SSO using OpenID Connect (#3899)

* Add SSO functionality using OpenID Connect Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> * Improvements and error handling * Stop rolling device token * Add playwright tests * Activate PKCE by default * Ensure result order when searching for sso_user * add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION * Toggle SSO button in scss * Base64 encode state before sending it to providers * Prevent disabled User from SSO login * Review fixes * Remove unused UserOrganization.invited_by_email * Split SsoUser::find_by_identifier_or_email * api::Accounts::verify_password add the policy even if it's ignored * Disable signups if SSO_ONLY is activated * Add verifiedDate to organizations::get_org_domain_sso_details * Review fixes * Remove OrganizationId guard from get_master_password_policy * Add wrapper type OIDCCode OIDCState OIDCIdentifier * Membership::confirm_user_invitations fix and tests * Allow set-password only if account is unitialized * Review fixes * Prevent accepting another user invitation * Log password change event on SSO account creation * Unify master password policy resolution * Upgrade openidconnect to 4.0.0 * Revert "Remove unused UserOrganization.invited_by_email" This reverts commit 548e19995e141314af98a10d170ea7371f02fab4. * Process org enrollment in accounts::post_set_password * Improve tests * Pass the claim invited_by_email in case it was not in db * Add Slack configuration hints * Fix playwright tests * Skip broken tests * Add sso identifier in admin user panel * Remove duplicate expiration check, add a log * Augment mobile refresh_token validity * Rauthy configuration hints * Fix playwright tests * Playwright upgrade and conf improvement * Playwright tests improvements * 2FA email and device creation change * Fix and improve Playwright tests * Minor improvements * Fix enforceOnLogin org policies * Run playwright sso tests against correct db * PKCE should now work with Zitadel * Playwright upgrade maildev to use MailBuffer.expect * Upgrades playwright tests deps * Check email_verified in id_token and user_info * Add sso verified endpoint for v2025.6.0 * Fix playwright tests * Create a separate sso_client * Upgrade openidconnect to 4.0.1 * Server settings for login fields toggle * Use only css for login fields * Fix playwright test * Review fix * More review fix * Perform same checks when setting kdf --------- Co-authored-by: Felix Eckhofer <felix@eckhofer.com> Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> Co-authored-by: Timshel <timshel@480s>
2025-09-10 18:55:57 +03:00 · 2025-08-08 23:22:22 +02:00
parent a0c76284fd
commit cff6c2b3af
110 changed files with 8081 additions and 329 deletions
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -1,4 +1,6 @@
 use chrono::{NaiveDateTime, Utc};
+
+use data_encoding::{BASE64, BASE64URL};
 use derive_more::{Display, From};
 use serde_json::Value;

@@ -6,7 +8,6 @@ use super::{AuthRequest, UserId};
 use crate::{
    crypto,
    util::{format_date, get_uuid},
-    CONFIG,
 };
 use macros::{IdFromParam, UuidFromParam};

@@ -34,25 +35,6 @@ db_object! {

 /// Local methods
 impl Device {
-    pub fn new(uuid: DeviceId, user_uuid: UserId, name: String, atype: i32) -> Self {
-        let now = Utc::now().naive_utc();
-
-        Self {
-            uuid,
-            created_at: now,
-            updated_at: now,
-
-            user_uuid,
-            name,
-            atype,
-
-            push_uuid: Some(PushId(get_uuid())),
-            push_token: None,
-            refresh_token: String::new(),
-            twofactor_remember: None,
-        }
-    }
-
    pub fn to_json(&self) -> Value {
        json!({
            "id": self.uuid,
@@ -66,7 +48,6 @@ impl Device {
    }

    pub fn refresh_twofactor_remember(&mut self) -> String {
-        use data_encoding::BASE64;
        let twofactor_remember = crypto::encode_random_bytes::<180>(BASE64);
        self.twofactor_remember = Some(twofactor_remember.clone());

