Spiegel von
https://github.com/dani-garcia/vaultwarden.git
synchronisiert 2024-11-28 06:10:28 +01:00
Activate PKCE by default
Dieser Commit ist enthalten in:
Ursprung
c328f6df26
Commit
a87e12f6e0
4 geänderte Dateien mit 5 neuen und 17 gelöschten Zeilen
|
@ -454,8 +454,8 @@
|
||||||
#SSO_SCOPES="email profile"
|
#SSO_SCOPES="email profile"
|
||||||
## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
|
## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
|
||||||
# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
|
# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
|
||||||
## Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support.
|
## Activate PKCE for the Auth Code flow.
|
||||||
# SSO_PKCE=false
|
# SSO_PKCE=true
|
||||||
## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted).
|
## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted).
|
||||||
# SSO_AUDIENCE_TRUSTED='^$'
|
# SSO_AUDIENCE_TRUSTED='^$'
|
||||||
## Set your Client ID and Client Key
|
## Set your Client ID and Client Key
|
||||||
|
|
15
SSO.md
15
SSO.md
|
@ -20,7 +20,7 @@ The following configurations are available
|
||||||
- $SSO_AUTHORITY/.well-known/openid-configuration should return the a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
|
- $SSO_AUTHORITY/.well-known/openid-configuration should return the a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
|
||||||
- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`)
|
- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`)
|
||||||
- `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
|
- `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
|
||||||
- `SSO_PKCE`: Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support (default `false`).
|
- `SSO_PKCE`: Activate PKCE for the Auth Code flow (default `true`).
|
||||||
- `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
|
- `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
|
||||||
- `SSO_CLIENT_ID` : Client Id
|
- `SSO_CLIENT_ID` : Client Id
|
||||||
- `SSO_CLIENT_SECRET` : Client Secret
|
- `SSO_CLIENT_SECRET` : Client Secret
|
||||||
|
@ -97,7 +97,6 @@ Server configuration, nothing specific just set:
|
||||||
- `SSO_AUTHORITY=https://${domain}/realms/${realm_name}`
|
- `SSO_AUTHORITY=https://${domain}/realms/${realm_name}`
|
||||||
- `SSO_CLIENT_ID`
|
- `SSO_CLIENT_ID`
|
||||||
- `SSO_CLIENT_SECRET`
|
- `SSO_CLIENT_SECRET`
|
||||||
- `SSO_PKCE=true`
|
|
||||||
|
|
||||||
### Testing
|
### Testing
|
||||||
|
|
||||||
|
@ -150,7 +149,6 @@ Server configuration should look like:
|
||||||
- `SSO_SCOPES="email profile offline_access"`
|
- `SSO_SCOPES="email profile offline_access"`
|
||||||
- `SSO_CLIENT_ID`
|
- `SSO_CLIENT_ID`
|
||||||
- `SSO_CLIENT_SECRET`
|
- `SSO_CLIENT_SECRET`
|
||||||
- `SSO_PKCE=true`
|
|
||||||
|
|
||||||
## Casdoor
|
## Casdoor
|
||||||
|
|
||||||
|
@ -162,7 +160,6 @@ Then configure your server with:
|
||||||
- `SSO_AUTHORITY=https://${provider_host}`
|
- `SSO_AUTHORITY=https://${provider_host}`
|
||||||
- `SSO_CLIENT_ID`
|
- `SSO_CLIENT_ID`
|
||||||
- `SSO_CLIENT_SECRET`
|
- `SSO_CLIENT_SECRET`
|
||||||
- `SSO_PKCE=true`
|
|
||||||
|
|
||||||
## GitLab
|
## GitLab
|
||||||
|
|
||||||
|
@ -177,7 +174,6 @@ Then configure your server with
|
||||||
- `SSO_AUTHORITY=https://gitlab.com`
|
- `SSO_AUTHORITY=https://gitlab.com`
|
||||||
- `SSO_CLIENT_ID`
|
- `SSO_CLIENT_ID`
|
||||||
- `SSO_CLIENT_SECRET`
|
- `SSO_CLIENT_SECRET`
|
||||||
- `SSO_PKCE=true`
|
|
||||||
|
|
||||||
## Google Auth
|
## Google Auth
|
||||||
|
|
||||||
|
@ -189,19 +185,12 @@ Configure your server with :
|
||||||
|
|
||||||
- `SSO_AUTHORITY=https://accounts.google.com`
|
- `SSO_AUTHORITY=https://accounts.google.com`
|
||||||
- `SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"`
|
- `SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"`
|
||||||
- `SSO_PKCE=true`
|
|
||||||
- `SSO_CLIENT_ID`
|
- `SSO_CLIENT_ID`
|
||||||
- `SSO_CLIENT_SECRET`
|
- `SSO_CLIENT_SECRET`
|
||||||
|
|
||||||
## Kanidm
|
## Kanidm
|
||||||
|
|
||||||
Kanidm recommend always running with PKCE:
|
Nothing specific should work with just `SSO_AUTHORITY`, `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET`.
|
||||||
|
|
||||||
Config will look like:
|
|
||||||
|
|
||||||
- `SSO_PKCE=true`
|
|
||||||
|
|
||||||
Otherwise you can disable the PKCE requirement with: `kanidm system oauth2 warning-insecure-client-disable-pkce CLIENT_NAME --name admin`.
|
|
||||||
|
|
||||||
## Microsoft Entra ID
|
## Microsoft Entra ID
|
||||||
|
|
||||||
|
|
|
@ -61,7 +61,6 @@ SMTP_TIMEOUT=5
|
||||||
SSO_CLIENT_ID=VaultWarden
|
SSO_CLIENT_ID=VaultWarden
|
||||||
SSO_CLIENT_SECRET=VaultWarden
|
SSO_CLIENT_SECRET=VaultWarden
|
||||||
SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM}
|
SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM}
|
||||||
SSO_PKCE=true
|
|
||||||
|
|
||||||
###########################
|
###########################
|
||||||
# Docker MariaDb container#
|
# Docker MariaDb container#
|
||||||
|
|
|
@ -659,7 +659,7 @@ make_config! {
|
||||||
/// Authorization request extra parameters
|
/// Authorization request extra parameters
|
||||||
sso_authorize_extra_params: String, false, def, String::new();
|
sso_authorize_extra_params: String, false, def, String::new();
|
||||||
/// Use PKCE during Authorization flow
|
/// Use PKCE during Authorization flow
|
||||||
sso_pkce: bool, false, def, false;
|
sso_pkce: bool, false, def, true;
|
||||||
/// Regex for additionnal trusted Id token audience |> By default only the client_id is trsuted.
|
/// Regex for additionnal trusted Id token audience |> By default only the client_id is trsuted.
|
||||||
sso_audience_trusted: String, false, option;
|
sso_audience_trusted: String, false, option;
|
||||||
/// CallBack Path |> Generated from Domain.
|
/// CallBack Path |> Generated from Domain.
|
||||||
|
|
Laden …
In neuem Issue referenzieren