rhino/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-03-22 09:49:20 -07:00
Code Issues Packages Projects Releases Wiki Activity

Add openid scope - this is a mandatory scope for OIDC to work

Tommy
2026-02-22 10:46:06 -07:00
parent 2309a70c10
commit e153ccb429
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
Enabling-SSO-support-using-OpenId-Connect.md

@@ -18,7 +18,7 @@ The following configurations are available
- The URL must not include the `/.well-known/openid-configuration`
- `${SSO_AUTHORITY}/.well-known/openid-configuration` must return a JSON document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse (with an [HTTP status code 200 OK](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse:~:text=A%20successful%20response%20MUST%20use%20the%20200%20OK%20HTTP%20status%20code)!)
- `SSO_AUTHORITY` has to match the exact value of the `issuer` field that is returned by that JSON (so take the `issuer` value of the file if you are unsure whether to include a trailing slash or not).
- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `email profile`)
- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `openid profile email`)
- `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
- `SSO_PKCE`: Activate PKCE for the Auth Code flow (default `true`).
- `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
@@ -105,7 +105,7 @@ Or for a specific client in `Clients / Client details / Advanced / Advanced sett
Server configuration:
- `SSO_AUTHORITY=https://${keycloak_domain}/realms/${realm_name}`
- `SSO_SCOPES=email profile offline_access`
- `SSO_SCOPES=openid profile email offline_access`
- `SSO_CLIENT_ID`
- `SSO_CLIENT_SECRET`
@@ -129,7 +129,7 @@ To obtain a `refresh_token` to be able to extend session you'll need to add the
Config will look like:
- `SSO_SCOPES=email profile offline_access`
- `SSO_SCOPES=openid profile email offline_access`
## Authentik
@@ -143,7 +143,7 @@ Starting with `2024.2` version you will need to add the `offline_access` scope a
Server configuration should look like:
- `SSO_AUTHORITY=https://${authentik_domain}/application/o/${application_name}/` : trailing `/` is important
- `SSO_SCOPES=email profile offline_access`
- `SSO_SCOPES=openid profile email offline_access`
- `SSO_CLIENT_ID`
- `SSO_CLIENT_SECRET`
@@ -280,7 +280,7 @@ But older versions might have to disable it (`SSO_PKCE=false`).
Config will look like:
- `SSO_AUTHORITY=https://${provider_host}`
- `SSO_SCOPES=email profile offline_access`
- `SSO_SCOPES=openid profile email offline_access`
- `SSO_CLIENT_ID`
- `SSO_CLIENT_SECRET`
- `SSO_AUDIENCE_TRUSTED='^${Project Id}$'`