&", rank = 1)]
+async fn oidcsignin(code: String, state: String, conn: DbConn) -> ApiResult {
+ oidcsignin_redirect(
+ state.clone(),
+ sso::OIDCCodeWrapper::Ok {
+ code,
+ state,
+ },
+ &conn,
+ )
+ .await
}
-#[get("/connect/oidc-signin?")]
-fn oidcsignin(code: String, jar: &CookieJar<'_>, _conn: DbConn) -> ApiResult {
- let cookiemanager = CookieManager::new(jar);
-
- let redirect_uri = match cookiemanager.get_cookie("redirect_uri".to_string()) {
- None => err!("No redirect_uri in cookie"),
- Some(uri) => uri,
- };
- let orig_state = match cookiemanager.get_cookie("state".to_string()) {
- None => err!("No state in cookie"),
- Some(state) => state,
- };
-
- cookiemanager.delete_cookie("redirect_uri".to_string());
- cookiemanager.delete_cookie("state".to_string());
-
- let redirect = CustomRedirect {
- url: format!("{redirect_uri}?code={code}&state={orig_state}"),
- headers: vec![],
- };
-
- Ok(redirect)
+// Bitwarden client appear to only care for code and state so we pipe it through
+// cf: https://github.com/bitwarden/clients/blob/8e46ef1ae5be8b62b0d3d0b9d1b1c62088a04638/libs/angular/src/auth/components/sso.component.ts#L68C11-L68C23)
+#[get("/connect/oidc-signin?&&", rank = 2)]
+async fn oidcsignin_error(
+ state: String,
+ error: String,
+ error_description: Option,
+ conn: DbConn,
+) -> ApiResult {
+ oidcsignin_redirect(
+ state.clone(),
+ sso::OIDCCodeWrapper::Error {
+ state,
+ error,
+ error_description,
+ },
+ &conn,
+ )
+ .await
}
-#[derive(FromForm)]
-#[allow(non_snake_case)]
+// iss and scope parameters are needed for redirection to work on IOS.
+async fn oidcsignin_redirect(state: String, wrapper: sso::OIDCCodeWrapper, conn: &DbConn) -> ApiResult {
+ let code = sso::encode_code_claims(wrapper);
+
+ let nonce = match SsoNonce::find(&state, conn).await {
+ Some(n) => n,
+ None => err!(format!("Failed to retrive redirect_uri with {state}")),
+ };
+
+ let mut url = match url::Url::parse(&nonce.redirect_uri) {
+ Ok(url) => url,
+ Err(err) => err!(format!("Failed to parse redirect uri ({}): {err}", nonce.redirect_uri)),
+ };
+
+ url.query_pairs_mut()
+ .append_pair("code", &code)
+ .append_pair("state", &state)
+ .append_pair("scope", &AuthMethod::Sso.scope())
+ .append_pair("iss", &CONFIG.domain());
+
+ debug!("Redirection to {url}");
+
+ Ok(Redirect::temporary(String::from(url)))
+}
+
+#[derive(Debug, Clone, Default, FromForm)]
struct AuthorizeData {
- #[allow(unused)]
#[field(name = uncased("client_id"))]
#[field(name = uncased("clientid"))]
- client_id: Option,
+ client_id: String,
#[field(name = uncased("redirect_uri"))]
#[field(name = uncased("redirecturi"))]
- redirect_uri: Option,
+ redirect_uri: String,
#[allow(unused)]
- #[field(name = uncased("response_type"))]
- #[field(name = uncased("responsetype"))]
response_type: Option,
#[allow(unused)]
- #[field(name = uncased("scope"))]
scope: Option,
- #[field(name = uncased("state"))]
- state: Option,
+ state: String,
#[allow(unused)]
- #[field(name = uncased("code_challenge"))]
code_challenge: Option,
#[allow(unused)]
- #[field(name = uncased("code_challenge_method"))]
code_challenge_method: Option,
#[allow(unused)]
- #[field(name = uncased("response_mode"))]
response_mode: Option,
#[allow(unused)]
- #[field(name = uncased("domain_hint"))]
domain_hint: Option,
#[allow(unused)]
#[field(name = uncased("ssoToken"))]
- ssoToken: Option,
+ sso_token: Option,
}
+// The `redirect_uri` will change depending of the client (web, android, ios ..)
#[get("/connect/authorize?")]
-async fn authorize(data: AuthorizeData, jar: &CookieJar<'_>, mut conn: DbConn) -> ApiResult {
- let cookiemanager = CookieManager::new(jar);
- match get_client_from_sso_config().await {
- Ok(client) => {
- let (auth_url, _csrf_state, nonce) = client
- .authorize_url(
- AuthenticationFlow::::AuthorizationCode,
- CsrfToken::new_random,
- Nonce::new_random,
- )
- .add_scope(Scope::new("email".to_string()))
- .add_scope(Scope::new("profile".to_string()))
- .url();
+async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult {
+ let AuthorizeData {
+ client_id,
+ redirect_uri,
+ state,
+ ..
+ } = data;
- let sso_nonce = SsoNonce::new(nonce.secret().to_string());
- sso_nonce.save(&mut conn).await?;
+ let auth_url = sso::authorize_url(state, &client_id, &redirect_uri, conn).await?;
- let redirect_uri = match data.redirect_uri {
- None => err!("No redirect_uri in data"),
- Some(uri) => uri,
- };
- cookiemanager.set_cookie("redirect_uri".to_string(), redirect_uri);
- let state = match data.state {
- None => err!("No state in data"),
- Some(state) => state,
- };
- cookiemanager.set_cookie("state".to_string(), state);
-
- let redirect = CustomRedirect {
- url: format!("{}", auth_url),
- headers: vec![],
- };
-
- Ok(redirect)
- }
- Err(_err) => err!("Unable to find client from identifier"),
- }
-}
-
-async fn get_auth_code_access_token(code: &str) -> ApiResult<(String, String, CoreUserInfoClaims)> {
- let oidc_code = AuthorizationCode::new(String::from(code));
- match get_client_from_sso_config().await {
- Ok(client) => match client.exchange_code(oidc_code).request_async(async_http_client).await {
- Ok(token_response) => {
- let refresh_token = match token_response.refresh_token() {
- Some(token) => token.secret().to_string(),
- None => String::new(),
- };
- let id_token = match token_response.extra_fields().id_token() {
- None => err!("Token response did not contain an id_token"),
- Some(token) => token.to_string(),
- };
-
- let user_info: CoreUserInfoClaims =
- match client.user_info(token_response.access_token().to_owned(), None) {
- Err(_err) => err!("Token response did not contain user_info"),
- Ok(info) => match info.request_async(async_http_client).await {
- Err(_err) => err!("Request to user_info endpoint failed"),
- Ok(claim) => claim,
- },
- };
-
- Ok((refresh_token, id_token, user_info))
- }
- Err(err) => err!("Failed to contact token endpoint: {}", err.to_string()),
- },
- Err(_err) => err!("Unable to find client"),
- }
+ Ok(Redirect::temporary(String::from(auth_url)))
}
diff --git a/src/api/mod.rs b/src/api/mod.rs
index d5281bda..753c60e1 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -35,7 +35,7 @@ pub use crate::api::{
use crate::db::{models::User, DbConn};
// Type aliases for API methods results
-type ApiResult = Result;
+pub type ApiResult = Result;
pub type JsonResult = ApiResult>;
pub type EmptyResult = ApiResult<()>;
diff --git a/src/auth.rs b/src/auth.rs
index d684249d..743287a6 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -1,6 +1,5 @@
// JWT Handling
-//
-use chrono::{TimeDelta, Utc};
+use chrono::{DateTime, TimeDelta, Utc};
use num_traits::FromPrimitive;
use once_cell::sync::{Lazy, OnceCell};
@@ -9,18 +8,29 @@ use openssl::rsa::Rsa;
use serde::de::DeserializeOwned;
use serde::ser::Serialize;
-use crate::{error::Error, CONFIG};
+use crate::{
+ api::ApiResult,
+ db::{
+ models::{Collection, Device, User, UserOrgStatus, UserOrgType, UserOrganization, UserStampException},
+ DbConn,
+ },
+ error::Error,
+ sso, CONFIG,
+};
const JWT_ALGORITHM: Algorithm = Algorithm::RS256;
-pub static DEFAULT_VALIDITY: Lazy = Lazy::new(|| TimeDelta::try_hours(2).unwrap());
+// Limit when BitWarden consider the token as expired
+pub static BW_EXPIRATION: Lazy = Lazy::new(|| TimeDelta::try_minutes(5).unwrap());
+
+pub static DEFAULT_REFRESH_VALIDITY: Lazy = Lazy::new(|| TimeDelta::try_days(30).unwrap());
+pub static DEFAULT_ACCESS_VALIDITY: Lazy = Lazy::new(|| TimeDelta::try_hours(2).unwrap());
static JWT_HEADER: Lazy = Lazy::new(|| Header::new(JWT_ALGORITHM));
pub static JWT_LOGIN_ISSUER: Lazy = Lazy::new(|| format!("{}|login", CONFIG.domain_origin()));
static JWT_INVITE_ISSUER: Lazy = Lazy::new(|| format!("{}|invite", CONFIG.domain_origin()));
static JWT_EMERGENCY_ACCESS_INVITE_ISSUER: Lazy =
Lazy::new(|| format!("{}|emergencyaccessinvite", CONFIG.domain_origin()));
-static JWT_SSOTOKEN_ISSUER: Lazy = Lazy::new(|| format!("{}|ssotoken", CONFIG.domain_origin()));
static JWT_DELETE_ISSUER: Lazy = Lazy::new(|| format!("{}|delete", CONFIG.domain_origin()));
static JWT_VERIFYEMAIL_ISSUER: Lazy = Lazy::new(|| format!("{}|verifyemail", CONFIG.domain_origin()));
