Vaultwarden commit introduces SSO using OpenID Connect
183 points
3 days ago
| 13 comments
| github.com
| HN
DoctorOW
3 days ago
[-]
Most of the comments seem to confirm (all but one at time of writing) that this feature is more intended for corporate/business environments. Does anyone know if Vaultwarden has commercial users? By no means am I arguing against the inclusion of this feature, I'm just curious. Everywhere I've worked that was big enough to use SSO was also wary of selfhosting FOSS tools. I should clarify I don't consider myself working in tech, fwiw.
reply
kuschku
3 days ago
[-]
SSO is really important in the "few tools, many users" case, but just as important in the "many tools, few users" case. I'm self hosting dozens of tools, and without SSO I'd have to set up username, password, TOTP and WebAuthn for each and every one of them, my 2FA app would be 90% my own services.

With SSO though, it's much simpler. I can just run an OIDC server and log into all my self-hosted services once, and I can use all of them. Vaultwarden is an exception to the rule though, as you can't really bootstrap that in the individual case.

Another use case I'm currently exploring is for sharing netflix/prime/disney+ passwords with roommates, partners and friends. They just sign in with their Google/Apple/whatever account and get access to the shared streaming provider passwords.

reply
arjvik
3 days ago
[-]
What's your (OSS?) OIDC server of choice?

Authelia? Authentik? Keycloak? (These are the three I see a lot about.) Something else?

reply
samgnesin
2 days ago
[-]
Pocket ID[1] is what I use, and I cannot recommend it enough. It's an incredible project.

[1] https://pocket-id.org

reply
udev4096
2 days ago
[-]
Love pocket-id. Do you use oauth2-proxy with it? How did you set up oauth2-proxy to work with multiple apps?
reply
gh02t
2 days ago
[-]
I used to use oauth2-proxy with PocketID, but migrated to caddy-security for stuff that doesn't directly support OIDC as part of a general move to Caddy. It's nice not needing the sidecar container, though the docs for caddy-security are a bit confusing and I still find Caddy's whole approach to plugins a bit... odd. It does give you quite a lot of flexibility once you figure it out, and I think it was worthwhile after the initial learning period.
reply
carlhjerpe
2 days ago
[-]
I've dabbled in oauth2-proxy but I'm not running it currently. I recall my goto was launching one instance per remote i want to target.
reply
udev4096
2 days ago
[-]
Yeah that's hard to scale when you have lots of services. For now, I am running multiple instances of oauth2-proxy instances and assigning user groups in pocket-id. How do you deal with apps not having native OIDC support?
reply
thedanbob
2 days ago
[-]
Adding another +1 to Pocket ID. I looked at a couple of the ones you mentioned but they looked too heavy and complex for what I wanted. Pocket ID does one thing and does it well.
reply
mmcnl
2 days ago
[-]
I've used Authelia for a few years and it's great. It does exactly what I need/want. Not more, not less. It's also never failed me.
reply
gh02t
2 days ago
[-]
For self hosting, PocketID is about as easy to set up and maintain as it gets.
reply
timc3
2 days ago
[-]
I use Authelia backed by lldap. Really like it so far
reply
eloh
2 days ago
[-]
Can recommend Kanidm
reply
sp0ck
2 days ago
[-]
Kanidm made some weird decision that ruled it out in one of big organisation I try to deploy it. Separate Radius password. For telco that’s half its use cases, and there is separate random password. Whole Network engineering department was like WTF ? You can’t have single password which is one of important reasons to have SSOA.
reply
gallexme
2 days ago
[-]
Mine is zitadel
reply
raybb
3 days ago
[-]
As someone who manages the vault warden instance for a nonprofit with many volunteers but no fulltime employees I see this as a wonderful thing. Yes bitwarden has a nonprofit discount but no playing wack a mole with which of the 20+ volunteers are active at any moment to avoid getting a huge bill isn't worth it vs self hosting.
reply
prometheon1
2 days ago
[-]
I'm in a similar situation, having many volunteers does not mean we have the budget to pay 5-10 euros per month for all of them for all the tools needed for work. Self-hosting and managed hosting of open-source software are the best option for us, including SSO and password management
reply
homebrewer
3 days ago
[-]
I support an installation for a couple hundred users. It's been working fine for several years now, including browser plugins and mobile clients. If the project goes under, it's easy to export everything and import into the official Bitwarden.

