SSO shouldn't require using email addresses #6204
Replies: 3 comments 3 replies
-
It is a requirement from Bitwarden. Nothing we can do about that. All the clients assume a mail address as login.
-
If you want more details on how an
-
It's even more useless when I am logged in with [email protected] at Authentik, input [email protected] at Vaultwarden, and automatically get authorized as [email protected] as soon as I click on SSO, making the email input totally useless?
-
SSO support shouldn't require referring to or using email addresses at all. Vaultwarden should support configuring a claim in the identity token to use as Vaultwarden's identifier. For example, `preferred_username`. Then a user is identified by and able to login using this username. In fact, ideally, it should be possible to login without inputting anything at Vaultwarden's UI. Instead, Vaultwarden can directly redirect to the identity provider which handles authzn and Vaultwarden reads the identity from the token.

Additionally it should be noted that `email` and any other claims, according to the OIDC spec, should not be assumed to be unique. I.e. there can be more than one user with a given email address.
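An added example (mine, not code from Vaultwarden, Bitwarden or any poster in this thread) of the identifier handling the post above argues for: the verified ID token's `iss` plus `sub` pair keys the account, a configurable claim such as `preferred_username` supplies the login name, and an email-keyed linking function sits beside it to show what the OIDC non-uniqueness caveat costs in practice. The issuer URL, the two user payloads and the in-memory store are constructed for the demo, and the code assumes the OIDC client library has already validated the token's signature, issuer, audience and expiry before the claims reach it.

```python
# Added example, not Vaultwarden code. Keys an SSO login on the ID token's
# (iss, sub) pair, uses a configurable claim (preferred_username) only for the
# displayed login name, and contrasts that with linking accounts by the email
# claim. Assumes the OIDC library already verified signature, iss, aud and exp;
# the dicts below are constructed, already-verified ID token payloads.

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample payloads from one hypothetical Authentik issuer. Two
# distinct users carry the same email; only 'sub' tells them apart.
ISSUER = "https://authentik.example/application/o/vaultwarden/"
ALICE = {
    "iss": ISSUER, "sub": "e1d2c3b4-alice", "aud": "vaultwarden",
    "preferred_username": "alice", "email": "alice@example.com",
    "email_verified": True,
}
MALLORY = {
    "iss": ISSUER, "sub": "9f8e7d6c-mallory", "aud": "vaultwarden",
    "preferred_username": "mallory", "email": "alice@example.com",
    "email_verified": False,
}


@dataclass
class Account:
    iss: str
    sub: str
    username: str
    email: Optional[str]


@dataclass
class AccountStore:
    # Correct keying: (iss, sub). OIDC Core 5.7 says these two claims together
    # are the only stable identifier an RP may rely on; 'sub' is locally unique
    # and never reassigned within an issuer.
    by_subject: Dict[Tuple[str, str], Account] = field(default_factory=dict)
    # Unsafe keying, kept only to demonstrate the collision.
    by_email: Dict[str, Account] = field(default_factory=dict)


def subject_key(claims: dict) -> Tuple[str, str]:
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        raise ValueError("ID token lacks iss/sub; refuse login")
    return (iss, sub)


def identifier_claim(claims: dict, claim: str = "preferred_username") -> str:
    # The configurable claim the post asks for. It names the account for the
    # user, never serves as the primary key: OIDC Core 5.1 says the RP MUST NOT
    # rely on preferred_username or email being unique.
    value = claims.get(claim)
    if not isinstance(value, str) or not value:
        raise ValueError(f"configured identifier claim {claim!r} missing from ID token")
    return value


def sso_login(store: AccountStore, claims: dict, claim: str = "preferred_username") -> Account:
    """Login with no input on the RP side: identity comes from the token only."""
    key = subject_key(claims)
    account = store.by_subject.get(key)
    if account is None:
        account = Account(key[0], key[1], identifier_claim(claims, claim), claims.get("email"))
        store.by_subject[key] = account
    return account


def unsafe_login_by_email(store: AccountStore, claims: dict) -> Account:
    """Links on the email claim alone: the second user presenting the same
    email lands in the first user's account."""
    email = claims["email"]
    account = store.by_email.get(email)
    if account is None:
        account = Account(claims["iss"], claims["sub"], claims.get("preferred_username", email), email)
        store.by_email[email] = account
    return account


def demo() -> Tuple[bool, bool]:
    """Returns (subject_keyed_logins_distinct, email_keyed_logins_collided)."""
    store = AccountStore()
    a = sso_login(store, ALICE)
    m = sso_login(store, MALLORY)
    distinct = a is not m and a.sub != m.sub
    a2 = unsafe_login_by_email(store, ALICE)
    m2 = unsafe_login_by_email(store, MALLORY)
    collided = a2 is m2  # Mallory is now inside Alice's vault
    return distinct, collided


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The split between `subject_key` and `identifier_claim` is the point: the claim an admin configures for display can change, be reused, or be absent without affecting which vault a token opens, while a token missing `iss` or `sub` is refused outright rather than falling back to email.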