static JWT_ADMIN_ISSUER: Lazy = Lazy::new(|| format!("{}|admin", CONFIG.domain_origin()));
@@ -73,7 +83,7 @@ pub fn encode_jwt(claims: &T) -> String {
}
}
-fn decode_jwt(token: &str, issuer: String) -> Result {
+pub fn decode_jwt(token: &str, issuer: String) -> Result {
let mut validation = jsonwebtoken::Validation::new(JWT_ALGORITHM);
validation.leeway = 30; // 30 seconds
validation.validate_exp = true;
@@ -92,6 +102,10 @@ fn decode_jwt(token: &str, issuer: String) -> Result Result {
+ decode_jwt(token, JWT_LOGIN_ISSUER.to_string())
+}
+
pub fn decode_login(token: &str) -> Result {
decode_jwt(token, JWT_LOGIN_ISSUER.to_string())
}
@@ -165,6 +179,73 @@ pub struct LoginJwtClaims {
pub amr: Vec,
}
+impl LoginJwtClaims {
+ pub fn new(device: &Device, user: &User, nbf: i64, exp: i64, scope: Vec, now: DateTime) -> Self {
+ // ---
+ // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
+ // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
+ // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
+ // ---
+ // fn arg: orgs: Vec,
+ // ---
+ // let orgowner: Vec<_> = orgs.iter().filter(|o| o.atype == 0).map(|o| o.org_uuid.clone()).collect();
+ // let orgadmin: Vec<_> = orgs.iter().filter(|o| o.atype == 1).map(|o| o.org_uuid.clone()).collect();
+ // let orguser: Vec<_> = orgs.iter().filter(|o| o.atype == 2).map(|o| o.org_uuid.clone()).collect();
+ // let orgmanager: Vec<_> = orgs.iter().filter(|o| o.atype == 3).map(|o| o.org_uuid.clone()).collect();
+
+ if exp <= (now + *BW_EXPIRATION).timestamp() {
+ warn!("Raise access_token lifetime to more than 5min.")
+ }
+
+ // Create the JWT claims struct, to send to the client
+ Self {
+ nbf,
+ exp,
+ iss: JWT_LOGIN_ISSUER.to_string(),
+ sub: user.uuid.clone(),
+ premium: true,
+ name: user.name.clone(),
+ email: user.email.clone(),
+ email_verified: !CONFIG.mail_enabled() || user.verified_at.is_some(),
+
+ // ---
+ // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
+ // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
+ // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
+ // See: https://github.com/dani-garcia/vaultwarden/issues/4156
+ // ---
+ // orgowner,
+ // orgadmin,
+ // orguser,
+ // orgmanager,
+ sstamp: user.security_stamp.clone(),
+ device: device.uuid.clone(),
+ scope,
+ amr: vec!["Application".into()],
+ }
+ }
+
+ pub fn default(device: &Device, user: &User, auth_method: &AuthMethod) -> Self {
+ let time_now = Utc::now();
+ Self::new(
+ device,
+ user,
+ time_now.timestamp(),
+ (time_now + *DEFAULT_ACCESS_VALIDITY).timestamp(),
+ auth_method.scope_vec(),
+ time_now,
+ )
+ }
+
+ pub fn token(&self) -> String {
+ encode_jwt(&self)
+ }
+
+ pub fn expires_in(&self) -> i64 {
+ self.exp - Utc::now().timestamp()
+ }
+}
+
#[derive(Debug, Serialize, Deserialize)]
pub struct InviteJwtClaims {
// Not before
@@ -318,28 +399,6 @@ pub fn generate_delete_claims(uuid: String) -> BasicJwtClaims {
}
}
-#[derive(Debug, Serialize, Deserialize)]
-pub struct SsoTokenJwtClaims {
- // Not before
- pub nbf: i64,
- // Expiration time
- pub exp: i64,
- // Issuer
- pub iss: String,
- // Subject
- pub sub: String,
-}
-
-pub fn generate_ssotoken_claims() -> SsoTokenJwtClaims {
- let time_now = Utc::now().naive_utc();
- SsoTokenJwtClaims {
- nbf: time_now.timestamp(),
- exp: (time_now + Duration::minutes(2)).timestamp(),
- iss: JWT_SSOTOKEN_ISSUER.to_string(),
- sub: "vaultwarden".to_string(),
- }
-}
-
pub fn generate_verify_email_claims(uuid: String) -> BasicJwtClaims {
let time_now = Utc::now();
let expire_hours = i64::from(CONFIG.invitation_expiration_hours());
@@ -379,11 +438,6 @@ use rocket::{
request::{FromRequest, Outcome, Request},
};
-use crate::db::{
- models::{Collection, Device, User, UserOrgStatus, UserOrgType, UserOrganization, UserStampException},
- DbConn,
-};
-
pub struct Host {
pub host: String,
}
@@ -887,3 +941,150 @@ impl<'r> FromRequest<'r> for WsAccessTokenHeader {
})
}
}
+
+#[derive(Clone, Debug, Ord, PartialOrd, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum AuthMethod {
+ OrgApiKey,
+ Password,
+ Sso,
+ UserApiKey,
+}
+
+pub trait AuthMethodScope {
+ fn scope_vec(&self) -> Vec;
+ fn scope(&self) -> String;
+ fn check_scope(&self, scope: Option<&String>) -> ApiResult;
+}
+
+impl AuthMethodScope for AuthMethod {
+ fn scope(&self) -> String {
+ match self {
+ AuthMethod::OrgApiKey => "api.organization".to_string(),
+ AuthMethod::Password => "api offline_access".to_string(),
+ AuthMethod::Sso => "api offline_access".to_string(),
+ AuthMethod::UserApiKey => "api".to_string(),
+ }
+ }
+
+ fn scope_vec(&self) -> Vec {
+ self.scope().split_whitespace().map(str::to_string).collect()
+ }
+
+ fn check_scope(&self, scope: Option<&String>) -> ApiResult {
+ let method_scope = self.scope();
+ match scope {
+ None => err!("Missing scope"),
+ Some(scope) if scope == &method_scope => Ok(method_scope),
+ Some(scope) => err!(format!("Scope ({scope}) not supported")),
+ }
+ }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum TokenWrapper {
+ Access(String),
+ Refresh(String),
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct RefreshJwtClaims {
+ // Not before
+ pub nbf: i64,
+ // Expiration time
+ pub exp: i64,
+ // Issuer
+ pub iss: String,
+ // Subject
+ pub sub: AuthMethod,
+
+ pub device_token: String,
+
+ pub token: Option,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct AuthTokens {
+ pub refresh_claims: RefreshJwtClaims,
+ pub access_claims: LoginJwtClaims,
+}
+
+impl AuthTokens {
+ pub fn refresh_token(&self) -> String {
+ encode_jwt(&self.refresh_claims)
+ }
+
+ pub fn access_token(&self) -> String {
+ self.access_claims.token()
+ }
+
+ pub fn expires_in(&self) -> i64 {
+ self.access_claims.expires_in()
+ }
+
+ pub fn scope(&self) -> String {
+ self.refresh_claims.sub.scope()
+ }
+
+ // Create refresh_token and access_token with default validity
+ pub fn new(device: &Device, user: &User, sub: AuthMethod) -> Self {
+ let time_now = Utc::now();
+
+ let access_claims = LoginJwtClaims::default(device, user, &sub);
+
+ let refresh_claims = RefreshJwtClaims {
+ nbf: time_now.timestamp(),
+ exp: (time_now + *DEFAULT_REFRESH_VALIDITY).timestamp(),
+ iss: JWT_LOGIN_ISSUER.to_string(),
+ sub,
+ device_token: device.refresh_token.clone(),
+ token: None,
+ };
+
+ Self {
+ refresh_claims,
+ access_claims,
+ }
+ }
+}
+
+pub async fn refresh_tokens(refresh_token: &str, conn: &mut DbConn) -> ApiResult<(Device, User, AuthTokens)> {
+ let time_now = Utc::now();
+
+ let refresh_claims = match decode_refresh(refresh_token) {
+ Err(err) => err!(format!("Impossible to read refresh_token: {err}")),
+ Ok(claims) => claims,
+ };
+
+ // Get device by refresh token
+ let mut device = match Device::find_by_refresh_token(&refresh_claims.device_token, conn).await {
+ None => err!("Invalid refresh token"),
+ Some(device) => device,
+ };
+
+ // Roll the Device.refresh_token this way it invalides old JWT refresh_token
+ device.roll_refresh_token();
+ device.save(conn).await?;
+
+ let user = match User::find_by_uuid(&device.user_uuid, conn).await {
+ None => err!("Impossible to find user"),
+ Some(user) => user,
+ };
+
+ if refresh_claims.exp < time_now.timestamp() {
+ err!("Expired refresh token");
+ }
+
+ let auth_tokens = match refresh_claims.sub {
+ AuthMethod::Sso if CONFIG.sso_enabled() && CONFIG.sso_auth_only_not_session() => {
+ AuthTokens::new(&device, &user, refresh_claims.sub)
+ }
+ AuthMethod::Sso if CONFIG.sso_enabled() => sso::exchange_refresh_token(&device, &user, &refresh_claims).await?,
+ AuthMethod::Sso => err!("SSO is now disabled, Login again using email and master password"),
+ AuthMethod::Password if CONFIG.sso_enabled() && CONFIG.sso_only() => err!("SSO is now required, Login again"),
+ AuthMethod::Password => AuthTokens::new(&device, &user, refresh_claims.sub),
+ _ => err!("Invalid auth method cannot refresh token"),
+ };
+
+ Ok((device, user, auth_tokens))
+}
diff --git a/src/config.rs b/src/config.rs
index 6b55a9b9..ce5d64d1 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -409,7 +409,9 @@ make_config! {
/// Auth Request cleanup schedule |> Cron schedule of the job that cleans old auth requests from the auth request.
