Activate PKCE by default

This commit is contained in:
Timshel 2024-10-07 14:46:04 +02:00
parent c328f6df26
commit a87e12f6e0
4 changed files with 5 additions and 17 deletions

@ -454,8 +454,8 @@
#SSO_SCOPES="email profile" #SSO_SCOPES="email profile"
## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth). ## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent" # SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
## Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support. ## Activate PKCE for the Auth Code flow.
# SSO_PKCE=false # SSO_PKCE=true
## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted). ## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted).
# SSO_AUDIENCE_TRUSTED='^$' # SSO_AUDIENCE_TRUSTED='^$'
## Set your Client ID and Client Key ## Set your Client ID and Client Key
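Review bot: with the default flipped to `true`, the shortened comment on the `SSO_PKCE` line no longer tells an operator when they would need to set it back to `false`; suggest keeping a hint in the template, e.g. `## Activate PKCE for the Auth Code flow. Set to false only if your provider does not support it.` The `Additionnal` typo in the two surrounding context lines predates this change but could be fixed in the same pass.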

SSO.md
@ -20,7 +20,7 @@ The following configurations are available
- $SSO_AUTHORITY/.well-known/openid-configuration should return the a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse - $SSO_AUTHORITY/.well-known/openid-configuration should return the a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`) - `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`)
- `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`) - `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
- `SSO_PKCE`: Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support (default `false`). - `SSO_PKCE`: Activate PKCE for the Auth Code flow (default `true`).
- `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`. - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
- `SSO_CLIENT_ID` : Client Id - `SSO_CLIENT_ID` : Client Id
- `SSO_CLIENT_SECRET` : Client Secret - `SSO_CLIENT_SECRET` : Client Secret
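Review bot: the reworded `SSO_PKCE` entry drops the `Recommended` wording together with the feedback caveat, so the docs no longer say why the default is `true` or when it is acceptable to turn it off; suggest `Activate PKCE for the Auth Code flow. Recommended; set to false only if your provider does not support it (default true).` The `return the a json document` in the context line above is a pre-existing typo that could be fixed while editing this list.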
@ -97,7 +97,6 @@ Server configuration, nothing specific just set:
- `SSO_AUTHORITY=https://${domain}/realms/${realm_name}` - `SSO_AUTHORITY=https://${domain}/realms/${realm_name}`
- `SSO_CLIENT_ID` - `SSO_CLIENT_ID`
- `SSO_CLIENT_SECRET` - `SSO_CLIENT_SECRET`
- `SSO_PKCE=true`
### Testing ### Testing
@ -150,7 +149,6 @@ Server configuration should look like:
- `SSO_SCOPES="email profile offline_access"` - `SSO_SCOPES="email profile offline_access"`
- `SSO_CLIENT_ID` - `SSO_CLIENT_ID`
- `SSO_CLIENT_SECRET` - `SSO_CLIENT_SECRET`
- `SSO_PKCE=true`
## Casdoor ## Casdoor
@ -162,7 +160,6 @@ Then configure your server with:
- `SSO_AUTHORITY=https://${provider_host}` - `SSO_AUTHORITY=https://${provider_host}`
- `SSO_CLIENT_ID` - `SSO_CLIENT_ID`
- `SSO_CLIENT_SECRET` - `SSO_CLIENT_SECRET`
- `SSO_PKCE=true`
## GitLab ## GitLab
@ -177,7 +174,6 @@ Then configure your server with
- `SSO_AUTHORITY=https://gitlab.com` - `SSO_AUTHORITY=https://gitlab.com`
- `SSO_CLIENT_ID` - `SSO_CLIENT_ID`
- `SSO_CLIENT_SECRET` - `SSO_CLIENT_SECRET`
- `SSO_PKCE=true`
## Google Auth ## Google Auth
@ -189,19 +185,12 @@ Configure your server with :
- `SSO_AUTHORITY=https://accounts.google.com` - `SSO_AUTHORITY=https://accounts.google.com`
- `SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"` - `SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"`
- `SSO_PKCE=true`
- `SSO_CLIENT_ID` - `SSO_CLIENT_ID`
- `SSO_CLIENT_SECRET` - `SSO_CLIENT_SECRET`
## Kanidm ## Kanidm
Kanidm recommend always running with PKCE: Nothing specific should work with just `SSO_AUTHORITY`, `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET`.
Config will look like:
- `SSO_PKCE=true`
Otherwise you can disable the PKCE requirement with: `kanidm system oauth2 warning-insecure-client-disable-pkce CLIENT_NAME --name admin`.
## Microsoft Entra ID ## Microsoft Entra ID
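Review bot: the new Kanidm sentence `Nothing specific should work with just ...` reads as if nothing works at all; suggest `Nothing specific is needed; it should work with just SSO_AUTHORITY, SSO_CLIENT_ID and SSO_CLIENT_SECRET.` The `Otherwise you can disable the PKCE requirement with: kanidm system oauth2 warning-insecure-client-disable-pkce ...` sentence only made sense after the removed `Kanidm recommend always running with PKCE` lead-in; if it stays in the file it needs a new lead-in of its own (e.g. `If you have to run with SSO_PKCE=false, Kanidm can drop its PKCE requirement with: ...`), otherwise it should go with the rest of the removed block.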

@ -61,7 +61,6 @@ SMTP_TIMEOUT=5
SSO_CLIENT_ID=VaultWarden SSO_CLIENT_ID=VaultWarden
SSO_CLIENT_SECRET=VaultWarden SSO_CLIENT_SECRET=VaultWarden
SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM} SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM}
SSO_PKCE=true
########################### ###########################
# Docker MariaDb container# # Docker MariaDb container#

@ -659,7 +659,7 @@ make_config! {
/// Authorization request extra parameters /// Authorization request extra parameters
sso_authorize_extra_params: String, false, def, String::new(); sso_authorize_extra_params: String, false, def, String::new();
/// Use PKCE during Authorization flow /// Use PKCE during Authorization flow
sso_pkce: bool, false, def, false; sso_pkce: bool, false, def, true;
/// Regex for additionnal trusted Id token audience |> By default only the client_id is trsuted. /// Regex for additionnal trusted Id token audience |> By default only the client_id is trsuted.
sso_audience_trusted: String, false, option; sso_audience_trusted: String, false, option;
/// CallBack Path |> Generated from Domain. /// CallBack Path |> Generated from Domain.
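Review bot: changing `def, false` to `def, true` turns PKCE on for every existing deployment that did not set `SSO_PKCE` explicitly, including ones whose provider may not support it; since this is a behaviour change, the doc comment should say so using the `|>` help-text convention of the neighbouring lines, e.g. `/// Use PKCE during Authorization flow |> Enabled by default; set to false only if the provider does not support it.` Unrelated to this change, the context line below carries the typos `additionnal` and `trsuted`.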