docs/content/integration/openid-connect/clients/vaultwarden/index.md
{{% oidc-common %}}
### Assumptions

This example makes the following assumptions:

- __Application Root URL:__ `https://vault.{{< sitevar name="domain" nojs="example.com" >}}/`
  - This value determines the redirect URI, which will be `https://vault.{{< sitevar name="domain" nojs="example.com" >}}/identity/connect/oidc-signin`. This means if you change this value, you need to update the redirect URI.
- __Authelia Root URL:__ `https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/`
- __Client ID:__ `vaultwarden`
- __Client Secret:__ `insecure_secret`

Some of the values presented in this guide can automatically be replaced with documentation variables.
{{< sitevar-preferences >}}
{{< callout context="tip" title="Did you know?" icon="outline/rocket" >}}
The `vaultwarden_roles` user attribute renders the value `["admin"]` if the user is in the `vaultwarden_admins` group
within Authelia, renders the value `["user"]` if they are in the `vaultwarden_users` group, and otherwise renders `[""]`.
You can adjust this expression to assign a role to whichever user groups you prefer.
{{< /callout >}}
## Configuration

### Authelia

The following YAML configuration is an example Authelia client configuration for use with Vaultwarden which will operate with the application example:

```yaml
definitions:
  user_attributes:
    vaultwarden_roles:
      expression: '"vaultwarden_admins" in groups ? ["admin"] : "vaultwarden_users" in groups ? ["user"] : [""]'
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    claims_policies:
      vaultwarden:
        id_token: ['vaultwarden_roles']
        custom_claims:
          vaultwarden_roles: {}
    scopes:
      vaultwarden:
        claims: ['vaultwarden_roles']
    clients:
      - client_id: 'vaultwarden'
        client_name: 'Vaultwarden'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        claims_policy: 'vaultwarden'
        redirect_uris:
          - 'https://vault.{{< sitevar name="domain" nojs="example.com" >}}/identity/connect/oidc-signin'
        scopes:
          - 'openid'
          - 'offline_access'
          - 'profile'
          - 'email'
          - 'vaultwarden'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
          - 'refresh_token'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
```
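The `client_secret` above is stored as a PBKDF2-SHA512 digest rather than as plaintext, so before deploying a configuration it is worth confirming that the digest really corresponds to the secret you will hand to Vaultwarden. The following Python script is an added example, not part of the Authelia documentation or the project's code: it parses the `$pbkdf2-sha512$<iterations>$<salt>$<hash>` digest from the configuration above, verifies a candidate plaintext against it, and generates a fresh digest in the same format. It assumes the digest uses the passlib-compatible adapted base64 alphabet (`.` in place of `+`, no `=` padding), which is why `.` appears inside the hash on the page.

```python
"""Verify and generate Authelia-style PBKDF2-SHA512 client secret digests."""
import base64
import hashlib
import hmac
import secrets

# Digest copied from the client configuration above; the page documents it
# as the digest of 'insecure_secret'.
PAGE_DIGEST = (
    "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$"
    "JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng"
)

def _ab64_decode(s: str) -> bytes:
    # Assumption: adapted base64 as used by passlib ('.' for '+', no padding).
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))

def _ab64_encode(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii").rstrip("=").replace("+", ".")

def parse_digest(digest: str) -> tuple:
    """Split '$pbkdf2-sha512$<iterations>$<salt>$<hash>' into (iterations, salt, hash)."""
    parts = digest.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2-sha512":
        raise ValueError("not a pbkdf2-sha512 digest")
    return int(parts[2]), _ab64_decode(parts[3]), _ab64_decode(parts[4])

def verify_secret(secret: str, digest: str) -> bool:
    """Return True if `secret` is the plaintext behind `digest`; compares in constant time."""
    iterations, salt, expected = parse_digest(digest)
    derived = hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(derived, expected)

def make_digest(secret: str, iterations: int = 310000) -> str:
    """Produce a new digest in the same format with a random 16-byte salt."""
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, iterations)
    return f"$pbkdf2-sha512${iterations}${_ab64_encode(salt)}${_ab64_encode(derived)}"

if __name__ == "__main__":
    print(verify_secret("insecure_secret", PAGE_DIGEST))  # True
    print(verify_secret("wrong_secret", PAGE_DIGEST))     # False
    fresh = make_digest("replace_me_with_a_generated_secret")
    print(fresh)
    print(verify_secret("replace_me_with_a_generated_secret", fresh))  # True
```

Replace the plaintext passed to `make_digest` with a randomly generated secret for any real deployment; `insecure_secret` is only the documentation placeholder.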
### Application

To configure Vaultwarden there is one method, using the Environment Variables.

#### Environment Variables

To configure Vaultwarden to utilize Authelia as an OpenID Connect 1.0 Provider, use the following environment variables:

##### Standard

```shell
SSO_ENABLED=true
SSO_ONLY=false
SSO_AUTHORITY=https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}
SSO_SCOPES=profile email offline_access vaultwarden
SSO_PKCE=true
SSO_CLIENT_ID=vaultwarden
SSO_CLIENT_SECRET=insecure_secret
SSO_ROLES_ENABLED=true
SSO_ROLES_DEFAULT_TO_USER=true
SSO_ROLES_TOKEN_PATH=/vaultwarden_roles
```
##### Docker Compose

```yaml
services:
  vaultwarden:
    environment:
      - SSO_ENABLED=true
      - SSO_ONLY=false
      - SSO_AUTHORITY=https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}
      - SSO_SCOPES=profile email offline_access vaultwarden
      - SSO_PKCE=true
      - SSO_CLIENT_ID=vaultwarden
      - SSO_CLIENT_SECRET=insecure_secret
      - SSO_ROLES_ENABLED=true
      - SSO_ROLES_DEFAULT_TO_USER=true
      - SSO_ROLES_TOKEN_PATH=/vaultwarden_roles
```