/// Defaults to every minute. Set blank to disable this job.
auth_request_purge_schedule: String, false, def, "30 * * * * *".to_string();
-
+ /// Purge incomplete sso nonce.
+ /// Defaults to daily. Set blank to disable this job.
+ purge_incomplete_sso_nonce: String, false, def, "0 20 0 * * *".to_string();
},
/// General settings
@@ -609,19 +611,33 @@ make_config! {
/// OpenID Connect SSO settings
sso {
/// Enabled
- sso_enabled: bool, true, def, false;
- /// Force SSO login
- sso_only: bool, true, def, false;
+ sso_enabled: bool, true, def, false;
+ /// Disable Email+Master Password login
+ sso_only: bool, true, def, false;
+ /// Associate existing user based on email
+ sso_signups_match_email: bool, true, def, true;
/// Client ID
- sso_client_id: String, true, def, String::new();
+ sso_client_id: String, false, def, String::new();
/// Client Key
- sso_client_secret: Pass, true, def, String::new();
+ sso_client_secret: Pass, false, def, String::new();
/// Authority Server
- sso_authority: String, true, def, String::new();
+ sso_authority: String, false, def, String::new();
+ /// Scopes required for authorize
+ sso_scopes: String, false, def, "email profile".to_string();
+ /// Additionnal authorization url parameters
+ sso_authorize_extra_params: String, false, def, String::new();
+ /// Use PKCE during Auth Code flow
+ sso_pkce: bool, false, def, false;
+ /// Regex for additionnal trusted Id token audience
+ sso_audience_trusted: String, false, option;
/// CallBack Path
- sso_callback_path: String, false, gen, |c| generate_sso_callback_path(&c.domain);
- /// Allow workaround so SSO logins accept all invites
- sso_acceptall_invites: bool, true, def, false;
+ sso_callback_path: String, false, gen, |c| generate_sso_callback_path(&c.domain);
+ /// Optional sso master password policy
+ sso_master_password_policy: String, true, option;
+ /// Use sso only for auth not the session lifecycle
+ sso_auth_only_not_session: bool, true, def, false;
+ /// Log all tokens, LOG_LEVEL=debug is required
+ sso_debug_tokens: bool, true, def, false;
},
/// Yubikey settings
@@ -647,7 +663,7 @@ make_config! {
/// Host
duo_host: String, true, option;
/// Application Key (generated automatically)
- _duo_akey: Pass, false, option;
+ _duo_akey: Pass, true, option;
},
/// SMTP Email Settings
@@ -833,10 +849,14 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
err!("All Duo options need to be set for global Duo support")
}
- if cfg.sso_enabled
- && (cfg.sso_client_id.is_empty() || cfg.sso_client_secret.is_empty() || cfg.sso_authority.is_empty())
- {
- err!("`SSO_CLIENT_ID`, `SSO_CLIENT_SECRET` and `SSO_AUTHORITY` must be set for SSO support")
+ if cfg.sso_enabled {
+ if cfg.sso_client_id.is_empty() || cfg.sso_client_secret.is_empty() || cfg.sso_authority.is_empty() {
+ err!("`SSO_CLIENT_ID`, `SSO_CLIENT_SECRET` and `SSO_AUTHORITY` must be set for SSO support")
+ }
+
+ internal_sso_issuer_url(&cfg.sso_authority)?;
+ internal_sso_redirect_url(&cfg.sso_callback_path)?;
+ check_master_password_policy(&cfg.sso_master_password_policy)?;
}
if cfg._enable_yubico {
@@ -1011,6 +1031,28 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
Ok(())
}
+fn internal_sso_issuer_url(sso_authority: &String) -> Result {
+ match openidconnect::IssuerUrl::new(sso_authority.clone()) {
+ Err(err) => err!(format!("Invalid sso_authority UR ({sso_authority}): {err}")),
+ Ok(issuer_url) => Ok(issuer_url),
+ }
+}
+
+fn internal_sso_redirect_url(sso_callback_path: &String) -> Result {
+ match openidconnect::RedirectUrl::new(sso_callback_path.clone()) {
+ Err(err) => err!(format!("Invalid sso_callback_path ({sso_callback_path} built using `domain`) URL: {err}")),
+ Ok(redirect_url) => Ok(redirect_url),
+ }
+}
+
+fn check_master_password_policy(sso_master_password_policy: &Option) -> Result<(), Error> {
+ let policy = sso_master_password_policy.as_ref().map(|mpp| serde_json::from_str::(mpp));
+ if let Some(Err(error)) = policy {
+ err!(format!("Invalid sso_master_password_policy ({error}), Ensure that it's correctly escaped with ''"))
+ }
+ Ok(())
+}
+
/// Extracts an RFC 6454 web origin from a URL.
