verified_email Claim

[gjuuz]

Vaultwarden Support String

unfortunately i dont get sign up via sso working with azure idp. I have to setup SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true to get this working but i want to avoid this. Token Claim verified_email is not available within Azure. I can setup verified_primary_email but is it possible to also accept this claim in the sso process ?

BR

Vaultwarden Build Version

---

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

---

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Web Vault

Client Version

No response

Steps To Reproduce

---

Expected Result

---

Actual Result

---

Logs

No response

Screenshots or Videos

No response

Additional Context

No response

[Timshel]

Hey,

While technically possible, since this is a well-defined claim present in the spec; I don't plan to add alternative ways to support it at the moment.

Edit: If you can manually add claims does it prevent you to name it email_verified ?

[gjuuz]

Unfortunately its not possible to add claims to azure manually. I think you can only choose predefined claims to use.

[Timshel]

I won't pretend that I know how Entra works but some documentation appears to mention the email_verified claim:
https://learn.microsoft.com/en-us/entra/external-id/customers/reference-oidc-claims-mapping-customers

[gjuuz]

Dont know how to get to this menu but within our tenant i can only see this:

[Timshel]

I'm sorry I never used Entra so I won't be able to help you with it.

I mentioned it because I don't remember for which provider SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION was added, but I don't believe it was for Entra.

It's not mentioned in SSO.md#microsoft-entra-id and I believe multiple people were successful in configuring Entra.

[gjuuz]

I followed this instruction but yea as i said this claim is not visible and i also cant add custom claims or something. I will keep searching for it :)

[kouhei-ioroi]

Hello, @Timshel and @gjuuz
I was using OIDCWarden with EntraID, but I thought that signup was not possible from the beginning, so I always invited manually.

If SSO can do sign-up like just-in-time provisioning, it would be very nice.

To use OIDC custom claims with EntraID, open "Enterprise Applications" in the Azure Portal, and add or change them in "Attributes and Claims" from "Single Sign-On" for the application.

Also, if you don't add
"acceptMappedClaims": true to your application manifest, you may encounter certificate-related issues.

You can also set custom claims on the command line using the Graph API.

1. Install-Module Microsoft.Graph
2. Connect-MgGraph -Scopes "Application.ReadWrite.All", "Policy.ReadWrite.ApplicationConfiguration"
3. New-MgPolicyClaimMappingPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mail","JwtClaimType":"email_verified"}]}}') -DisplayName "email_verified"
4. New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId <YourApplicationServicePrincipalId> -BodyParameter @{"@odata.id" = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/<YourPolicyId>"}

If you need to delete these settings, you can remove the policy from application and delete the policy itself by executing:

1. Remove-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId <YourApplicationServicePrincipalId> -ClaimsMappingPolicyId <PolicyId>
2. Remove-MgPolicyClaimMappingPolicy -ClaimsMappingPolicyId <PolicyId>

I tried customizing the claims each way, and both times OIDCWarden raised the same following error.
The error is as follows:
Failed to contact token endpoint: Parse(Error { path: Path { segments: [] }, original: Error("Failed to parse payload JSON: Error(\"invalid type: string \\\"<REAL EMAIL ADDRESS>\\\", expected a boolean\", line: 1, column: 586)", line: 1, column: 4536) }, [123, 34, 116, 111, 107, 101, 110, 95...
This is followed by a list of numbers, and the entire error string is around 20,000 characters long.
I'd be happy to help if you need any additional feedback on this.

Thanks!

[Timshel]

but I thought that signup was not possible from the beginning, so I always invited manually.

Signup is supported, and I was not aware of any specific issue with Entra up to this point.

Error("invalid type: string \"\", expected a boolean"

This is expected since the email_verified claim is supposed to be a boolean which indicate if the provider as verified the email.

[gjuuz]

as i said azure does not support his claim. it only has verified_primary_email available as claim

[kouhei-ioroi]

I thought it might be possible to return user.accountenabled as a custom claim, but unfortunately EntraID returns OIDC claims as Strings, so claims expecting a Boolean would fail.
I also considered returning fixed values ​​of true or false, but this also failed because it returns a String.

[kouhei-ioroi]

I think it's possible to define and return a boolean by combining directory schema extensions, but you'd have to define the schema value for every user, which would be tedious in a large organization.

Solution:
A. Add a special oidc claim option for IdPs that can't return "email_verified" as a boolean, such as EntraID (convert string to boolean and accept, or check that a specific claim is included, etc.)
B. Add to SSO.md to use SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true

[Rainson12]

wouldnt it be possible to try parse the return value from string to boolean? Entra can not set static booleans but only string:

It is not possible to get rid of the ""

[gjuuz]

m string to boolean? Entra can not set static booleans but only string:

this will not work cause vaultwarden is expecting a boolean.

[kouhei-ioroi]

m string to boolean? Entra can not set static booleans but only string:

this will not work cause vaultwarden is expecting a boolean.

I think he is probably asking for that functionality not for EntraID but for Vaultwarden (OIDCwarden).

[gjuuz]

m string to boolean? Entra can not set static booleans but only string:

this will not work cause vaultwarden is expecting a boolean.

I think he is probably asking for that functionality not for EntraID but for Vaultwarden (OIDCwarden).

misunderstood sorry :)

[Timshel]

wouldnt it be possible to try parse the return value from string to boolean?

Since the parsing of the default claims is done by the underlying library, which quite strict, it would not be so trivial to implement.

But even if it was, as mentioned before this is a well-defined field in the spec, so in general I have no plan to add workaround for a specific provider.

[kouhei-ioroi]

A better solution would be to ask Microsoft to either fix EntraID's OIDC to comply with the spec, or to add support for boolean types...

[Timshel]

Hey
Just worked on upgrading to openidconnect 4.0.0 and it now includes a feature accept-string-booleans.
I did not want to activate it by default but I added a feature in Vaultwarden to activate it: oidc-accept-string-booleans.

I did not test it, and you'll have to make your own build, but it might still help :)