Timshel/vaultwarden

SSO with google login throwing "Could not decode access_token"

avicoder opened this issue · 5 comments

SSO with Google OAuth not working

Deployment environment

  • vaultwarden version: Version 1.30.3-f3623e22 (sso-support)

  • Install method: docker

docker run --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 -e SSO_ENABLED="true" -e SSO_CLIENT_ID="**********ee77m412vg2r.apps.googleusercontent.com" -e SSO_CLIENT_SECRET="****************" -e SSO_AUTHORITY="https://accounts.google.com" -e DOMAIN=https://pass.*****.com -e SSO_FRONTEND=override vaultwarden/server:latest

  • Clients used: web vault

  • Reverse proxy and version: Cloudflare Access

Steps to reproduce

  • Run the docker using the command mentioned above, passing the env variables.
  • Go to the #sso login page.
  • Login with the gmail account.

Expected behaviour

Login to the dashboard

Actual behaviour

[screenshot of the error]

Hey
Latest push (23d56c3) should fix the issue.
Note: with the current setting you will have no refresh_token, so the session will end after 1h.

Additional parameters are needed to retrieve a refresh_token on the authorize_url and I need to think on how to integrate it.

Yeah - It worked, thanks

Hey

So I added the SSO_AUTHORIZE_EXTRA_PARAMS setting to allow setting the needed parameters to obtain a refresh_token with Google Auth.

Documentation there :).

Thanks, does this mean the session will be longer compared to the previous 1 hour if SSO_AUTHORIZE_EXTRA_PARAMS is set?

The rules regarding Google refresh_token: https://developers.google.com/identity/protocols/oauth2#expiration

In the app, without other information, the refresh_token is considered valid for a year and is reset with each check.
Might add something to allow configuring it to the same six-month idle value (in both cases the user will be logged out; it just should prevent the error log from a failed refresh attempt).
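To make concrete what the maintainer's comments describe (extra parameters on the authorize URL so Google issues a refresh_token, and a session that otherwise ends with the access token), here is an added illustration in Python; it is not vaultwarden's code. It assumes the extra parameters are given as a query-string fragment such as "access_type=offline&prompt=consent", which is the form Google documents for requesting offline access; the exact format vaultwarden expects for SSO_AUTHORIZE_EXTRA_PARAMS is an assumption, as are the redirect URI and client id used below.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Google's OAuth2 authorization endpoint (documented by Google; the
# SSO_AUTHORITY in the issue is https://accounts.google.com).
GOOGLE_AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"


def build_authorize_url(client_id, redirect_uri, state, extra_params=""):
    """Build the OIDC authorization request, merging in extra parameters.

    extra_params is a query-string fragment (assumed format), e.g.
    "access_type=offline&prompt=consent". Later values override the
    defaults so a deployment can add what its provider requires.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
    }
    if extra_params:
        for key, values in parse_qs(extra_params, keep_blank_values=True).items():
            params[key] = values[-1]
    return f"{GOOGLE_AUTHORIZE_URL}?{urlencode(params)}"


def requests_offline_access(authorize_url):
    """True when the request carries access_type=offline, which Google
    requires before it will return a refresh_token at all."""
    query = parse_qs(urlsplit(authorize_url).query)
    return query.get("access_type") == ["offline"]


def session_lifetime(token_response):
    """Classify a token endpoint response (dict, constructed by the caller).

    Returns ("refresh", None) if a refresh_token is present, otherwise
    ("access_only", expires_in): the session can only last as long as the
    access token, which for Google is about one hour.
    """
    if token_response.get("refresh_token"):
        return ("refresh", None)
    return ("access_only", int(token_response.get("expires_in", 0)))
```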