fn extract_url_origin(url: &str) -> String {
match Url::parse(url) {
@@ -1088,6 +1130,26 @@ fn smtp_convert_deprecated_ssl_options(smtp_ssl: Option, smtp_explicit_tls
"starttls".to_string()
}
+/// Allow to parse a multiline list of Key/Values (`key=value`)
+/// Will ignore comment lines (starting with `//`)
+fn parse_param_list(config: String) -> Vec<(String, String)> {
+ config
+ .lines()
+ .map(|l| l.trim())
+ .filter(|l| !l.is_empty() && !l.starts_with("//"))
+ .filter_map(|l| {
+ let split = l.split('=').collect::>();
+ match &split[..] {
+ [key, value] => Some(((*key).to_string(), (*value).to_string())),
+ _ => {
+ println!("[WARNING] Failed to parse ({l}). Expected key=value");
+ None
+ }
+ }
+ })
+ .collect()
+}
+
impl Config {
pub fn load() -> Result {
// Loading from env and file
@@ -1277,6 +1339,22 @@ impl Config {
}
}
}
+
+ pub fn sso_issuer_url(&self) -> Result {
+ internal_sso_issuer_url(&self.sso_authority())
+ }
+
+ pub fn sso_redirect_url(&self) -> Result {
+ internal_sso_redirect_url(&self.sso_callback_path())
+ }
+
+ pub fn sso_scopes_vec(&self) -> Vec {
+ self.sso_scopes().split_whitespace().map(str::to_string).collect()
+ }
+
+ pub fn sso_authorize_extra_params_vec(&self) -> Vec<(String, String)> {
+ parse_param_list(self.sso_authorize_extra_params())
+ }
}
use handlebars::{
@@ -1335,6 +1413,7 @@ where
reg!("email/send_single_org_removed_from_org", ".html");
reg!("email/set_password", ".html");
reg!("email/smtp_test", ".html");
+ reg!("email/sso_change_email", ".html");
reg!("email/twofactor_email", ".html");
reg!("email/verify_email", ".html");
reg!("email/welcome_must_verify", ".html");
diff --git a/src/db/models/device.rs b/src/db/models/device.rs
index 60c63589..e5e165e5 100644
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -1,6 +1,7 @@
use chrono::{NaiveDateTime, Utc};
+use data_encoding::{BASE64, BASE64URL};
-use crate::{crypto, CONFIG};
+use crate::crypto;
use core::fmt;
db_object! {
@@ -42,13 +43,16 @@ impl Device {
push_uuid: None,
push_token: None,
- refresh_token: String::new(),
+ refresh_token: crypto::encode_random_bytes::<64>(BASE64URL),
twofactor_remember: None,
}
}
+ pub fn roll_refresh_token(&mut self) {
+ self.refresh_token = crypto::encode_random_bytes::<64>(BASE64URL)
+ }
+
pub fn refresh_twofactor_remember(&mut self) -> String {
- use data_encoding::BASE64;
let twofactor_remember = crypto::encode_random_bytes::<180>(BASE64);
self.twofactor_remember = Some(twofactor_remember.clone());
@@ -59,61 +63,6 @@ impl Device {
self.twofactor_remember = None;
}
- pub fn refresh_tokens(&mut self, user: &super::User, scope: Vec) -> (String, i64) {
- // If there is no refresh token, we create one
- if self.refresh_token.is_empty() {
- use data_encoding::BASE64URL;
- self.refresh_token = crypto::encode_random_bytes::<64>(BASE64URL);
- }
-
- // Update the expiration of the device and the last update date
- let time_now = Utc::now();
- self.updated_at = time_now.naive_utc();
-
- // ---
- // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
- // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
- // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
- // ---
- // fn arg: orgs: Vec,
- // ---
- // let orgowner: Vec<_> = orgs.iter().filter(|o| o.atype == 0).map(|o| o.org_uuid.clone()).collect();
- // let orgadmin: Vec<_> = orgs.iter().filter(|o| o.atype == 1).map(|o| o.org_uuid.clone()).collect();
- // let orguser: Vec<_> = orgs.iter().filter(|o| o.atype == 2).map(|o| o.org_uuid.clone()).collect();
- // let orgmanager: Vec<_> = orgs.iter().filter(|o| o.atype == 3).map(|o| o.org_uuid.clone()).collect();
-
- // Create the JWT claims struct, to send to the client
- use crate::auth::{encode_jwt, LoginJwtClaims, DEFAULT_VALIDITY, JWT_LOGIN_ISSUER};
- let claims = LoginJwtClaims {
- nbf: time_now.timestamp(),
- exp: (time_now + *DEFAULT_VALIDITY).timestamp(),
- iss: JWT_LOGIN_ISSUER.to_string(),
- sub: user.uuid.clone(),
-
- premium: true,
- name: user.name.clone(),
- email: user.email.clone(),
- email_verified: !CONFIG.mail_enabled() || user.verified_at.is_some(),
-
- // ---
- // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
- // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
- // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
- // See: https://github.com/dani-garcia/vaultwarden/issues/4156
- // ---
- // orgowner,
- // orgadmin,
- // orguser,
- // orgmanager,
- sstamp: user.security_stamp.clone(),
- device: self.uuid.clone(),
- scope,
- amr: vec!["Application".into()],
- };
-
- (encode_jwt(&claims), DEFAULT_VALIDITY.num_seconds())
- }
-
pub fn is_push_device(&self) -> bool {
matches!(DeviceType::from_i32(self.atype), DeviceType::Android | DeviceType::Ios)
}
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index 9a4e7585..465ea5c7 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -32,4 +32,4 @@ pub use self::send::{Send, SendType};
pub use self::sso_nonce::SsoNonce;
pub use self::two_factor::{TwoFactor, TwoFactorType};
pub use self::two_factor_incomplete::TwoFactorIncomplete;
-pub use self::user::{Invitation, User, UserKdfType, UserStampException};
+pub use self::user::{Invitation, SsoUser, User, UserKdfType, UserStampException};
diff --git a/src/db/models/org_policy.rs b/src/db/models/org_policy.rs
index e5a845f6..92f4d999 100644
--- a/src/db/models/org_policy.rs
+++ b/src/db/models/org_policy.rs
@@ -27,7 +27,7 @@ pub enum OrgPolicyType {
MasterPassword = 1,
PasswordGenerator = 2,
SingleOrg = 3,
- RequireSso = 4,
+ // RequireSso = 4, // Not supported
PersonalOwnership = 5,
DisableSend = 6,
SendOptions = 7,
@@ -77,12 +77,11 @@ impl OrgPolicy {
}
pub fn to_json(&self) -> Value {
- let data_json: Value = serde_json::from_str(&self.data).unwrap_or(Value::Null);
json!({
"id": self.uuid,
"organizationId": self.org_uuid,
"type": self.atype,
- "data": data_json,
+ "data": serde_json::from_str(&self.data).unwrap_or(Value::Null),
"enabled": self.enabled,
"object": "policy",
})
diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs
index fd952955..b7e68475 100644
--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@@ -25,6 +25,7 @@ db_object! {
pub uuid: String,
pub user_uuid: String,
pub org_uuid: String,
+ pub invited_by_email: Option,
pub access_all: bool,
pub akey: String,
@@ -167,7 +168,7 @@ impl Organization {
"useTotp": true,
"usePolicies": true,
// "UseScim": false, // Not supported (Not AGPLv3 Licensed)
- "useSso": CONFIG.sso_enabled(),
+ "useSso": false, // Not supported
// "UseKeyConnector": false, // Not supported
"selfHost": true,
"useApi": true,
@@ -197,12 +198,13 @@ impl Organization {
static ACTIVATE_REVOKE_DIFF: i32 = 128;
impl UserOrganization {
- pub fn new(user_uuid: String, org_uuid: String) -> Self {
+ pub fn new(user_uuid: String, org_uuid: String, invited_by_email: Option) -> Self {
Self {
uuid: crate::util::get_uuid(),
user_uuid,
org_uuid,
+ invited_by_email,
access_all: false,
akey: String::new(),
@@ -385,7 +387,7 @@ impl UserOrganization {
"resetPasswordEnrolled": self.reset_password_key.is_some(),
"useResetPassword": CONFIG.mail_enabled(),
"ssoBound": false, // Not supported
- "useSso": CONFIG.sso_enabled(),
+ "useSso": false, // Not supported
"useKeyConnector": false,
"useSecretsManager": false,
"usePasswordManager": true,
@@ -652,6 +654,17 @@ impl UserOrganization {
}}
}
+ pub async fn confirm_user_invitations(user_uuid: &str, conn: &mut DbConn) -> EmptyResult {
+ db_run! { conn: {
+ diesel::update(users_organizations::table)
+ .filter(users_organizations::user_uuid.eq(user_uuid))
+ .filter(users_organizations::status.eq(UserOrgStatus::Invited as i32))
+ .set(users_organizations::status.eq(UserOrgStatus::Accepted as i32))
+ .execute(conn)
+ .map_res("Error confirming invitations")
+ }}
+ }
+
pub async fn find_any_state_by_user(user_uuid: &str, conn: &mut DbConn) -> Vec {
db_run! { conn: {
users_organizations::table
diff --git a/src/db/models/sso_nonce.rs b/src/db/models/sso_nonce.rs
index 0a9533e0..881f075b 100644
--- a/src/db/models/sso_nonce.rs
+++ b/src/db/models/sso_nonce.rs
@@ -1,21 +1,34 @@
+use chrono::{NaiveDateTime, Utc};
+
use crate::api::EmptyResult;
-use crate::db::DbConn;
+use crate::db::{DbConn, DbPool};
use crate::error::MapResult;
+use crate::sso::NONCE_EXPIRATION;
db_object! {
#[derive(Identifiable, Queryable, Insertable)]
#[diesel(table_name = sso_nonce)]
- #[diesel(primary_key(nonce))]
+ #[diesel(primary_key(state))]
pub struct SsoNonce {
+ pub state: String,
pub nonce: String,
+ pub verifier: Option,
+ pub redirect_uri: String,
+ pub created_at: NaiveDateTime,
}
}
/// Local methods
impl SsoNonce {
- pub fn new(nonce: String) -> Self {
- Self {
