Timshel/vaultwarden

Cannot decode access token when using self-hosted GitLab as OIDC provider

heapifyman opened this issue · 4 comments

Subject of the issue

After logging in at GitLab and being redirected to vaultwarden, I end up on the vaultwarden login page again, and a popup shows the error message: "Could not decode access_token: InvalidToken".

This was working before, up until version 1.30.1-2. All versions afterwards fail with the above error.

Deployment environment

  • vaultwarden version: ghcr.io/timshel/vaultwarden:1.30.1-8
  • Install method: docker image

  • Clients used: web vault

  • Reverse proxy and version:

  • MySQL/MariaDB or PostgreSQL version:

  • Other relevant details:

Steps to reproduce

  1. docker-compose up
  2. Open https://vault.mydomain.com:8000 in a browser
  3. Login

Expected behaviour

Being logged in to vaultwarden

Actual behaviour

After the redirect from GitLab, I end up on the vaultwarden login page again, and a popup shows the error message: "Could not decode access_token: InvalidToken".

Troubleshooting data

Log shows:

[response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Callback URL defined in GitLab is: https://vault.mydomain.com:8000/identity/connect/oidc-signin

docker-compose.yml
services:
  vaultwarden:
    image: ghcr.io/timshel/vaultwarden:1.30.1-8
    restart: unless-stopped
    env_file: .env
    environment:
      - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
    volumes:
      - /opt/vaultwarden/certs:/etc/vaultwarden/certs:ro
    ports:
      - 8000:8000
    networks:
      - vaultwarden

networks:
  vaultwarden:
    name: vaultwarden

.env:
ROCKET_PORT=8000
DOMAIN=https://vault.mydomain.com:${ROCKET_PORT}

ROCKET_TLS={certs="/etc/vaultwarden/certs/vault.mydomain.com.crt",key="/etc/vaultwarden/certs/vault.mydomain.com.key"}

SSO_ENABLED=true
SSO_ONLY=true
SSO_FRONTEND=override
I_REALLY_WANT_VOLATILE_STORAGE=true
SSO_CLIENT_ID=client-id
SSO_CLIENT_SECRET=gloas-...
SSO_AUTHORITY=https://gitlab.mydomain.com

LOG_FILE=/data/vaultwarden.log

VAULTWARDEN_ADMIN_TOKEN='$argon2id...'

SIGNUPS_ALLOWED=false
INVITATIONS_ALLOWED=false
ORG_CREATION_USERS=somone@mydomain.com,somebodyelse@mydomain.com

PASSWORD_HINTS_ALLOWED=false

SMTP_HOST=smtp.mydomain.com
SMTP_FROM=noreply@mydomain.com
SMTP_FROM_NAME=Vaultwarden
SMTP_SECURITY=force_tls
SMTP_PORT=465
SMTP_USERNAME=my-smtp-user
SMTP_PASSWORD=my-smtp-password
SMTP_TIMEOUT=15

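Added example, not vaultwarden code and not the fix referred to in the comments below: a small Python inspector for a token-endpoint response of the kind vaultwarden receives after the oidc-signin callback above. It reports whether each token field is a JWT or an opaque string and checks the id_token claims against the configured SSO_AUTHORITY and SSO_CLIENT_ID values. The token response embedded here is constructed; the issuer and client id are the placeholders from this issue's .env, the opaque token values are made-up hex strings, and the id_token carries a placeholder signature because nothing in this script verifies signatures (inspection only). It says nothing about what changed between 1.30.1-2 and 1.30.1-8.

```python
"""Inspect an OIDC token response: which tokens are JWTs, and do the
id_token claims match the relying party's configuration?

Added illustration, not part of vaultwarden. All sample data is constructed.
"""
import base64
import json
import time


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment omits, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Return {'header': ..., 'payload': ...} if the string parses as a JWS
    compact token, else None. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        # Opaque tokens usually fail here: not base64url JSON at all.
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    return {"header": header, "payload": payload}


def classify_token_response(resp: dict) -> dict:
    """For each token field present, report 'jwt' or 'opaque' plus claims."""
    report = {}
    for field in ("access_token", "id_token", "refresh_token"):
        value = resp.get(field)
        if value is None:
            continue
        decoded = decode_jwt_unverified(value)
        report[field] = {
            "kind": "jwt" if decoded else "opaque",
            "claims": decoded["payload"] if decoded else None,
        }
    return report


def check_id_token_claims(claims: dict, expected_issuer: str, client_id: str, now=None) -> list:
    """Return a list of problems; empty means iss/aud/exp look consistent.
    iss must match the configured authority byte for byte (trailing slash matters)."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != {expected_issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        problems.append(f"aud {aud!r} does not include {client_id!r}")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp missing or in the past")
    return problems


# Constructed id_token contents; issuer and client id reuse this issue's placeholders.
ID_TOKEN_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-key-id"}
ID_TOKEN_CLAIMS = {
    "iss": "https://gitlab.mydomain.com",
    "aud": "client-id",
    "sub": "42",
    "iat": 1700000000,
    "exp": 4102444800,  # far future so the sample stays valid when run
    "email": "someone@mydomain.com",
}


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (never verified)."""
    dumps = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([b64url_encode(dumps(header)),
                     b64url_encode(dumps(claims)),
                     b64url_encode(b"placeholder-signature")])


# Constructed token response: opaque access/refresh tokens, JWT id_token.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "7f2c9d1e4b8a5c0f3e6d9a2b4c7e1f8a",   # constructed opaque value
    "token_type": "Bearer",
    "expires_in": 7200,
    "refresh_token": "2a4b6c8d0e1f3a5b7c9d1e3f5a7b9c1d",  # constructed opaque value
    "id_token": make_unsigned_jwt(ID_TOKEN_HEADER, ID_TOKEN_CLAIMS),
}

if __name__ == "__main__":
    report = classify_token_response(SAMPLE_TOKEN_RESPONSE)
    for field, info in report.items():
        print(f"{field}: {info['kind']}")
    print("id_token problems:", check_id_token_claims(
        report["id_token"]["claims"], "https://gitlab.mydomain.com", "client-id"))
```

To use it against a real provider, capture the JSON body returned by the token endpoint (with redirection logging or a proxy) and pass it to classify_token_response; a relying party that insists on parsing access_token as a JWT will fail on any provider that issues opaque access tokens, and an issuer mismatch as small as a trailing slash makes check_id_token_claims report a problem.
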
I can replicate, looking at it.

Just pushed a fix; 1.30.1-9 should be ready in ~1h.

Still working on AzureAD

With 1.30.1-9, authenticating against self-hosted GitLab is working again. 👍🏽