(Whose server I really don't enjoy, it's very enterprise-y and heavy on resources for no real reason I could find.)

reply
toomuchtodo
3 days ago
[-]
SSO isn’t an enterprise feature, it is an access control and governance feature regardless of user population.
reply
rat9988
3 days ago
[-]
Who needs it except entreprises for the 99.99% usecase?
reply
arjvik
3 days ago
[-]
E.g. the homelab admin who doesn't want their family to have to create and manage accounts on 12 different self-hosted services.
reply
cyberax
3 days ago
[-]
Self-hosters so you don't need to record 100 different passwords for your own services?
reply
mcpherrinm
2 days ago
[-]
Everyone from the single-user homelab to the biggest companies should have SSO.
reply
preisschild
3 days ago
[-]
Vaultwarden is a lot easier to self host than Bitwarden

But like all community-made open source stuff, If you want to use it for "production" stuff you should invest in audits and contribute/fund development

reply
warkdarrior
3 days ago
[-]
I've been self-hosting Bitwarden (and giving them money) for a few years now, it is really easy with Docker and a reverse proxy. What kind of challenges did you encounter with Bitwarden?
reply
fkyoureadthedoc
3 days ago
[-]
Vaultwarden uses fewer resources and runs fine on a $5 digital ocean VPS where I had some issues with Bitwarden. I hardly have to remember that I'm running it myself.
reply
warkdarrior
3 days ago
[-]
Resource usage is a fair point. My home computer is 64 cores and 1TB RAM so I don't even notice Bitwarden running.
reply
preisschild
3 days ago
[-]
Last time i checked you needed a MS SQL db...
reply
aaronax
2 days ago
[-]
https://bitwarden.com/help/database-options/

"All Bitwarden self-hosted server deployments, except for unified, ship with an MSSQL Express image by default."

reply
cheema33
2 days ago
[-]
> Last time i checked you needed a MS SQL db...

For real? That would mean a requirement for a software license that costs about $1,000 for the cheapest option.

reply
seized
2 days ago
[-]
There is a new Unified one that can use SQLite and other options. I have been using that one for a year or more
reply
warkdarrior
3 days ago
[-]
It is all included in their Docker compose file.
reply
preisschild
3 days ago
[-]
I use Kubernetes

But also what about the whole lifecycle?

I can easily deploy a HA Postgres cluster that is backed up for me. I'd have to do the same thing to back up BW.

reply
warkdarrior
2 days ago
[-]
Don't know much about HA (it looks like Bitwarden does this through Helm https://bitwarden.com/help/self-host-with-helm/), but backup is a matter of simply copying files: https://bitwarden.com/help/backup-on-premise/
reply
Timshel
3 days ago
[-]
Started working (based on previous work already done) then maintaining the PR for my personal self-hosted stack.

Had then some fun adding roles/groups support (not yet merged).

reply
c0balt
3 days ago
[-]
I'm hosting it for our team at a public institute, we are strongly supportive of OSS and have interest in keeping our data on premise.

Team of <10 though so hosting is trivial with NixOS. We also have almost no money available for purchasing software so official self-hosted bitwarden was not an option unfortunately (if we had money, that would've been the way to go).

reply
Disposal8433
3 days ago
[-]
I'm a user, not an expert on all this but: SSO is indeed meant for a corporate environment, not for personal use. And from what I saw, companies would rather pay for a simple SSO provider than use any self-hosted solution. That means you either use Google or Microsoft, nothing else.

LastPass is out of question due to the security issues in the past. I always advocate for Bitwarden but I'm not sure they can handle any kind of SSO yet. And Vaultwarden, being a fork of a not-so-famous-yet password vault (at least in the managers's world), is not a contender anywhere.

reply
ffsm8
2 days ago
[-]
Vaultwarden is not a fork though?

And also, in what world is SSO meant for enterprise?

It's Single Sign On, not having to login separately for each service is perfect for any context of any size - wherever these services only have 1 user or 100 thousand.

reply
threePointFive
3 days ago
[-]
My company just implemented the SaaS Bitwarden with Google SAML on their Enterprise Plan. Very easy to set up, not too expensive ($6/user/month). Their compliance page made it much easier to sell to my manager who had to give the final approval: https://bitwarden.com/compliance/. It is only used by my department so far and we're still doing manual invites rather than integrating with the SCIM features so I can't speak to that. My biggest annoyance is that, as an admin, unlocking the vault still prompts for the master password rather than letting me select SSO without logging all the way out.
reply
stronglikedan
3 days ago
[-]
> That means you either use Google or Microsoft, nothing else.