+ pub fn new(state: String, nonce: String, verifier: Option, redirect_uri: String) -> Self {
+ let now = Utc::now().naive_utc();
+
+ SsoNonce {
+ state,
nonce,
+ verifier,
+ redirect_uri,
+ created_at: now,
}
}
}
@@ -28,7 +41,7 @@ impl SsoNonce {
diesel::replace_into(sso_nonce::table)
.values(SsoNonceDb::to_db(self))
.execute(conn)
- .map_res("Error saving SSO device")
+ .map_res("Error saving SSO nonce")
}
postgresql {
let value = SsoNonceDb::to_db(self);
@@ -40,21 +53,37 @@ impl SsoNonce {
}
}
- pub async fn delete(self, conn: &mut DbConn) -> EmptyResult {
+ pub async fn delete(state: &str, conn: &mut DbConn) -> EmptyResult {
db_run! { conn: {
- diesel::delete(sso_nonce::table.filter(sso_nonce::nonce.eq(self.nonce)))
+ diesel::delete(sso_nonce::table.filter(sso_nonce::state.eq(state)))
.execute(conn)
.map_res("Error deleting SSO nonce")
}}
}
- pub async fn find(nonce: &str, conn: &mut DbConn) -> Option {
+ pub async fn find(state: &str, conn: &DbConn) -> Option {
+ let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
db_run! { conn: {
sso_nonce::table
- .filter(sso_nonce::nonce.eq(nonce))
+ .filter(sso_nonce::state.eq(state))
+ .filter(sso_nonce::created_at.ge(oldest))
.first::(conn)
.ok()
.from_db()
}}
}
+
+ pub async fn delete_expired(pool: DbPool) -> EmptyResult {
+ debug!("Purging expired sso_nonce");
+ if let Ok(conn) = pool.get().await {
+ let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
+ db_run! { conn: {
+ diesel::delete(sso_nonce::table.filter(sso_nonce::created_at.lt(oldest)))
+ .execute(conn)
+ .map_res("Error deleting expired SSO nonce")
+ }}
+ } else {
+ err!("Failed to get DB connection while purging expired sso_nonce")
+ }
+ }
}
diff --git a/src/db/models/user.rs b/src/db/models/user.rs
index a02b694d..1369aa07 100644
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -5,7 +5,7 @@ use crate::crypto;
use crate::CONFIG;
db_object! {
- #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
+ #[derive(Identifiable, Queryable, Insertable, AsChangeset, Selectable)]
#[diesel(table_name = users)]
#[diesel(treat_none_as_null = true)]
#[diesel(primary_key(uuid))]
@@ -60,6 +60,14 @@ db_object! {
pub struct Invitation {
pub email: String,
}
+
+ #[derive(Identifiable, Queryable, Insertable, Selectable)]
+ #[diesel(table_name = sso_users)]
+ #[diesel(primary_key(user_uuid))]
+ pub struct SsoUser {
+ pub user_uuid: String,
+ pub identifier: String,
+ }
}
pub enum UserKdfType {
@@ -85,7 +93,7 @@ impl User {
pub const CLIENT_KDF_TYPE_DEFAULT: i32 = UserKdfType::Pbkdf2 as i32;
pub const CLIENT_KDF_ITER_DEFAULT: i32 = 600_000;
- pub fn new(email: String) -> Self {
+ pub fn new(email: String, name: Option) -> Self {
let now = Utc::now().naive_utc();
let email = email.to_lowercase();
@@ -97,7 +105,7 @@ impl User {
verified_at: None,
last_verifying_at: None,
login_verify_count: 0,
- name: email.clone(),
+ name: name.unwrap_or(email.clone()),
email,
akey: String::new(),
email_new: None,
@@ -456,3 +464,51 @@ impl Invitation {
}
}
}
+
+impl SsoUser {
+ pub async fn save(&self, conn: &mut DbConn) -> EmptyResult {
+ db_run! { conn:
+ sqlite, mysql {
+ diesel::replace_into(sso_users::table)
+ .values(SsoUserDb::to_db(self))
+ .execute(conn)
+ .map_res("Error saving SSO user")
+ }
+ postgresql {
+ let value = SsoUserDb::to_db(self);
+ diesel::insert_into(sso_users::table)
+ .values(&value)
+ .execute(conn)
+ .map_res("Error saving SSO user")
+ }
+ }
+ }
+
+ // Written as an union to make the query more lisible than using an `or_filter`.
+ // But `first()` does not appear to work with `union()` so we use `load()`.
+ pub async fn find_by_identifier_or_email(
+ identifier: &str,
+ mail: &str,
+ conn: &DbConn,
+ ) -> Option<(User, Option)> {
+ let lower_mail = mail.to_lowercase();
+
+ db_run! {conn: {
+ users::table
+ .inner_join(sso_users::table)
+ .select(<(UserDb, Option)>::as_select())
+ .filter(sso_users::identifier.eq(identifier))
+ .union(
+ users::table
+ .left_join(sso_users::table)
+ .select(<(UserDb, Option)>::as_select())
+ .filter(users::email.eq(lower_mail))
+ )
+ .load(conn)
+ .expect("Error searching user by SSO identifier and email")
+ .into_iter()
+ .next()
+ .map(|(user, sso_user)| { (user.from_db(), sso_user.from_db()) })
+ }}
+ }
+}
diff --git a/src/db/schemas/mysql/schema.rs b/src/db/schemas/mysql/schema.rs
index 91392524..bfcdf234 100644
--- a/src/db/schemas/mysql/schema.rs
+++ b/src/db/schemas/mysql/schema.rs
@@ -224,6 +224,7 @@ table! {
uuid -> Text,
user_uuid -> Text,
org_uuid -> Text,
+ invited_by_email -> Nullable,
access_all -> Bool,
akey -> Text,
status -> Integer,
@@ -244,8 +245,19 @@ table! {
}
table! {
- sso_nonce (nonce) {
+ sso_nonce (state) {
+ state -> Text,
nonce -> Text,
+ verifier -> Nullable,
+ redirect_uri -> Text,
+ created_at -> Timestamp,
+ }
+}
+
+table! {
+ sso_users (user_uuid) {
+ user_uuid -> Text,
+ identifier -> Text,
}
}
@@ -342,6 +354,7 @@ joinable!(collections_groups -> collections (collections_uuid));
joinable!(collections_groups -> groups (groups_uuid));
joinable!(event -> users_organizations (uuid));
joinable!(auth_requests -> users (user_uuid));
+joinable!(sso_users -> users (user_uuid));
allow_tables_to_appear_in_same_query!(
attachments,
@@ -355,6 +368,7 @@ allow_tables_to_appear_in_same_query!(
org_policies,
organizations,
sends,
+ sso_users,
twofactor,
users,
users_collections,
diff --git a/src/db/schemas/postgresql/schema.rs b/src/db/schemas/postgresql/schema.rs
index fad549d8..7621ad43 100644
--- a/src/db/schemas/postgresql/schema.rs
+++ b/src/db/schemas/postgresql/schema.rs
@@ -224,6 +224,7 @@ table! {
uuid -> Text,
user_uuid -> Text,
org_uuid -> Text,
+ invited_by_email -> Nullable,
access_all -> Bool,
akey -> Text,
status -> Integer,
@@ -244,8 +245,19 @@ table! {
}
table! {
- sso_nonce (nonce) {
+ sso_nonce (state) {
+ state -> Text,
nonce -> Text,
+ verifier -> Nullable,
+ redirect_uri -> Text,
+ created_at -> Timestamp,
+ }
+}
+
+table! {
+ sso_users (user_uuid) {
+ user_uuid -> Text,
+ identifier -> Text,
}
}
@@ -342,6 +354,7 @@ joinable!(collections_groups -> collections (collections_uuid));
joinable!(collections_groups -> groups (groups_uuid));
joinable!(event -> users_organizations (uuid));
joinable!(auth_requests -> users (user_uuid));
+joinable!(sso_users -> users (user_uuid));
allow_tables_to_appear_in_same_query!(
attachments,
@@ -355,6 +368,7 @@ allow_tables_to_appear_in_same_query!(
org_policies,
organizations,
sends,
+ sso_users,
twofactor,
users,
users_collections,
diff --git a/src/db/schemas/sqlite/schema.rs b/src/db/schemas/sqlite/schema.rs
index fad549d8..7621ad43 100644
--- a/src/db/schemas/sqlite/schema.rs
+++ b/src/db/schemas/sqlite/schema.rs
@@ -224,6 +224,7 @@ table! {
uuid -> Text,
user_uuid -> Text,
org_uuid -> Text,
+ invited_by_email -> Nullable,
access_all -> Bool,
akey -> Text,
status -> Integer,
@@ -244,8 +245,19 @@ table! {
}
table! {
- sso_nonce (nonce) {
+ sso_nonce (state) {
+ state -> Text,
nonce -> Text,
+ verifier -> Nullable,
+ redirect_uri -> Text,
+ created_at -> Timestamp,
+ }
+}
+
+table! {
+ sso_users (user_uuid) {
+ user_uuid -> Text,
+ identifier -> Text,
}
}
@@ -342,6 +354,7 @@ joinable!(collections_groups -> collections (collections_uuid));
joinable!(collections_groups -> groups (groups_uuid));
joinable!(event -> users_organizations (uuid));
joinable!(auth_requests -> users (user_uuid));
+joinable!(sso_users -> users (user_uuid));
allow_tables_to_appear_in_same_query!(
attachments,
@@ -355,6 +368,7 @@ allow_tables_to_appear_in_same_query!(
org_policies,
organizations,
sends,
+ sso_users,
twofactor,
users,
users_collections,
diff --git a/src/mail.rs b/src/mail.rs
index 4ff6725a..dc248b28 100644
--- a/src/mail.rs
+++ b/src/mail.rs
@@ -492,6 +492,18 @@ pub async fn send_change_email(address: &str, token: &str) -> EmptyResult {
send_email(address, &subject, body_html, body_text).await
}
+pub async fn send_sso_change_email(address: &str) -> EmptyResult {
+ let (subject, body_html, body_text) = get_text(
+ "email/sso_change_email",
+ json!({
+ "url": format!("{}/#/settings/account", CONFIG.domain()),
+ "img_src": CONFIG._smtp_img_src(),
+ }),
+ )?;
+
+ send_email(address, &subject, body_html, body_text).await
+}
+
pub async fn send_set_password(address: &str, user_name: &str) -> EmptyResult {
let (subject, body_html, body_text) = get_text(
"email/set_password",
diff --git a/src/main.rs b/src/main.rs
index 73085901..4ceb7756 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -49,6 +49,7 @@ mod crypto;
mod db;
mod mail;
mod ratelimit;
+mod sso;
mod util;
use crate::api::purge_auth_requests;
@@ -594,6 +595,13 @@ fn schedule_jobs(pool: db::DbPool) {
}));
}
+ // Purge sso nonce from incomplete flow (default to daily at 00h20).
