SSO: Invalid redirect URI when using Azure OIDC or SAML 2.0 #2500
Comments
I think I got the same error like this before, the internal redirection from In your case it might need to be changed to |
Hmm, I could see it being something like that. I tried setting I also tried setting it to: Is there any other way I can change the redirect URI on the application side? Can't/shouldn't change |
@ErikHumphrey Any errors logged from the SSO or Identity application under /etc/bitwarden/logs? |
@kspearrin

```text
2022-12-15 18:44:51.616 +00:00 [ERR] Invalid redirect_uri: http://bitwarden.dev.rcgtconsulting.io/identity/signin-oidc
{"ClientId":"oidc-identity","ClientName":null,"RedirectUri":null,"AllowedRedirectUris":["https://bitwarden.domain.com/identity/signin-oidc"],"SubjectId":"anonymous","ResponseType":null,"ResponseMode":null,"GrantType":null,"RequestedScopes":"","State":null,"UiLocales":null,"Nonce":null,"AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":"","MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"oidc-identity","redirect_uri":"http://bitwarden.domain.com/identity/signin-oidc","response_type":"code","scope":"openid profile","code_challenge":"redacted","code_challenge_method":"S256","response_mode":"form_post","nonce":"redacted","domain_hint":"foo","organizationId":"redacted","ssoToken":"BWUserPrefix_redacted","state":"redacted","x-client-SKU":"ID_NETSTANDARD2_0","x-client-ver":"6.10.0.0"},"$type":"AuthorizeRequestValidationLog"}
2022-12-15 18:44:51.616 +00:00 [ERR] Request validation failed
```

Looks like the

Edit: Thanks for the replies; I'll investigate this more next week or two. |
Hmm, we need to figure out how to get Identity to redirect to SSO with https. I imagine this is happening because somewhere is not respecting your proxied protocol. Maybe something can be set in your nginx proxy to properly forward the protocol? I am not an expert with Nginx. |
@ErikHumphrey, after I checked in the container, it's either that SSO is not enabled by default (need to add an SSO env enable yes or something) or the NGINX routing is just not there. If you go to |
@Rezkmike you just need to set BW_ENABLE_SSO to true to get that going. @ErikHumphrey mentioned that he already did that. |
Wasn't able to pull off anything with the Nginx configuration, I don't see any issues there. It likely needs a change on the Bitwarden end & is web server/proxy-agnostic. Assuming it's unique to Unified, I'll try the main deployment in the meantime. |
I was having the same issue and was able to resolve it by:
It would be nice to not need to enable SSL on the container when my load balancer is already doing SSL termination. I also had to edit
Otherwise, the sso-connector.html file didn't load properly. |
@sniper7kills Although enabling SSL did work, some of us are hosting Bitwarden behind an IIS proxy, and IIS does not support SSL passthrough. We also had leveraged our IIS infrastructure as our SSL offloading proxy. We tried disabling SSL on Unified and set X-Forwarded-Proto, but it still doesn't help. The redirect URL generated by Bitwarden is still http. We tried to set the redirect URL in Azure AD to also allow http, but that is not allowed because Azure AD requires https for redirect URIs unless it is localhost. |
I have reproduced this and traced the issue back to our proxy.conf file here: Setting the following values manually to
This is because in order to properly handle redirects, ASP.NET Core requires that We already do all of this. The problem seems to manifest itself whenever using more than one proxy server. Internally, the Bitwarden unified container is already running a nginx proxy and is directing traffic to various ASP.NET Core applications running at http://localhost:5xxx. In front of that, I have another nginx proxy that terminates SSL and is directing traffic from the public host to the unified container. So you end up with a chain that looks something like this:
With this chain, you can see the As I mentioned earlier, you could just hardcode the I am not a nginx expert, but does anyone know of a way to handle this dynamically? We need some way to see what the original upstream host and protocol is to properly pass through the chain of proxies. |
I'm not an Nginx expert either and can't test this at the moment, but would work if we set

Upstream public proxy:

```nginx
proxy_set_header X-Forwarded-Proto $scheme;
```

Bitwarden Unified proxy:

```nginx
proxy_set_header X-Forwarded-Proto $scheme; # Normally empty by default, but set upstream
```

That could cause issues if you don't have an upstream proxy as it needs to be set, as you said. So something like:

```nginx
proxy_set_header X-Forwarded-Proto $scheme;
if ($http_x_forwarded_proto) {
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
}
```

or something similar to that effect:

```nginx
set $forwarded_proto $http_x_forwarded_proto;
if ($forwarded_proto = '') {
    set $forwarded_proto $scheme;
}
proxy_set_header X-Forwarded-Proto $forwarded_proto;
```
|
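An added example (not code from this thread or from the Bitwarden project) that models the two-proxy chain kspearrin describes and the fallback proposed above: each hop is a small function standing in for the nginx directive named in its docstring, the backend step mimics a forwarded-headers-aware app rebuilding its redirect URI, and the host, path and allowed-URI set are taken from the log quoted earlier in the thread. It also covers the caveat that the fallback belongs only on the inner hop, since a public edge that keeps a client-supplied X-Forwarded-Proto would trust the client's value.

```python
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]
Hop = Callable[[Headers, str], Headers]

# Constructed from the quoted log: the public host, the OIDC callback path
# and the single URI the Identity app accepts.
HOST = "bitwarden.domain.com"
PATH = "/identity/signin-oidc"
ALLOWED_REDIRECT_URIS = {"https://bitwarden.domain.com/identity/signin-oidc"}


def overwrite_proto(headers: Headers, scheme: str) -> Headers:
    """Stands in for `proxy_set_header X-Forwarded-Proto $scheme;`:
    always stamps this hop's own scheme, discarding any upstream value."""
    out = dict(headers)
    out["X-Forwarded-Proto"] = scheme
    return out


def coalesce_proto(headers: Headers, scheme: str) -> Headers:
    """Stands in for the `set $forwarded_proto` / if-empty pattern:
    keep an upstream X-Forwarded-Proto, else fall back to this hop's scheme."""
    out = dict(headers)
    out["X-Forwarded-Proto"] = headers.get("X-Forwarded-Proto") or scheme
    return out


def run_chain(chain: List[Tuple[Hop, str]], client_headers: Headers) -> Headers:
    """Pass the headers through each (hop, scheme-the-hop-received-on) pair."""
    headers = dict(client_headers)
    for hop, scheme in chain:
        headers = hop(headers, scheme)
    return headers


def redirect_uri(headers: Headers) -> str:
    """Backend view: rebuild the public redirect URI from the forwarded proto."""
    return f"{headers.get('X-Forwarded-Proto', 'http')}://{HOST}{PATH}"


def broken_chain_uri() -> str:
    # TLS-terminating edge (https) -> Unified's internal nginx (plain http).
    # The inner hop overwrites, so the app sees http and the URI is rejected.
    return redirect_uri(run_chain([(overwrite_proto, "https"), (overwrite_proto, "http")], {}))


def fixed_chain_uri() -> str:
    # Same chain, but the inner hop keeps the edge's value.
    return redirect_uri(run_chain([(overwrite_proto, "https"), (coalesce_proto, "http")], {}))


def edge_coalesce_trusts_client() -> str:
    # Misconfiguration: the edge also coalesces, so a client-sent header wins.
    chain = [(coalesce_proto, "https"), (coalesce_proto, "http")]
    return redirect_uri(run_chain(chain, {"X-Forwarded-Proto": "http"}))


def is_allowed(uri: str) -> bool:
    return uri in ALLOWED_REDIRECT_URIS
```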
I think I got this working with something like
This null coalesces the upstream |
#2847 should resolve the issue. Feel free to try the |
Steps To Reproduce
`image: bitwarden/self-host:dev` with SSO enabled. (The same issue was also encountered using the `beta` tag.) The internal port of the Bitwarden container is `8080`. An Nginx termination proxy is in front of it; you can access the Bitwarden web client at https://bitwarden.domain.com (i.e., port `443`). The same error will have appeared regardless of whether you used SAML or OIDC. Redirect behaviour and binding type also do not matter.
Expected Result
Enterprise sign-in with Azure OIDC / Azure SAML 2.0 works as expected, bringing you to a Microsoft AAD log-in screen and signing you into the Bitwarden server.
Actual Result
Enterprise sign-in with Azure OIDC / Azure SAML 2.0 fails. Before seeing a Microsoft AAD login screen, you see the above error message at https://bitwarden.domain.com/sso/Error?errorId=REDACTED
Screenshots or Videos
Additional Context
I tried contacting Bitwarden's technical support team regarding this, but the confirmation email never showed up. Nvm; the site says there's a confirmation email but it goes through anyway without one. These requests appear in the Nginx server logs after clicking the "Log in" button shown above.
I'm not really sure what the issue is here. At one point it's using the HTTPS URI and at another point it's using the HTTPS URI, but it's a 302 so maybe it's redirecting correctly. The URL encoded characters could also be causing issues? Not sure. In Azure, my redirect URL is `https://bitwarden.domain.com/sso/oidc-signin`, with HTTPS. I've taken a look at the code in bitwarden/clients, but I'm not sure what I'm doing wrong. `BW_ENABLE_SSO` is set to `"true"` and the organization has an active Bitwarden Enterprise licence. `BW_DOMAIN` is of the format: `bitwarden.domain.com`
https://bitwarden.domain.com/sso/oidc-signin
Please let me know if this issue may not be unique to Bitwarden Unified and is instead an issue with bitwarden/clients or my configuration.
Githash Version
`7cbc4a8-dirty`
Environment Details
(`Standard_B2s` Azure virtual machine)
Database Image
`postgres:14.6-alpine`
Issue-Link
#2480