My fairly large (>20k) company uses Okta. That's just to say, be wary of issuing ultimatums.

reply
tracker1
3 days ago
[-]
I recall a happy/fun environment using Microsoft Entra (Azure AD) SSO, in order to sign into Okta SSO, in order to access Azure environment(s), among other apps. SSO Inception.
reply
maxwellg
2 days ago
[-]
SSO chaining is super common in large corporate environments. Different orgs might have their own SSO IDP, acquisitions often bring their own, etc. Once a provider is in use, it is quite difficult to tear out later while keeping everyone in their proper accounts in all the apps that tie in. Many apps are really bad at SSO migrations, or deduplicating multiple SSO identities to a single user account.
reply
franga2000
3 days ago
[-]
The whole "SSO is meant for enterprise" thing is sales bullshit. Big enterprises can't live without SSO, so everyone started charging extra for that to milk more money out of them, but this doesn't mean it's not hugely beneficial or "meant for" smaller orgs or even individuals.

Anyone can spin up an Authentik/Authelia/Keycloak/whatever instance or even use Microsoft/Google if they already pay for it in a matter of minutes. The only reason people don't is because tons of apps make it annoyingly difficult to integrate SSO or don't offer it at all in the lower price tiers.

If app installers started with "create a root user or paste the OIDC secret here", everyone and their dog would be running SSO. But that's not as profitable.

reply
FuriouslyAdrift
3 days ago
[-]
Paid Bitwarden does SSO (SAML 2.0 or OIDC)

https://bitwarden.com/help/about-sso/

reply
Gormo
1 day ago
[-]
> Does anyone know if Vaultwarden has commercial users?

Yes, it does.

reply
kriops
2 days ago
[-]
I’ve used it at a previous job. SMB, ca. 200(?) employees.
reply
chrissssdotcom
1 day ago
[-]
Same here! - 350-400 employees, but the main requirement was that it could be accessed with no internet. Came from Keepass, love it. SSO just makes it better.
reply
prmoustache
2 days ago
[-]
My company just started hosting an instance for its employees 2 months ago.
reply
BirAdam
2 days ago
[-]
Vaultwarden has been in use at two companies I’ve worked for, yeah. Modest, mid-size companies, one with a delusion of grandeur. While both didn’t care for self-hosting, the executives were wary, in both cases, of SaaS password management after LastPass.
reply
ronnier
3 days ago
[-]
I love this product have used it for a long time now but more recently started getting worried about security. I hope the maintainers are doing their due diligence around securing their docker hub account (many of us run VW in docker) and are careful about libraries the project depends on. Some questionable coding practices were made that I'm not sure I agree with (calling a 3rd party sites in some scenarios). As more of us switch to self hosting VW it will become a juicer target for bad actors. Really hoping we don't wake up one day to find out that our database was uploaded by a BA
reply
crimsonnoodle58
3 days ago
[-]
If you're running on kubernetes, a simple network policy and blocking the container from using DNS will stop any compromised image from performing a data exfill.

I do this for most containers.

If the container must have web access in some form, setup a squid proxy and only whitelist safe and trusted domains that can't be exfilled to.

reply
victor106
3 days ago
[-]
> a simple network policy and blocking the container from using DNS

Can you please point to some resources that can help with how to do this?

reply
NewJazz
2 days ago
[-]
Not sure about the DNS part, but NetworkPolicies should be familiar to anyone who takes Kubernetes seriously.

https://kubernetes.io/docs/concepts/services-networking/netw...

Edit: Did some research and found that Calico has a feature for some kind of DNS filtering

https://www.tigera.io/blog/how-to-secure-kubernetes-workload...

reply
caymanjim
2 days ago
[-]
Why do you think that DNS is required? Anything malicious could (and likely should) hard-code an IP.
reply
crimsonnoodle58
2 days ago
[-]
You ensure DNS is disabled to stop DNS exfil. You can google it, but basically they exfil data by looking up encoded subdomains.