+ if !CONFIG.purge_incomplete_sso_nonce().is_empty() {
+ sched.add(Job::new(CONFIG.purge_incomplete_sso_nonce().parse().unwrap(), || {
+ runtime.spawn(db::models::SsoNonce::delete_expired(pool.clone()));
+ }));
+ }
+
// Periodically check for jobs to run. We probably won't need any
// jobs that run more often than once a minute, so a default poll
// interval of 30 seconds should be sufficient. Users who want to
diff --git a/src/sso.rs b/src/sso.rs
new file mode 100644
index 00000000..d3ab90d6
--- /dev/null
+++ b/src/sso.rs
@@ -0,0 +1,536 @@
+use chrono::Utc;
+use regex::Regex;
+use std::borrow::Cow;
+use std::sync::RwLock;
+use std::time::Duration;
+use url::Url;
+
+use mini_moka::sync::Cache;
+use once_cell::sync::Lazy;
+use openidconnect::core::{
+ CoreClient, CoreIdTokenVerifier, CoreProviderMetadata, CoreResponseType, CoreUserInfoClaims,
+};
+use openidconnect::reqwest::async_http_client;
+use openidconnect::{
+ AccessToken, AuthDisplay, AuthPrompt, AuthenticationFlow, AuthorizationCode, AuthorizationRequest, ClientId,
+ ClientSecret, CsrfToken, Nonce, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RefreshToken,
+ ResponseType, Scope,
+};
+
+use crate::{
+ api::ApiResult,
+ auth,
+ auth::{AuthMethod, AuthMethodScope, AuthTokens, TokenWrapper, BW_EXPIRATION, DEFAULT_REFRESH_VALIDITY},
+ db::{
+ models::{Device, SsoNonce, User},
+ DbConn,
+ },
+ CONFIG,
+};
+
+static AC_CACHE: Lazy> =
+ Lazy::new(|| Cache::builder().max_capacity(1000).time_to_live(Duration::from_secs(10 * 60)).build());
+
+static CLIENT_CACHE: RwLock> = RwLock::new(None);
+
+static SSO_JWT_ISSUER: Lazy = Lazy::new(|| format!("{}|sso", CONFIG.domain_origin()));
+
+pub static NONCE_EXPIRATION: Lazy = Lazy::new(|| chrono::TimeDelta::try_minutes(10).unwrap());
+
+trait AuthorizationRequestExt<'a> {
+ fn add_extra_params>, V: Into>>(self, params: Vec<(N, V)>) -> Self;
+}
+
+impl<'a, AD: AuthDisplay, P: AuthPrompt, RT: ResponseType> AuthorizationRequestExt<'a>
+ for AuthorizationRequest<'a, AD, P, RT>
+{
+ fn add_extra_params>, V: Into>>(mut self, params: Vec<(N, V)>) -> Self {
+ for (key, value) in params {
+ self = self.add_extra_param(key, value);
+ }
+ self
+ }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct SsoTokenJwtClaims {
+ // Not before
+ pub nbf: i64,
+ // Expiration time
+ pub exp: i64,
+ // Issuer
+ pub iss: String,
+ // Subject
+ pub sub: String,
+}
+
+pub fn encode_ssotoken_claims() -> String {
+ let time_now = Utc::now();
+ let claims = SsoTokenJwtClaims {
+ nbf: time_now.timestamp(),
+ exp: (time_now + chrono::TimeDelta::try_minutes(2).unwrap()).timestamp(),
+ iss: SSO_JWT_ISSUER.to_string(),
+ sub: "vaultwarden".to_string(),
+ };
+
+ auth::encode_jwt(&claims)
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum OIDCCodeWrapper {
+ Ok {
+ code: String,
+ state: String,
+ },
+ Error {
+ state: String,
+ error: String,
+ error_description: Option,
+ },
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct OIDCCodeClaims {
+ // Expiration time
+ pub exp: i64,
+ // Issuer
+ pub iss: String,
+
+ pub code: OIDCCodeWrapper,
+}
+
+pub fn encode_code_claims(code: OIDCCodeWrapper) -> String {
+ let time_now = Utc::now();
+ let claims = OIDCCodeClaims {
+ exp: (time_now + chrono::TimeDelta::try_minutes(5).unwrap()).timestamp(),
+ iss: SSO_JWT_ISSUER.to_string(),
+ code,
+ };
+
+ auth::encode_jwt(&claims)
+}
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+struct BasicTokenClaims {
+ iat: Option,
+ nbf: Option,
+ exp: i64,
+}
+
+impl BasicTokenClaims {
+ fn nbf(&self) -> i64 {
+ self.nbf.or(self.iat).unwrap_or_else(|| Utc::now().timestamp())
+ }
+}
+
+fn decode_token_claims(token_name: &str, token: &str) -> ApiResult {
+ let mut validation = jsonwebtoken::Validation::default();
+ validation.set_issuer(&[CONFIG.sso_authority()]);
+ validation.insecure_disable_signature_validation();
+ validation.validate_aud = false;
+
+ match jsonwebtoken::decode(token, &jsonwebtoken::DecodingKey::from_secret(&[]), &validation) {
+ Ok(btc) => Ok(btc.claims),
+ Err(err) => err_silent!(format!("Failed to decode basic token claims from {token_name}: {err}")),
+ }
+}
+
+#[rocket::async_trait]
+trait CoreClientExt {
+ async fn _get_client() -> ApiResult;
+ async fn cached() -> ApiResult;
+
+ async fn user_info_async(&self, access_token: AccessToken) -> ApiResult;
+
+ fn vw_id_token_verifier(&self) -> CoreIdTokenVerifier<'_>;
+}
+
+#[rocket::async_trait]
+impl CoreClientExt for CoreClient {
+ // Call the OpenId discovery endpoint to retrieve configuration
+ async fn _get_client() -> ApiResult {
+ let client_id = ClientId::new(CONFIG.sso_client_id());
+ let client_secret = ClientSecret::new(CONFIG.sso_client_secret());
+
+ let issuer_url = CONFIG.sso_issuer_url()?;
+
+ let provider_metadata = match CoreProviderMetadata::discover_async(issuer_url, async_http_client).await {
+ Err(err) => err!(format!("Failed to discover OpenID provider: {err}")),
+ Ok(metadata) => metadata,
+ };
+
+ Ok(CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret))
+ .set_redirect_uri(CONFIG.sso_redirect_url()?))
