SSO using OpenID Connect (#3899)

* Add SSO functionality using OpenID Connect Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> * Improvements and error handling * Stop rolling device token * Add playwright tests * Activate PKCE by default * Ensure result order when searching for sso_user * add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION * Toggle SSO button in scss * Base64 encode state before sending it to providers * Prevent disabled User from SSO login * Review fixes * Remove unused UserOrganization.invited_by_email * Split SsoUser::find_by_identifier_or_email * api::Accounts::verify_password add the policy even if it's ignored * Disable signups if SSO_ONLY is activated * Add verifiedDate to organizations::get_org_domain_sso_details * Review fixes * Remove OrganizationId guard from get_master_password_policy * Add wrapper type OIDCCode OIDCState OIDCIdentifier * Membership::confirm_user_invitations fix and tests * Allow set-password only if account is unitialized * Review fixes * Prevent accepting another user invitation * Log password change event on SSO account creation * Unify master password policy resolution * Upgrade openidconnect to 4.0.0 * Revert "Remove unused UserOrganization.invited_by_email" This reverts commit 548e19995e141314af98a10d170ea7371f02fab4. * Process org enrollment in accounts::post_set_password * Improve tests * Pass the claim invited_by_email in case it was not in db * Add Slack configuration hints * Fix playwright tests * Skip broken tests * Add sso identifier in admin user panel * Remove duplicate expiration check, add a log * Augment mobile refresh_token validity * Rauthy configuration hints * Fix playwright tests * Playwright upgrade and conf improvement * Playwright tests improvements * 2FA email and device creation change * Fix and improve Playwright tests * Minor improvements * Fix enforceOnLogin org policies * Run playwright sso tests against correct db * PKCE should now work with Zitadel * Playwright upgrade maildev to use MailBuffer.expect * Upgrades playwright tests deps * Check email_verified in id_token and user_info * Add sso verified endpoint for v2025.6.0 * Fix playwright tests * Create a separate sso_client * Upgrade openidconnect to 4.0.1 * Server settings for login fields toggle * Use only css for login fields * Fix playwright test * Review fix * More review fix * Perform same checks when setting kdf --------- Co-authored-by: Felix Eckhofer <felix@eckhofer.com> Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> Co-authored-by: Timshel <timshel@480s>
2025-09-13 03:55:58 +03:00 · 2025-08-08 23:22:22 +02:00
parent a0c76284fd
commit cff6c2b3af
110 changed files with 8081 additions and 329 deletions
--- a/playwright/compose/warden/Dockerfile
+++ b/playwright/compose/warden/Dockerfile
@@ -0,0 +1,40 @@
+FROM playwright_oidc_vaultwarden_prebuilt AS prebuilt
+
+FROM node:18-bookworm AS build
+
+ARG REPO_URL
+ARG COMMIT_HASH
+
+ENV REPO_URL=$REPO_URL
+ENV COMMIT_HASH=$COMMIT_HASH
+
+COPY --from=prebuilt /web-vault /web-vault
+
+COPY build.sh /build.sh
+RUN /build.sh
+
+######################## RUNTIME IMAGE  ########################
+FROM docker.io/library/debian:bookworm-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Create data folder and Install needed libraries
+RUN mkdir /data && \
+    apt-get update && apt-get install -y \
+        --no-install-recommends \
+        ca-certificates \
+        curl \
+        libmariadb-dev-compat \
+        libpq5 \
+        openssl && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+
+COPY --from=prebuilt /start.sh .
+COPY --from=prebuilt /vaultwarden .
+COPY --from=build /web-vault ./web-vault
+
+ENTRYPOINT ["/start.sh"]
--- a/playwright/compose/warden/build.sh
+++ b/playwright/compose/warden/build.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+echo $REPO_URL
+echo $COMMIT_HASH
+
+if [[ ! -z "$REPO_URL" ]] && [[ ! -z "$COMMIT_HASH" ]] ; then
+    rm -rf /web-vault
+
+    mkdir bw_web_builds;
+    cd bw_web_builds;
+
+    git -c init.defaultBranch=main init
+    git remote add origin "$REPO_URL"
+    git fetch --depth 1 origin "$COMMIT_HASH"
+    git -c advice.detachedHead=false checkout FETCH_HEAD
+
+    export VAULT_VERSION=$(cat Dockerfile | grep "ARG VAULT_VERSION" | cut -d "=" -f2)
+    ./scripts/checkout_web_vault.sh
+    ./scripts/patch_web_vault.sh
+    ./scripts/build_web_vault.sh
+    printf '{"version":"%s"}' "$COMMIT_HASH" > ./web-vault/apps/web/build/vw-version.json
+
+    mv ./web-vault/apps/web/build /web-vault
+fi