Cannot decode access token when using self-hosted GitLab as OIDC provider
heapifyman opened this issue · 4 comments
Subject of the issue
After logging in at GitLab and being redirected to vaultwarden, I end up on the vaultwarden login page again. And a popup shows the error message: "Could not decode access_token: InvalidToken".
This was working before, up until version 1.30.1-2. All versions afterwards fail with the above error.
Deployment environment
- vaultwarden version: ghcr.io/timshel/vaultwarden:1.30.1-8
- Install method: docker image
- Clients used: web vault
- Reverse proxy and version:
- MySQL/MariaDB or PostgreSQL version:
- Other relevant details:
Steps to reproduce
- docker-compose up
- Open https://vault.mydomain.com:8000 in a browser
- Login
Expected behaviour
Being logged in to vaultwarden
Actual behaviour
After the redirect from GitLab, I end up on the vaultwarden login page again. And a popup shows the error message: "Could not decode access_token: InvalidToken".
Troubleshooting data
Log shows:
[response][INFO] (login) POST /identity/connect/token => 400 Bad Request
Callback URL defined in GitLab is: https://vault.mydomain.com:8000/identity/connect/oidc-signin
docker-compose.yml
services:
  vaultwarden:
    image: ghcr.io/timshel/vaultwarden:1.30.1-8
    restart: unless-stopped
    env_file: .env
    environment:
      - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
    volumes:
      - /opt/vaultwarden/certs:/etc/vaultwarden/certs:ro
    ports:
      - 8000:8000
    networks:
      - vaultwarden
networks:
  vaultwarden:
    name: vaultwarden
.env:
ROCKET_PORT=8000
DOMAIN=https://vault.mydomain.com:${ROCKET_PORT}
ROCKET_TLS={certs="/etc/vaultwarden/certs/vault.mydomain.com.crt",key="/etc/vaultwarden/certs/vault.mydomain.com.key"}
SSO_ENABLED=true
SSO_ONLY=true
SSO_FRONTEND=override
I_REALLY_WANT_VOLATILE_STORAGE=true
SSO_CLIENT_ID=client-id
SSO_CLIENT_SECRET=gloas-...
SSO_AUTHORITY=https://gitlab.mydomain.com
LOG_FILE=/data/vaultwarden.log
VAULTWARDEN_ADMIN_TOKEN='$argon2id...'
SIGNUPS_ALLOWED=false
INVITATIONS_ALLOWED=false
ORG_CREATION_USERS=somone@mydomain.com,somebodyelse@mydomain.com
PASSWORD_HINTS_ALLOWED=false
SMTP_HOST=smtp.mydomain.com
SMTP_FROM=noreply@mydomain.com
SMTP_FROM_NAME=Vaultwarden
SMTP_SECURITY=force_tls
SMTP_PORT=465
SMTP_USERNAME=my-smtp-user
SMTP_PASSWORD=my-smtp-password
SMTP_TIMEOUT=15
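The two things worth checking from the reporter's side before opening an issue like this are (a) that the redirect URI vaultwarden derives from DOMAIN is byte-for-byte the callback registered at GitLab, and (b) whether the token that fails to decode is a JWT at all. OIDC Core only guarantees that the id_token is a JWT; an OAuth access_token may be an opaque string that cannot be decoded locally. The script below is an added diagnostic written for this page, not vaultwarden's or timshel's code; it assumes the callback path quoted in the report (/identity/connect/oidc-signin), uses placeholder secrets, and builds a constructed, unsigned JWT and a constructed opaque token purely to show the classification.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Constructed sample .env, copied from the report with secrets replaced by placeholders.
SAMPLE_ENV = """\
ROCKET_PORT=8000
DOMAIN=https://vault.mydomain.com:${ROCKET_PORT}
SSO_ENABLED=true
SSO_AUTHORITY=https://gitlab.mydomain.com
SSO_CLIENT_ID=client-id
SSO_CLIENT_SECRET=PLACEHOLDER-CLIENT-SECRET
"""

# Callback path as quoted in the issue; assumed here to be fixed by the server.
CALLBACK_PATH = "/identity/connect/oidc-signin"

_VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def parse_env(text):
    """Parse KEY=VALUE lines, expanding ${VAR} references to keys defined earlier."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip().strip("'\"")
        value = _VAR_REF.sub(lambda m: env.get(m.group(1), ""), value)
        env[key.strip()] = value
    return env


def expected_redirect_uri(env):
    """Redirect URI the server will send to the IdP, derived from DOMAIN."""
    return env["DOMAIN"].rstrip("/") + CALLBACK_PATH


def check_sso_config(env, configured_callback):
    """Compare the derived redirect URI with the callback registered at the IdP.
    Returns a list of findings; an empty list means both sides agree."""
    findings = []
    if env.get("SSO_ENABLED", "").lower() != "true":
        findings.append("SSO_ENABLED is not true")
    if urlsplit(env.get("SSO_AUTHORITY", "")).scheme != "https":
        findings.append("SSO_AUTHORITY should be an https URL")
    if "DOMAIN" not in env:
        findings.append("DOMAIN is not set; redirect URI cannot be derived")
        return findings
    want, got = urlsplit(expected_redirect_uri(env)), urlsplit(configured_callback)
    for field in ("scheme", "hostname", "port", "path"):
        if getattr(want, field) != getattr(got, field):
            findings.append(f"callback {field} mismatch: server expects "
                            f"{getattr(want, field)!r}, IdP has {getattr(got, field)!r}")
    return findings


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_token(token):
    """Return 'jwt' when the token is three base64url segments whose header is a JSON
    object carrying 'alg', otherwise 'opaque'. Opaque tokens are perfectly valid OAuth
    access tokens; they simply cannot be decoded by the client, which is what an
    "InvalidToken" decode error on an access_token usually means."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"


# Constructed samples: an unsigned JWT-shaped id_token and an opaque access token.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"iss": "https://gitlab.mydomain.com", "sub": "42"}).encode()),
    _b64url_encode(b"not-a-real-signature"),
])
SAMPLE_OPAQUE_TOKEN = "constructed-opaque-access-token-0123456789abcdef"


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    print("expected redirect URI:", expected_redirect_uri(env))
    for f in check_sso_config(env, "https://vault.mydomain.com:8000" + CALLBACK_PATH):
        print("finding:", f)
    for tok in (SAMPLE_ID_TOKEN, SAMPLE_OPAQUE_TOKEN):
        print(classify_token(tok), tok[:24] + "...")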
I can replicate, looking at it.
Just pushed a fix, 1.30.1-9 should be ready ~1h.
Still working on AzureAD
With 1.30.1-9 authenticating against self-hosted GitLab is working again. 👍🏽