vaultwarden/docs
nathanmoreton 2b79525441 Add SSO cookie vendor endpoint for native apps behind authenticating proxies
Implements the server-side pieces of Bitwarden's SSO cookie vending flow
(upstream PRs bitwarden/server#6880, #6892, #6903) so the native Bitwarden
mobile and desktop apps work when Vaultwarden sits behind an authenticating
reverse proxy such as Cloudflare Access, Authentik, Authelia, or
oauth2-proxy.

Without this, users behind such a proxy can authenticate the web vault in
a browser but the native apps 404 on /api/sso-cookie-vendor after the
browser-assisted IdP step, leaving the app unable to acquire the proxy's
auth cookie.

What's added:

  * New config section `sso_cookie_vendor` (4 fields, default-off) driving
    both env-var and admin-UI configuration via the existing make_config!
    macro, with startup validation.
  * GET /api/sso-cookie-vendor — reads the proxy auth cookie from the
    request (including sharded variants CF_Authorization-0..19) and
    302-redirects to bitwarden://sso-cookie-vendor?<cookie>=<value>&d=1
    so the native app can capture and reuse the cookie. Upstream-compatible
    404/400/500 HTML error pages; 8192-byte URI cap.
  * communication.bootstrap block in /api/config matching the shape from
    bitwarden/server#6892 so clients discover the flow without modification.
  * Unit tests covering single/sharded cookies, precedence, missing-cookie
    404, URL-encoding, oversize URI, and error HTML format.

See docs/sso-cookie-vendor.md for the full writeup (background, security
considerations, end-to-end flow, and per-proxy configuration notes).
2026-04-23 21:19:15 -05:00
sso-cookie-vendor.md Add SSO cookie vendor endpoint for native apps behind authenticating proxies 2026-04-23 21:19:15 -05:00