@@ -77,71 +58,9 @@ impl Device {
        self.twofactor_remember = None;
    }

-    pub fn refresh_tokens(
-        &mut self,
-        user: &super::User,
-        scope: Vec<String>,
-        client_id: Option<String>,
-    ) -> (String, i64) {
-        // If there is no refresh token, we create one
-        if self.refresh_token.is_empty() {
-            use data_encoding::BASE64URL;
-            self.refresh_token = crypto::encode_random_bytes::<64>(BASE64URL);
-        }
-
-        // Update the expiration of the device and the last update date
-        let time_now = Utc::now();
-        self.updated_at = time_now.naive_utc();
-
-        // Generate a random push_uuid so if it doesn't already have one
-        if self.push_uuid.is_none() {
-            self.push_uuid = Some(PushId(get_uuid()));
-        }
-
-        // ---
-        // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
-        // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
-        // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
-        // ---
-        // fn arg: members: Vec<super::Membership>,
-        // ---
-        // let orgowner: Vec<_> = members.iter().filter(|m| m.atype == 0).map(|o| o.org_uuid.clone()).collect();
-        // let orgadmin: Vec<_> = members.iter().filter(|m| m.atype == 1).map(|o| o.org_uuid.clone()).collect();
-        // let orguser: Vec<_> = members.iter().filter(|m| m.atype == 2).map(|o| o.org_uuid.clone()).collect();
-        // let orgmanager: Vec<_> = members.iter().filter(|m| m.atype == 3).map(|o| o.org_uuid.clone()).collect();
-
-        // Create the JWT claims struct, to send to the client
-        use crate::auth::{encode_jwt, LoginJwtClaims, DEFAULT_VALIDITY, JWT_LOGIN_ISSUER};
-        let claims = LoginJwtClaims {
-            nbf: time_now.timestamp(),
-            exp: (time_now + *DEFAULT_VALIDITY).timestamp(),
-            iss: JWT_LOGIN_ISSUER.to_string(),
-            sub: user.uuid.clone(),
-
-            premium: true,
-            name: user.name.clone(),
-            email: user.email.clone(),
-            email_verified: !CONFIG.mail_enabled() || user.verified_at.is_some(),
-
-            // ---
-            // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
-            // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
-            // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
-            // See: https://github.com/dani-garcia/vaultwarden/issues/4156
-            // ---
-            // orgowner,
-            // orgadmin,
-            // orguser,
-            // orgmanager,
-            sstamp: user.security_stamp.clone(),
-            device: self.uuid.clone(),
-            devicetype: DeviceType::from_i32(self.atype).to_string(),
-            client_id: client_id.unwrap_or("undefined".to_string()),
-            scope,
-            amr: vec!["Application".into()],
-        };
-
-        (encode_jwt(&claims), DEFAULT_VALIDITY.num_seconds())
+    // This rely on the fact we only update the device after a successful login
+    pub fn is_new(&self) -> bool {
+        self.created_at == self.updated_at
    }

    pub fn is_push_device(&self) -> bool {
@@ -187,14 +106,39 @@ impl DeviceWithAuthRequest {
 }
 use crate::db::DbConn;

-use crate::api::EmptyResult;
+use crate::api::{ApiResult, EmptyResult};
 use crate::error::MapResult;

 /// Database methods
 impl Device {
-    pub async fn save(&mut self, conn: &mut DbConn) -> EmptyResult {
-        self.updated_at = Utc::now().naive_utc();
+    pub async fn new(
+        uuid: DeviceId,
+        user_uuid: UserId,
+        name: String,
+        atype: i32,
+        conn: &mut DbConn,
+    ) -> ApiResult<Device> {
+        let now = Utc::now().naive_utc();

+        let device = Self {
+            uuid,
+            created_at: now,
+            updated_at: now,
+
+            user_uuid,
+            name,
+            atype,
+
+            push_uuid: Some(PushId(get_uuid())),
+            push_token: None,
+            refresh_token: crypto::encode_random_bytes::<64>(BASE64URL),
+            twofactor_remember: None,
+        };
+
+        device.inner_save(conn).await.map(|()| device)
+    }
+
+    async fn inner_save(&self, conn: &mut DbConn) -> EmptyResult {
        db_run! { conn:
            sqlite, mysql {
                crate::util::retry(
@@ -212,6 +156,12 @@ impl Device {
        }
    }

+    // Should only be called after user has passed authentication
+    pub async fn save(&mut self, conn: &mut DbConn) -> EmptyResult {
+        self.updated_at = Utc::now().naive_utc();
+        self.inner_save(conn).await
+    }
+
    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &mut DbConn) -> EmptyResult {
        db_run! { conn: {
            diesel::delete(devices::table.filter(devices::user_uuid.eq(user_uuid)))
@@ -403,6 +353,10 @@ impl DeviceType {
            _ => DeviceType::UnknownBrowser,
        }
    }
+
+    pub fn is_mobile(value: &i32) -> bool {
+        *value == DeviceType::Android as i32 || *value == DeviceType::Ios as i32
+    }
 }

 #[derive(