[suggestion] add rauthy as IAM #90

Open
cocoon opened this issue Feb 1, 2025 · 4 comments
Labels
enhancement New feature or request

Comments

cocoon commented Feb 1, 2025

Vaultwarden Support String

No issue here, I just thought it would fit Vaultwarden SSO perfectly to add an example or Docker config for rauthy, an IAM written in Rust.
https://github.com/sebadob/rauthy

I already got it working nicely together by adding the Vaultwarden SSO fork as a client 👍

Just as info: it might help to check https://github.com/sebadob/rauthy/blob/main/justfile for how to build, in addition to reading the guide.
And as it just got a UI refresh, there might be some changes, like it currently expects an env var DEV_MODE=xyz for building the frontend with npm.

Vaultwarden Build Version

1.30.5-0a1aa852

Deployment method

Build from source

Custom deployment method

No response

Reverse Proxy

no

Host/Server Operating System

Windows

Operating System Version

Windows 11

Clients

Web Vault, Browser Extension

Client Version

No response

Steps To Reproduce

Expected Result

Actual Result

Logs


Screenshots or Videos

Image

Additional Context

No response

cocoon added the bug (Something isn't working) label Feb 1, 2025

Owner

Timshel commented Feb 1, 2025

Hey,
I'll add a mention on the SSO.md page.
From what I understand it appears to work out of the box?

I can see you allowed the offline_access claim, but did you add it to the Vaultwarden config?
Or were you able to obtain a refresh_token even without the claim? (it's not requested by default).

Timshel added the enhancement (New feature or request) label and removed the bug (Something isn't working) label Feb 1, 2025

Author

cocoon commented Feb 3, 2025

> From what I understand it appears to work out of the box?

Yes, after I manipulated the code of Vaultwarden, or rather openidconnect, to accept my local CA certs ^^
But yes it works.

> I can see you allowed the offline_access claim, but did you add it to the Vaultwarden config? Or were you able to obtain a refresh_token even without the claim? (it's not requested by default).

Oh I can't tell you, it is just a very early experiment, I just found vaultwarden around January 25, and wanted to get it working with OIDC and local CA certificates.

My current vaultwarden config looks like this, but still just testing:

```
SSO_AUTHORITY=https://rauthy.lab:8443/auth/v1
SSO_SCOPES="email profile offline_access"
SSO_PKCE=true
SSO_CLIENT_ID=11111222222
SSO_CLIENT_SECRET=xyz
SSO_AUTH_ONLY_NOT_SESSION=true
```

Owner

Timshel commented Feb 3, 2025

For local CA, the situation should improve soon; I will work on updating openidconnect.

Quick question on your config: did you activate SSO_AUTH_ONLY_NOT_SESSION because you had any issues, or just to use a different session expiration?

Author

cocoon commented Feb 3, 2025

> For local CA, the situation should improve soon; I will work on updating openidconnect.

Great 👍 Currently I just made an ugly hack of the old version of openidconnect to allow it, but for testing it is fine.

> SSO_AUTH_ONLY_NOT_SESSION

No specific problem here, I just read through so many GitHub issues and put together what I found, really, it is very early testing from my side.

If I experience a specific issue, I will for sure open an issue here or respond to an existing one.
