid="invite" href="{{{url}}}"
             clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
          Join Organization Now
          </a>

src/static/templates/email/sso_change_email.hbs

@@ -0,0 +1,4 @@
+Your Email Changed
+<!---------------->
+Your email was changed in your SSO Provider. Please update your email in Account Settings ({{url}}).
+{{> email/email_footer_text }}

src/static/templates/email/sso_change_email.html.hbs

@@ -0,0 +1,11 @@
+Your Email Changed
+<!---------------->
+{{> email/email_header }}
+<table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+   <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+      <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+         Your email was changed in your SSO Provider. Please update your email in <a href="{{url}}/">Account Settings</a>.
+      </td>
+   </tr>
+</table>
+{{> email/email_footer }}

src/static/templates/email/twofactor_email.html.hbs

@@ -4,7 +4,7 @@ Vaultwarden Login Verification Code
 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
-            Your two-step verification code is: <b>{{token}}</b>
+            Your two-step verification code is: <b data-testid="2fa">{{token}}</b>
         </td>
     </tr>
     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">

src/static/templates/email/verify_email.html.hbs

@@ -9,7 +9,7 @@ Verify Your Email
    </tr>
    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-         <a href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}"
+         <a data-testid="verify" href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}"
             clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
          Verify Email Address Now
          </a>