+ }
+
+ // Simple cache to prevent recalling the discovery endpoint each time
+ async fn cached() -> ApiResult {
+ let cc_client = CLIENT_CACHE.read().ok().and_then(|rw_lock| rw_lock.clone());
+ match cc_client {
+ Some(client) => Ok(client),
+ None => Self::_get_client().await.map(|client| {
+ let mut cached_client = CLIENT_CACHE.write().unwrap();
+ *cached_client = Some(client.clone());
+ client
+ }),
+ }
+ }
+
+ async fn user_info_async(&self, access_token: AccessToken) -> ApiResult {
+ let endpoint = match self.user_info(access_token, None) {
+ Err(err) => err!(format!("No user_info endpoint: {err}")),
+ Ok(endpoint) => endpoint,
+ };
+
+ match endpoint.request_async(async_http_client).await {
+ Err(err) => err!(format!("Request to user_info endpoint failed: {err}")),
+ Ok(user_info) => Ok(user_info),
+ }
+ }
+
+ fn vw_id_token_verifier(&self) -> CoreIdTokenVerifier<'_> {
+ let mut verifier = self.id_token_verifier();
+ if let Some(regex_str) = CONFIG.sso_audience_trusted() {
+ match Regex::new(®ex_str) {
+ Ok(regex) => {
+ verifier = verifier.set_other_audience_verifier_fn(move |aud| regex.is_match(aud));
+ }
+ Err(err) => {
+ error!("Failed to parse SSO_AUDIENCE_TRUSTED={regex_str} regex: {err}");
+ }
+ }
+ }
+ verifier
+ }
+}
+
+// The `nonce` allow to protect against replay attacks
+// redirect_uri from: https://github.com/bitwarden/server/blob/main/src/Identity/IdentityServer/ApiClient.cs
+pub async fn authorize_url(state: String, client_id: &str, raw_redirect_uri: &str, mut conn: DbConn) -> ApiResult {
+ let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
+
+ let redirect_uri = match client_id {
+ "web" | "browser" => format!("{}/sso-connector.html", CONFIG.domain()),
+ "desktop" | "mobile" => "bitwarden://sso-callback".to_string(),
+ "cli" => {
+ let port_regex = Regex::new(r"^http://localhost:([0-9]{4})$").unwrap();
+ match port_regex.captures(raw_redirect_uri).and_then(|captures| captures.get(1).map(|c| c.as_str())) {
+ Some(port) => format!("http://localhost:{}", port),
+ None => err!("Failed to extract port number"),
+ }
+ }
+ _ => err!(format!("Unsupported client {client_id}")),
+ };
+
+ let client = CoreClient::cached().await?;
+ let mut auth_req = client
+ .authorize_url(
+ AuthenticationFlow::::AuthorizationCode,
+ || CsrfToken::new(state),
+ Nonce::new_random,
+ )
+ .add_scopes(scopes)
+ .add_extra_params(CONFIG.sso_authorize_extra_params_vec());
+
+ let verifier = if CONFIG.sso_pkce() {
+ let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
+ auth_req = auth_req.set_pkce_challenge(pkce_challenge);
+ Some(pkce_verifier.secret().to_string())
+ } else {
+ None
+ };
+
+ let (auth_url, csrf_state, nonce) = auth_req.url();
+
+ let sso_nonce = SsoNonce::new(csrf_state.secret().to_string(), nonce.secret().to_string(), verifier, redirect_uri);
+ sso_nonce.save(&mut conn).await?;
+
+ Ok(auth_url)
+}
+
+#[derive(Clone, Debug)]
+pub struct AuthenticatedUser {
+ pub refresh_token: Option,
+ pub access_token: String,
+ pub expires_in: Option,
+ pub identifier: String,
+ pub email: String,
+ pub email_verified: Option,
+ pub user_name: Option,
+}
+
+#[derive(Clone, Debug)]
+pub struct UserInformation {
+ pub state: String,
+ pub identifier: String,
+ pub email: String,
+ pub email_verified: Option,
+ pub user_name: Option,
+}
+
+async fn decode_code_claims(code: &str, conn: &mut DbConn) -> ApiResult<(String, String)> {
+ match auth::decode_jwt::(code, SSO_JWT_ISSUER.to_string()) {
+ Ok(code_claims) => match code_claims.code {
+ OIDCCodeWrapper::Ok {
+ code,
+ state,
+ } => Ok((code, state)),
+ OIDCCodeWrapper::Error {
+ state,
+ error,
+ error_description,
+ } => {
+ if let Err(err) = SsoNonce::delete(&state, conn).await {
+ error!("Failed to delete database sso_nonce using {state}: {err}")
+ }
+ err!(format!(
+ "SSO authorization failed: {error}, {}",
+ error_description.as_ref().unwrap_or(&String::new())
+ ))
+ }
+ },
+ Err(err) => err!(format!("Failed to decode code wrapper: {err}")),
+ }
+}
+
+// During the 2FA flow we will
+// - retrieve the user information and then only discover he needs 2FA.
+// - second time we will rely on the `AC_CACHE` since the `code` has already been exchanged.
+// The `nonce` will ensure that the user is authorized only once.
+// We return only the `UserInformation` to force calling `redeem` to obtain the `refresh_token`.
+pub async fn exchange_code(wrapped_code: &str, conn: &mut DbConn) -> ApiResult {
+ let (code, state) = decode_code_claims(wrapped_code, conn).await?;
+
+ if let Some(authenticated_user) = AC_CACHE.get(&state) {
+ return Ok(UserInformation {
+ state,
+ identifier: authenticated_user.identifier,
+ email: authenticated_user.email,
+ email_verified: authenticated_user.email_verified,
+ user_name: authenticated_user.user_name,
+ });
+ }
+
+ let oidc_code = AuthorizationCode::new(code.clone());
+ let client = CoreClient::cached().await?;
+
+ let nonce = match SsoNonce::find(&state, conn).await {
+ None => err!(format!("Invalid state cannot retrieve nonce")),
+ Some(nonce) => nonce,
+ };
+
+ let mut exchange = client.exchange_code(oidc_code);
+
+ if CONFIG.sso_pkce() {
+ match nonce.verifier {
+ None => err!(format!("Missing verifier in the DB nonce table")),
+ Some(secret) => exchange = exchange.set_pkce_verifier(PkceCodeVerifier::new(secret)),
+ }
+ }
+
+ match exchange.request_async(async_http_client).await {
+ Ok(token_response) => {
+ let user_info = client.user_info_async(token_response.access_token().to_owned()).await?;
+ let oidc_nonce = Nonce::new(nonce.nonce.clone());
+
+ let id_token = match token_response.extra_fields().id_token() {
+ None => err!("Token response did not contain an id_token"),
+ Some(token) => token,
+ };
+
+ if CONFIG.sso_debug_tokens() {
+ debug!("Id token: {}", id_token.to_string());
+ debug!("Access token: {}", token_response.access_token().secret().to_string());
+ debug!("Refresh token: {:?}", token_response.refresh_token().map(|t| t.secret().to_string()));
+ debug!("Expiration time: {:?}", token_response.expires_in());
+ }
+
+ let id_claims = match id_token.claims(&client.vw_id_token_verifier(), &oidc_nonce) {
+ Err(err) => err!(format!("Could not read id_token claims, {err}")),
+ Ok(claims) => claims,
+ };
+
+ let email = match id_claims.email() {
+ Some(email) => email.to_string(),
+ None => match user_info.email() {
+ None => err!("Neither id token nor userinfo contained an email"),
+ Some(email) => email.to_owned().to_string(),
+ },
+ }
+ .to_lowercase();
+
+ let user_name = user_info.preferred_username().map(|un| un.to_string());
+
+ let refresh_token = token_response.refresh_token().map(|t| t.secret().to_string());
+ if refresh_token.is_none() && CONFIG.sso_scopes_vec().contains(&"offline_access".to_string()) {
+ error!("Scope offline_access is present but response contain no refresh_token");
+ }
+
+ let identifier = format!("{}/{}", **id_claims.issuer(), **id_claims.subject());
+
+ let authenticated_user = AuthenticatedUser {
+ refresh_token,
+ access_token: token_response.access_token().secret().to_string(),
+ expires_in: token_response.expires_in(),
+ identifier: identifier.clone(),
+ email: email.clone(),
+ email_verified: id_claims.email_verified(),
+ user_name: user_name.clone(),
+ };
+
+ AC_CACHE.insert(state.clone(), authenticated_user.clone());
+
+ Ok(UserInformation {
+ state,
+ identifier,
+ email,
+ email_verified: id_claims.email_verified(),
+ user_name,
+ })
+ }
+ Err(err) => err!(format!("Failed to contact token endpoint: {err}")),
+ }
+}
+
+// User has passed 2FA flow we can delete `nonce` and clear the cache.
+pub async fn redeem(state: &String, conn: &mut DbConn) -> ApiResult {
+ if let Err(err) = SsoNonce::delete(state, conn).await {
+ error!("Failed to delete database sso_nonce using {state}: {err}")
+ }
+
+ if let Some(au) = AC_CACHE.get(state) {
+ AC_CACHE.invalidate(state);
+ Ok(au)
+ } else {
+ err!("Failed to retrieve user info from sso cache")
+ }
+}
+
+// We always return a refresh_token (with no refresh_token some secrets are not displayed in the web front).
