Timshel/vaultwarden

Zitadel : Could not read id_token claims, Invalid audiences

LeVraiRoiDHyrule opened this issue · 22 comments

Hi,

I am new to Vaultwarden OIDC. I want to use it with my SSO option of choice, Zitadel. I have followed this:

## Zitadel

My compose is the following:

  vaultwarden:
    image: ghcr.io/timshel/vaultwarden:latest
    container_name: vaultwarden
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}

      - DOMAIN=https://vault.${DOMAIN}
      #- SIGNUPS_ALLOWED=false
      #- INVITATIONS_ALLOWED=false

      - SSO_ENABLED=true
      - SSO_PKCE=true
      - SSO_ONLY=true
      - SSO_AUTHORITY=https://api.auth.${DOMAIN}
      - SSO_AUDIENCE_TRUSTED='^264077012140818435$'
      - SSO_CLIENT_ID=264077012140883971@[REDACTED]
      - SSO_CLIENT_SECRET=dummy
      - SSO_SCOPES="email profile offline_access"

      - SSO_FRONTEND=override
      - SSO_DEBUG_TOKENS=true
      - SSO_ROLES_ENABLED=true

    networks:
      - services
    volumes:
      - ${CONFIG_FOLDER}/vaultwarden:/data
    restart: unless-stopped
    labels:
      - "bunkerweb.SERVER_NAME=vault.${DOMAIN}"
      - "bunkerweb.USE_REVERSE_PROXY=yes"
      - "bunkerweb.REVERSE_PROXY_URL=/"
      - "bunkerweb.REVERSE_PROXY_HOST=http://vaultwarden:80"

According to the docs and to #33 (comment), the value to input in SSO_AUDIENCE_TRUSTED is the ID of the Zitadel project, which is what I have set. The error I have is:

[2024-05-02 23:53:50.209][vaultwarden::sso][ERROR] Could not read id_token claims, Invalid audiences: `264080136108834819@[REDACTED]` is not a trusted audience

What is weird is that the invalid audience that the log says is wrong doesn't match any ID I could find in Zitadel. I have no idea what is wrong. Here is the full debug log:

### Running web-vault frontend with SSO override ###
/--------------------------------------------------------------------\
|                        Starting Vaultwarden                        |
|                          Version 1.30.5-9                          |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://github.com/dani-garcia/vaultwarden/discussions or        |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/
[2024-05-02 00:20:29.942][start][INFO] Rocket has launched from http://0.0.0.0:80
[2024-05-02 23:53:23.953][request][INFO] GET /api/config
[2024-05-02 23:53:23.953][response][INFO] (config) GET /api/config => 200 OK
[2024-05-02 23:53:29.382][request][INFO] GET /identity/sso/prevalidate?domainHint=VaultWarden
[2024-05-02 23:53:29.385][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2024-05-02 23:53:29.474][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2024-05-02 23:53:30.270][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-05-02 23:53:40.927][request][INFO] GET /identity/connect/oidc-signin?code=bpS3lE5XJvFsb9CdxqTAX2obN
[2024-05-02 23:53:40.928][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-05-02 23:53:42.137][request][INFO] GET /api/config
[2024-05-02 23:53:42.137][response][INFO] (config) GET /api/config => 200 OK
[2024-05-02 23:53:42.169][request][INFO] POST /identity/connect/token
[2024-05-02 23:53:43.320][vaultwarden::sso][ERROR] Could not read id_token claims, Invalid audiences: `264080136108834819@[REDACTED]` is not a trusted audience
[2024-05-02 23:53:43.320][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-05-02 23:53:46.483][request][INFO] GET /identity/sso/prevalidate?domainHint=VaultWarden
[2024-05-02 23:53:46.484][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2024-05-02 23:53:46.572][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2024-05-02 23:53:46.779][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-05-02 23:53:47.797][request][INFO] GET /identity/connect/oidc-signin?code=aVL8BHdRGIseQaboJwZmDUDVU
[2024-05-02 23:53:47.798][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-05-02 23:53:48.992][request][INFO] GET /api/config
[2024-05-02 23:53:48.992][response][INFO] (config) GET /api/config => 200 OK
[2024-05-02 23:53:49.016][request][INFO] POST /identity/connect/token
[2024-05-02 23:53:50.209][vaultwarden::sso][ERROR] Could not read id_token claims, Invalid audiences: `264080136108834819@[REDACTED]` is not a trusted audience
[2024-05-02 23:53:50.210][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Would you have an idea of what the problem could be? Thanks in advance for any answer, have a nice day.

Not sure if this solves the issue but I think you might have a typo, the configuration example for Zitadel says SSO_AUDIENCE_TRUSTED='^${Project Id}$', so there is another $ before your Project Id, which I think you might have missed

Thanks for noticing. There is a typo, which I fixed. But I did that while trying all the IDs I could find; it was correct originally. It is now

- SSO_AUDIENCE_TRUSTED='^$264076946105696259$'

but I still get the error
[2024-05-03 09:41:02.028][vaultwarden::sso][ERROR] Could not read id_token claims, Invalid audiences: `264080136108834819@saladserver` is not a trusted audience

Would you have another idea about what could be wrong?
Thanks in advance and have a nice day.

Hey

I'm not using Zitadel, so I'm unsure, but if the invalid audience reported in the log is stable, just put it in the regex for SSO_AUDIENCE_TRUSTED?

You can check that the 264080136108834819@saladserver is indeed the audience sent by activating SSO_DEBUG_TOKENS=true and parsing the token with https://jwt.io.

Hi,
I tried setting the ID from the error as the trusted audience, but it still produces the same error.

I would like to check what is the sent audience, and have activated SSO_DEBUG_TOKENS=true. But where do I get the token? I can't find it in the logs.

Sorry, missed that you already added it. It looks ok, but it looks like it's not passed, since I believe it should be output before the claims validation:

[2024-05-03 10:03:23.878][request][INFO] POST /identity/connect/token
[2024-05-03 10:03:24.015][vaultwarden::sso][DEBUG] Id token: 
[2024-05-03 10:03:24.015][vaultwarden::sso][DEBUG] Access token: 
[2024-05-03 10:03:24.015][vaultwarden::sso][DEBUG] Refresh token:

Weird, I don't have any [DEBUG] line in the logs and no lines like those:

### Running web-vault frontend with SSO override ###
/--------------------------------------------------------------------\
|                        Starting Vaultwarden                        |
|                          Version 1.30.5-9                          |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://github.com/dani-garcia/vaultwarden/discussions or        |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/
[2024-05-03 10:10:14.802][start][INFO] Rocket has launched from http://0.0.0.0:80
[2024-05-03 10:10:27.317][request][INFO] GET /api/config
[2024-05-03 10:10:27.318][response][INFO] (config) GET /api/config => 200 OK
[2024-05-03 10:10:28.289][request][INFO] GET /identity/sso/prevalidate?domainHint=VaultWarden
[2024-05-03 10:10:28.290][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2024-05-03 10:10:28.386][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2024-05-03 10:10:28.626][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-05-03 10:10:30.336][request][INFO] GET /identity/connect/oidc-signin?code=Ln9fxmGjpNdJtFY4rblvUOzK3
[2024-05-03 10:10:30.337][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-05-03 10:10:30.942][request][INFO] GET /api/config
[2024-05-03 10:10:30.942][response][INFO] (config) GET /api/config => 200 OK
[2024-05-03 10:10:30.956][request][INFO] POST /identity/connect/token
[2024-05-03 10:10:31.620][vaultwarden::sso][ERROR] Could not read id_token claims, Invalid audiences: `264080136108834819@saladserver` is not a trusted audience
[2024-05-03 10:10:31.620][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

This is all I get with - SSO_DEBUG_TOKENS=true.

Hey

Just tested with this docker-compose and a local vaultwarden.

When setting SSO_DEBUG_TOKENS the tokens are displayed before the claims error:

[2024-05-03 10:31:25.440][request][INFO] POST /identity/connect/token
[2024-05-03 10:31:26.788][vaultwarden::sso][DEBUG] Id token: ...
[2024-05-03 10:31:26.788][vaultwarden::sso][DEBUG] Access token: ...
[2024-05-03 10:31:26.788][vaultwarden::sso][DEBUG] Refresh token: ...
[2024-05-03 10:31:26.788][vaultwarden::sso][DEBUG] Expiration time: Some(43199s)
[2024-05-03 10:31:26.788][vaultwarden::sso][ERROR] Could not read id_token claims, Invalid audiences: `265463761383457010` is not a trusted audience

And after setting the audience given by the logs as SSO_AUDIENCE_TRUSTED='^265463761383457010$' I can log in without issues.

Hi,
I just tried disabling and re-enabling debug mode, it makes no difference, I don't have any debug information about the token. It is like the env variable is completely ignored. It makes no sense because all other env variables work. Would you have an idea why I can't enable debug mode?
I just tried wiping all vaultwarden data and recreating the container, same issue.

Thanks in advance for any answer and have a nice day

Just to be sure, I tested it by adding vaultwarden directly to the compose.
It appears that the environment handling is crap; I had some errors with my secret being invalid.

Switched to using env_file in the compose and an external file and problems disappeared, so I would suggest doing the same.

Do you have LOG_LEVEL set to Debug? I also once searched quite long for those tokens. Try to add LOG_LEVEL=debug to your environment variables.

Oh yes, forgot to mention that :( sorry.

Alternative is to activate it selectively with:

LOG_LEVEL_OVERRIDE="
vaultwarden::api::identity=debug
vaultwarden::auth=debug
vaultwarden::sso=debug
"

Not sure if multiline env values are supported in the docker-compose.

So for the SSO_AUDIENCE_TRUSTED I'm guessing that the single quote ' is not supported directly in the docker-compose and it will be included in the value (my secret was wrapped in it too).

I did not have LOG_LEVEL set to debug, which is now done, and that was my problem! I can now see the tokens.

[2024-05-03 11:32:33.912][start][INFO] Rocket has launched from http://0.0.0.0:80
[2024-05-03 11:33:33.906][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
[2024-05-03 11:33:33.906][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
[2024-05-03 11:33:33.937][request][INFO] GET /alive
[2024-05-03 11:33:33.937][response][INFO] (alive) GET /alive => 200 OK
[2024-05-03 11:33:37.936][request][INFO] GET /
[2024-05-03 11:33:37.936][response][INFO] (web_index) GET / => 200 OK
[2024-05-03 11:33:38.494][request][INFO] GET /api/config
[2024-05-03 11:33:38.494][response][INFO] (config) GET /api/config => 200 OK
[2024-05-03 11:33:39.204][request][INFO] GET /identity/sso/prevalidate?domainHint=VaultWarden
[2024-05-03 11:33:39.205][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2024-05-03 11:33:39.305][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2024-05-03 11:33:39.374][reqwest::connect][DEBUG] starting new connection: https://api.auth.mydomain.com/
[2024-05-03 11:33:39.573][reqwest::connect][DEBUG] starting new connection: https://api.auth.mydomain.com/
[2024-05-03 11:33:39.665][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-05-03 11:33:41.451][request][INFO] GET /identity/connect/oidc-signin?code=C8OM3QZozxaCAcGlpywiuz6s5
[2024-05-03 11:33:41.452][vaultwarden::api::identity][DEBUG] Redirection to https://vault.mydomain.com/sso-connector.html?code=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE3MTQ3MjkxMjEsImlzcyI6Imh0dHBzOi8vdmF1bHQuc2FsYWRjZXNhci5mcnxzc28iLCJjb2RlIjp7Ik9rIjp7ImNvZGUiOiJDOE9NM1Fab3p4YUNBY0dscHl3aXV6NnM1MWVaWExYbl9fRnVRZWRPR3JNMzd3Iiwic3RhdGUiOiJGeDdEV2dUaVFSM2pFeXZmVktVVVlIeVc0ZkpVM3pYdm4zOHZyYkJGWGJBNms0bTJGNHVSNERhRUxtbkRkZ2JwX2lkZW50aWZpZXI9dW5kZWZpbmVkIn19fQ.h_Dt-bef6BghDXTG3HLeUgF9mgFW45iBo5q5zuqK7Dd31kTq2jnVUcAJd67gA92ox2EdHyuZ8FJ9ZXwvZZ7OfKGSqZlvOk8NBY3PviegBd22e0TRxThbe6BdcQioq7Nx7nyiD2rYJZRvrOFshL4lSfsoFFnAWdsRiwUtQ9eqSfBKxVIe8e64AW-LDDmG2WNcWSqBcUORsBzxLulD_w41OtFflk8RvqahVxVyA7kzU-1Zjr_922YjagNn7JjcWOkjaZpageHmYI3jx0XmNqnpdubCL9nq5XJ8AHWAd8tWqfK41TjU9OyrH8MFKCwwECtYvNRVpQMSU5U49MK0Cjm0GQ&state=Fx7DWgTiQR3jEyvfVKUUYHyW4fJU3zXvn38vrbBFXbA6k4m2F4uR4DaELmnDdgbp_identifier%3Dundefined&scope=api+offline_access&iss=https%3A%2F%2Fvault.mydomain.com
[2024-05-03 11:33:41.452][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[2024-05-03 11:33:41.503][request][INFO] GET /sso-connector.html?code=eyJ0eXAiOiJKV1QiLCJhbGciO
[2024-05-03 11:33:41.503][response][INFO] (web_files) GET /<p..> [10] => 200 OK
[2024-05-03 11:33:42.127][request][INFO] GET /api/config
[2024-05-03 11:33:42.128][response][INFO] (config) GET /api/config => 200 OK
[2024-05-03 11:33:42.144][request][INFO] POST /identity/connect/token
[2024-05-03 11:33:42.213][reqwest::connect][DEBUG] starting new connection: https://api.auth.mydomain.com/
[2024-05-03 11:33:42.322][reqwest::connect][DEBUG] starting new connection: https://api.auth.mydomain.com/
[2024-05-03 11:33:42.453][reqwest::connect][DEBUG] starting new connection: https://api.auth.mydomain.com/
[2024-05-03 11:33:43.182][reqwest::connect][DEBUG] starting new connection: https://api.auth.mydomain.com/
[2024-05-03 11:33:43.331][vaultwarden::sso][DEBUG] Id token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjI2NTQ1OTAyODMyOTQ5NjU3OSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FwaS5hdXRoLnNhbGFkY2VzYXIuZnIiLCJzdWIiOiIyNjM5MzI5MDQ2MTMyMTYyNTkiLCJhdWQiOlsiMjY0MDc3MDEyMTQwODgzOTcxQHNhbGFkc2VydmVyIiwiMjY0MDgwMTM2MTA4ODM0ODE5QHNhbGFkc2VydmVyIiwiMjY1MjU3NjMxMjM5NzAwNDgzQGFwcHMiLCIyNjQwNzY5NDYxMDU2OTYyNTkiXSwiZXhwIjoxNzE0NzcyMDIzLCJpYXQiOjE3MTQ3Mjg4MjMsImF1dGhfdGltZSI6MTcxNDEyNDY2Nywibm9uY2UiOiIyQlpMcHN3UEpyWmkwYkJBdURvNGlnIiwiYW1yIjpbInBhc3N3b3JkIiwicHdkIl0sImF6cCI6IjI2NDA3NzAxMjE0MDg4Mzk3MUBzYWxhZHNlcnZlciIsImNsaWVudF9pZCI6IjI2NDA3NzAxMjE0MDg4Mzk3MUBzYWxhZHNlcnZlciIsImF0X2hhc2giOiJrZTJoVnRmTUdlVUdFU0sxVzRSalJnIiwiY19oYXNoIjoiWU1jSEFGbzJlX3hBbnR6SkVsQVpjQSJ9.VWWnTYYnzg8t0L-oVC20vr2uAA8g78Yt-5hr_x--YbJsNAKXixFa0w1C0e0i6sxo4IUXV2QF5BUoQMSwb0wwww_Qwguo1opqf5HA5TFlnhaIEZ2sXSGnupYt5aphTFy8r9CaFA9kOfyLO6hsgp6YNtAMXNDy-T2izeQlRzrF2TNDNjXNdUv0O_ArFKumAn7Pg5GFpdqOcgLP03_HsgwDg60tVmaQInakrEKmrL9BSElWEsUaw8iTz_QJjrXtGkwW6gI8YIPnhOOlchbUxL8UM6hO04P35rLFlexHh77k9wqHtRoZcYtdm5oziXtDBvnotaVcVBmGlMM9SrxO8lXIWQ
[2024-05-03 11:33:43.331][vaultwarden::sso][DEBUG] Access token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjI2NTQ1OTAyODMyOTQ5NjU3OSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FwaS5hdXRoLnNhbGFkY2VzYXIuZnIiLCJzdWIiOiIyNjM5MzI5MDQ2MTMyMTYyNTkiLCJhdWQiOlsiMjY0MDc3MDEyMTQwODgzOTcxQHNhbGFkc2VydmVyIiwiMjY0MDgwMTM2MTA4ODM0ODE5QHNhbGFkc2VydmVyIiwiMjY1MjU3NjMxMjM5NzAwNDgzQGFwcHMiLCIyNjQwNzY5NDYxMDU2OTYyNTkiXSwiZXhwIjoxNzE0NzcyMDIyLCJpYXQiOjE3MTQ3Mjg4MjIsIm5iZiI6MTcxNDcyODgyMiwianRpIjoiMjY1NDcwNjI0NzkxNTI3NDI3In0.beMLkwxDqMLz6dCLv6P7QKzdtBNM7RwmOL-KMNNQP5qTj_yIfbT-YKyzBOULaKANaXhBiE5PJGLUFizdqsT5sbPui76FavCIyittW5z2ZjUZcbiRsSEkbFJ0MzCT-nHVt7NCcky9K8UMd9_2F7omNqx8i9mIM4ubMzAyJ1nsy6dabU8ZtqY1aTYUv9KNGR5QIWWh2SxODQktnsBBPwcw9a_vVf97Ajft584dI5xobXYDo9YJaSk0Zwk7aPKi3q6mCYTvzK4Shs18pvQRlw_YSYmmnVfA6O6YeAvzt42cy-ne1oz8LiF2UtAEGWidtUVCCWFJVhccfSclfkyURRW1ng
[2024-05-03 11:33:43.331][vaultwarden::sso][DEBUG] Refresh token: None
[2024-05-03 11:33:43.331][vaultwarden::sso][DEBUG] Expiration time: Some(43199s)
[2024-05-03 11:33:43.331][vaultwarden::sso][ERROR] Could not read id_token claims, Invalid audiences: `264080136108834819@saladserver` is not a trusted audience
[2024-05-03 11:33:43.331][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Decoded with jwt.io, I have this:

{
  "iss": "https://api.auth.mydomain.com",
  "sub": "263932904613216259",
  "aud": [
    "264077012140883971@[REDACTED]",
    "264080136108834819@[REDACTED]",
    "265257631239700483@[REDACTED]",
    "264076946105696259"
  ],
  "exp": 1714771689,
  "iat": 1714728490,
  "nbf": 1714728490,
  "jti": "265470066261229571"
}

The ID I have in my error is

264080136108834819@[REDACTED]

The ID I have set as trusted audience is

- SSO_AUDIENCE_TRUSTED='^$264076946105696259$'

Single quotes should be supported, I use them in other composes without issues.

I am not sure what to conclude from the decoded JWT.

What is weird is that it says "Refresh token: None", but I have specifically enabled them in Zitadel.

SSO_AUDIENCE_TRUSTED should be ^264080136108834819@[REDACTED]$. ^ matches the beginning of the input and $ matches the end of the input.

Thanks, you were right, I was missing @[REDACTED] at the end. That apparently worked, because I now have the same error message but with a different ID in the error. So I think it works, but I have to add multiple IDs to the trusted audience. Do you know how I can do that?

Did you also have to allow multiple audiences?

EDIT: Found it, I used the standard regex | and had to add 3 IDs for it to work. But I'm still interested whether you needed to do that too with Zitadel.

Also, I now have the following error:
[ERROR] Neither id token nor userinfo contained an email
In Zitadel, my user correctly has an email. Did you have to enable something so that the email is passed to the apps ?
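As an added illustration (not code from this thread or from Vaultwarden), the following Python check decodes an id_token payload the way jwt.io does and applies a candidate SSO_AUDIENCE_TRUSTED regex to its `aud` list, showing why the `^$...$` typo matches nothing, why a single correct ID still leaves other audiences untrusted, and how a `|` alternation covers all of them. It assumes, from the errors quoted in this thread, that every audience other than the client_id must match the regex; the token, the client_id and the organization suffix `example-org` are constructed sample values.

```python
import base64
import json
import re


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: the `aud` list mirrors the one decoded in this thread,
# with "example-org" standing in for the redacted organization name.
# The header and signature are dummies; this is not a real Zitadel token.
SAMPLE_CLIENT_ID = "264077012140883971@example-org"
SAMPLE_PAYLOAD = {
    "iss": "https://api.auth.example.invalid",
    "sub": "263932904613216259",
    "aud": [
        "264077012140883971@example-org",   # our own client_id
        "264080136108834819@example-org",
        "265257631239700483@apps",
        "264076946105696259",               # the Zitadel project id
    ],
    "azp": SAMPLE_CLIENT_ID,
}
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "dummy-signature",
])


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Only for inspecting which audiences the provider put in the token
    (what jwt.io shows); Vaultwarden itself verifies the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def untrusted_audiences(claims: dict, client_id: str, trusted_regex: str) -> list:
    """Return `aud` entries that are neither our client_id nor matched by
    SSO_AUDIENCE_TRUSTED. Assumption: login succeeds only when this is empty."""
    pattern = re.compile(trusted_regex)
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # a single audience may be a bare string
        aud = [aud]
    return [a for a in aud if a != client_id and not pattern.search(a)]


if __name__ == "__main__":
    claims = decode_claims(SAMPLE_ID_TOKEN)
    candidates = [
        "^$264076946105696259$",   # the typo: a '$' mid-pattern can never match
        "^264076946105696259$",    # correct anchors, but only one audience trusted
        "^(264080136108834819@example-org|265257631239700483@apps|264076946105696259)$",
    ]
    for regex in candidates:
        print(regex, "->", untrusted_audiences(claims, SAMPLE_CLIENT_ID, regex))
```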

In your earlier comment the decoded id_token you included has almost no information.

In https://zitadel.com/docs/apis/openidoauth/endpoints
it's mentioned that:

Following the OIDC Core 1.0 specs whenever an access_token is issued, the id_token will not contain any claims of the scopes profile, email, phone and address.

Send the access_token to the userinfo_endpoint or introspection_endpoint to retrieve these claims or set the id_token_userinfo_assertion Option ("User Info inside ID Token" in Console) to true.

So that would explain the missing info in the id_token, but no idea why it would be missing from the user information.

Note: I had no issue when testing locally (with client secret) so probably some config.

@Timshel, thanks, you were right, I had to activate a setting in Zitadel for it to send more info in userinfo. I now have the following token:

{
  "iss": "https://api.auth.redacted.fr",
  "sub": "263932904613216259",
  "aud": [
    "264077012140883971@redacted",
    "264080136108834819@redacted",
    "265257631239700483@apps",
    "265976263691272195@apps",
    "264076946105696259"
  ],
  "exp": 1715073935,
  "iat": 1715030735,
  "auth_time": 1715030442,
  "nonce": "UYTaKxgzsYPiz23c-tffYw",
  "amr": [
    "password",
    "pwd"
  ],
  "azp": "264077012140883971@redacted",
  "client_id": "264077012140883971@redacted",
  "at_hash": "QezSYU5x7XmB_fJGWTG83g",
  "c_hash": "9aVqHdKJQfKjjzB5UtxCCQ",
  "name": "ZITADEL Admin",
  "given_name": "ZITADEL",
  "family_name": "Admin",
  "locale": "en",
  "updated_at": 1713812271,
  "preferred_username": "zitadel-admin@zitadel.auth.redacted"
}

This one has more info in it. It contains the email in "preferred_username". But Vaultwarden SSO still says
[ERROR] Neither id token nor userinfo contained an email
So I guess it wants the email in a specific field name. Do you know what the name of that field should be? Simply email? If I know exactly what Vaultwarden SSO wants for the email, I will be able to ask Zitadel support how to achieve it in this format.

Thanks in advance for any answer and have a great day.

I found out what my issue was. Zitadel was indeed not including the email field in its ID token. To get Zitadel to add it, I had to enable User Info inside ID Token and also set these scopes in vaultwarden:
- SSO_SCOPES="openid email profile offline_access"
This variable in the documentation misses the openid scope and that was my problem.

@Halyul, your configuration only included email profile offline_access, how did you manage to log in to Vaultwarden without the openid scope?

@LeVraiRoiDHyrule you should not have to add the openid scope to SSO_SCOPES.
It's added by default when building the authorization url.

You can check that even without it in the config, it will then be present in the url when you are redirected to the sso provider.

That's weird, because I can confirm that adding it to the scope list makes a difference on my setup. Without it, I don't get any email from Zitadel. The Zitadel maintainer also seems to think that the problem is a missing scope sent by the application: zitadel/zitadel#7920

EDIT: I said originally that only the first login required the openid scope and that further logins worked without it. I was wrong: no login works without the openid scope, even further logins after account creation. I have removed it and can no longer log in due to the email field not being present in the ID token.

@LeVraiRoiDHyrule have you checked the redirection url to zitadel ?

Tested again with: SSO_SCOPES="email profile roles groups"
I correctly obtain:

http://.../realms/test/protocol/openid-connect/auth?
	response_type=code
	&client_id=VaultWarden
	&state=Acbjmn3ibdVNYPQpyV4fQLjoKbYDjLrwshxY2iyo8ELb2kSAyCGQtTqWfp9PkDbK_identifier%3DTest
	&code_challenge=q1FQ5JkafSUlR2EAHRgX8RrM2qHfrEYsMmypehNo6es
	&code_challenge_method=S256
	&redirect_uri=http...
	&scope=openid+email+profile+roles+groups
	&nonce=tQCS3gRGISpmGgU5AjcdCg

If it's not included in your case can you open a separate issue please.

It is indeed not included. You can find my new issue here: #55

I believe you mentioned that everything is working now, so I'll close this :).