+// If there is no SSO refresh_token, we keep the access_token to be able to call user_info to check for validity
+pub fn create_auth_tokens(
+ device: &Device,
+ user: &User,
+ refresh_token: Option,
+ access_token: &str,
+ expires_in: Option,
+) -> ApiResult {
+ if !CONFIG.sso_auth_only_not_session() {
+ let now = Utc::now();
+
+ let (ap_nbf, ap_exp) = match (decode_token_claims("access_token", access_token), expires_in) {
+ (Ok(ap), _) => (ap.nbf(), ap.exp),
+ (Err(_), Some(exp)) => (now.timestamp(), (now + exp).timestamp()),
+ _ => err!("Non jwt access_token and empty expires_in"),
+ };
+
+ let access_claims =
+ auth::LoginJwtClaims::new(device, user, ap_nbf, ap_exp, auth::AuthMethod::Sso.scope_vec(), now);
+
+ _create_auth_tokens(device, refresh_token, access_claims, access_token)
+ } else {
+ Ok(AuthTokens::new(device, user, AuthMethod::Sso))
+ }
+}
+
+fn _create_auth_tokens(
+ device: &Device,
+ refresh_token: Option,
+ access_claims: auth::LoginJwtClaims,
+ access_token: &str,
+) -> ApiResult {
+ let (nbf, exp, token) = if let Some(rt) = refresh_token.as_ref() {
+ match decode_token_claims("refresh_token", rt) {
+ Err(_) => {
+ let time_now = Utc::now();
+ let exp = (time_now + *DEFAULT_REFRESH_VALIDITY).timestamp();
+ debug!("Non jwt refresh_token (expiration set to {})", exp);
+ (time_now.timestamp(), exp, TokenWrapper::Refresh(rt.to_string()))
+ }
+ Ok(refresh_payload) => {
+ debug!("Refresh_payload: {:?}", refresh_payload);
+ (refresh_payload.nbf(), refresh_payload.exp, TokenWrapper::Refresh(rt.to_string()))
+ }
+ }
+ } else {
+ debug!("No refresh_token present");
+ (access_claims.nbf, access_claims.exp, TokenWrapper::Access(access_token.to_string()))
+ };
+
+ let refresh_claims = auth::RefreshJwtClaims {
+ nbf,
+ exp,
+ iss: auth::JWT_LOGIN_ISSUER.to_string(),
+ sub: auth::AuthMethod::Sso,
+ device_token: device.refresh_token.clone(),
+ token: Some(token),
+ };
+
+ Ok(auth::AuthTokens {
+ refresh_claims,
+ access_claims,
+ })
+}
+
+// This endpoint is called in two case
+// - the session is close to expiration we will try to extend it
+// - the user is going to make an action and we check that the session is still valid
+pub async fn exchange_refresh_token(
+ device: &Device,
+ user: &User,
+ refresh_claims: &auth::RefreshJwtClaims,
+) -> ApiResult {
+ match &refresh_claims.token {
+ Some(TokenWrapper::Refresh(refresh_token)) => {
+ let rt = RefreshToken::new(refresh_token.to_string());
+
+ let client = CoreClient::cached().await?;
+
+ let token_response = match client.exchange_refresh_token(&rt).request_async(async_http_client).await {
+ Err(err) => err!(format!("Request to exchange_refresh_token endpoint failed: {:?}", err)),
+ Ok(token_response) => token_response,
+ };
+
+ // Use new refresh_token if returned
+ let rolled_refresh_token = token_response
+ .refresh_token()
+ .map(|token| token.secret().to_string())
+ .unwrap_or(refresh_token.to_string());
+
+ create_auth_tokens(
+ device,
+ user,
+ Some(rolled_refresh_token),
+ token_response.access_token().secret(),
+ token_response.expires_in(),
+ )
+ }
+ Some(TokenWrapper::Access(access_token)) => {
+ let now = Utc::now();
+ let exp_limit = (now + *BW_EXPIRATION).timestamp();
+
+ if refresh_claims.exp < exp_limit {
+ err_silent!("Access token is close to expiration but we have no refresh token")
+ }
+
+ let client = CoreClient::cached().await?;
+ match client.user_info_async(AccessToken::new(access_token.to_string())).await {
+ Err(err) => {
+ err_silent!(format!("Failed to retrieve user info, token has probably been invalidated: {err}"))
+ }
+ Ok(_) => {
+ let access_claims = auth::LoginJwtClaims::new(
+ device,
+ user,
+ now.timestamp(),
+ refresh_claims.exp,
+ auth::AuthMethod::Sso.scope_vec(),
+ now,
+ );
+ _create_auth_tokens(device, None, access_claims, access_token)
+ }
+ }
+ }
+ None => err!("No token present while in SSO"),
+ }
+}
diff --git a/src/static/templates/email/sso_change_email.hbs b/src/static/templates/email/sso_change_email.hbs
new file mode 100644
index 00000000..5a512280
--- /dev/null
+++ b/src/static/templates/email/sso_change_email.hbs
@@ -0,0 +1,4 @@
+Your Email Changed
+
+Your email was changed in your SSO Provider. Please update your email in Account Settings ({{url}}).
+{{> email/email_footer_text }}
diff --git a/src/static/templates/email/sso_change_email.html.hbs b/src/static/templates/email/sso_change_email.html.hbs
new file mode 100644
index 00000000..74cd445c
--- /dev/null
+++ b/src/static/templates/email/sso_change_email.html.hbs
@@ -0,0 +1,11 @@
+Your Email Changed
+
+{{> email/email_header }}
+
+
+
+ Your email was changed in your SSO Provider. Please update your email in Account Settings.
+
+
+
+{{> email/email_footer }}
diff --git a/src/util.rs b/src/util.rs
index 01e04adc..38e3c8ef 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -7,7 +7,7 @@ use num_traits::ToPrimitive;
use once_cell::sync::Lazy;
use rocket::{
fairing::{Fairing, Info, Kind},
- http::{ContentType, Cookie, CookieJar, Header, HeaderMap, Method, SameSite, Status},
+ http::{ContentType, Header, HeaderMap, Method, Status},
request::FromParam,
response::{self, Responder},
Data, Orbit, Request, Response, Rocket,
@@ -130,10 +130,12 @@ impl Cors {
// If a match exists, return it. Otherwise, return None.
fn get_allowed_origin(headers: &HeaderMap<'_>) -> Option {
let origin = Cors::get_header(headers, "Origin");
- let domain_origin = CONFIG.domain_origin();
- let sso_origin = CONFIG.sso_authority();
let safari_extension_origin = "file://";
- if origin == domain_origin || origin == safari_extension_origin || origin == sso_origin {
+
+ if origin == CONFIG.domain_origin()
+ || origin == safari_extension_origin
+ || (CONFIG.sso_enabled() && origin == CONFIG.sso_authority())
+ {
Some(origin)
} else {
None
@@ -258,33 +260,6 @@ impl<'r> FromParam<'r> for SafeString {
}
}
-pub struct CustomRedirect {
- pub url: String,
- pub headers: Vec<(String, String)>,
-}
-
-impl<'r> rocket::response::Responder<'r, 'static> for CustomRedirect {
- fn respond_to(self, _: &rocket::request::Request<'_>) -> rocket::response::Result<'static> {
- let mut response = Response::build()
- .status(rocket::http::Status {
- code: 307,
- })
- .raw_header("Location", self.url)
- .header(ContentType::HTML)
- .finalize();
-
- // Normal headers
- response.set_raw_header("Referrer-Policy", "same-origin");
- response.set_raw_header("X-XSS-Protection", "0");
-
- for header in &self.headers {
- response.set_raw_header(header.0.clone(), header.1.clone());
- }
-
- Ok(response)
- }
-}
-
// Log all the routes from the main paths list, and the attachments endpoint
// Effectively ignores, any static file route, and the alive endpoint
const LOGGED_ROUTES: [&str; 7] = ["/api", "/admin", "/identity", "/icons", "/attachments", "/events", "/notifications"];
@@ -1022,29 +997,3 @@ mod tests {
});
}
}
-
-pub struct CookieManager<'a> {
- jar: &'a CookieJar<'a>,
-}
-
-impl<'a> CookieManager<'a> {
- pub fn new(jar: &'a CookieJar<'a>) -> Self {
- Self {
- jar,
- }
- }
-
- pub fn set_cookie(&self, name: String, value: String) {
- let cookie = Cookie::build((name, value)).same_site(SameSite::Lax);
-
- self.jar.add(cookie)
- }
-
- pub fn get_cookie(&self, name: String) -> Option {
- self.jar.get(&name).map(|c| c.value().to_string())
- }
-
- pub fn delete_cookie(&self, name: String) {
- self.jar.remove(Cookie::from(name));
- }
-}