Hardcoding an IP won't help if the network policy disallows all network access.

reply
currysausage
3 days ago
[-]
The web frontend could still send secrets to third parties.
reply
maxwellg
2 days ago
[-]
For extra security, an intermediary can set Content Security Policy (CSP) headers that instruct browsers to only connect to certain domains. CSP headers aren't a total solution, but they're a good tool in the toolkit for redundancy against exfiltration.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

reply
NewJazz
2 days ago
[-]
It could be a system without a web ui, like a database or database proxy. Or it could have multiple web and native UIs (that are open source), e.g. a matrix service.
reply
ronnier
3 days ago
[-]
I use Docker (in Unraid).
reply
surge
3 days ago
[-]
I've threat modeled this myself, and as I understand it the Bitwarden client side decrypts/encrypts everything locally. So even if backend was entirely compromised, it's never getting anything without the master password, and that's never sent across by the client. Then again, there's also the web interface.
reply
ronnier
3 days ago
[-]
Yeah if an attacker was able to insert javascript then it's possible.
reply
blr_lpm
3 days ago
[-]
For this particular threat vector, where the client is compromised, the backend doesn’t matter.
reply
franga2000
3 days ago
[-]
A compromised server can inject exfil code into the web page it serves. If you only ever use the apps then you should be fine though.
reply
9cb14c1ec0
2 days ago
[-]
Which is only possible if logging into the web client and not when using the bitwarden desktop app or browser extensions.
reply
guerby
2 days ago
[-]
Security audits have been made by German BSI for vaultwarden (and other free software):

https://www.heise.de/en/news/Password-manager-BSI-reports-cr...

reply
guerby
2 days ago
[-]
Link to reports page: https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldunge...
reply
arjie
2 days ago
[-]
Mostly unrelated. Does anyone know of an alternative open source extension to the Bitwarden extension? I don't mind paying for the Bitwarden service to sync etc. but the new React-based extension is incredibly slow on my M1 Max.
reply
andix
3 days ago
[-]
A password manager is the one thing I'm very skeptical to use SSO for.
reply
lucasyvas
3 days ago
[-]
Difference between work and personal. For personal, you’re right because there is nothing to bootstrap off of.

But in corporate it’s provisioned to a user account that exists first.

My personal bootstrap is two Yubikeys (for redundancy) that contains the password and 2FA for my Proton Pass. This plays the role of what IT would in a company with a user directory.

reply
jchw
3 days ago
[-]
From this PR:

> A master password is still required and not controlled by the SSO

From the Bitwarden documentation[1]:

> Locking your vault will maintain vault data on the device, so unlocking your vault can be done offline. You will be required to enter your master password or PIN, or use biometrics, but won't need to use any active two-step login methods.

That really ought to quell the majority of the concerns IMO. Though for personal usage I use KeepassXC, because not having any remote authentication at all is even simpler than SSO.

[1]: https://bitwarden.com/help/vault-timeout/#vault-timeout-acti...

reply
vasco
3 days ago
[-]
So you're going to play IT and duplicate all the groups and all the roles manually that already are maintained and automated for on/off-boarding? And not have them be auto-offboarded when they are let go? That introduces compliance risks and imo more problems than having SSO on your password manager. Yes, keep some master password for a rainy day if you have to, but otherwise, the more "dangerous" the thing the more it should be hooked up to SSO.
reply
kriops
3 days ago
[-]
Separate accounts for work and private. SSO for the work account is perfectly fine for me as a dev and a big advantage for the company. But yes, don't conflate the two use cases.
reply
forty
2 days ago
[-]
Well, without SSO, we (people making password managers for business) are in a weird position where we tell people "you won't have to remember passwords" then the first thing we do is to ask to remember a new password (the master password).

SSO also has the benefit that admin can impersonate another account, which is generally a good thing in a corporate environment (think of employee turn over, bus factor, etc)

reply
wazzaps
3 days ago
[-]
It's most useful for companies, where the goal is as much SSO as possible.
reply
jedahan
3 days ago
[-]
Been using this since it was merged. No issues so far, appreciate the work.
reply
cromka
3 days ago
[-]
I selfhost vaultwarden for my use only. Can someone please explain it like I am 5 what's the use case of this new feature? Is it to log in to vaultwarden using an OpenID?
reply
the_gastropod
3 days ago
[-]
Yep, exactly. I selfhost Vaultwarden and a bunch of other apps that my family also use. So I run Authentik, which lets them only have to worry about remembering one login, and they then have a little dashboard of all our apps, and can click to login to whatever they want. It's a pretty decent little system, and I'm happy I can now add Vaultwarden to it.

The bigger your users x applications number, the bigger the benefit. It make user management easy (e.g., you only have to manage users in one place instead of N)

reply
simcop2387
3 days ago
[-]
Same usecase for myself too. One of the biggest advantages for me is that it lets me setup a single and easily tested place for the users to reset passwords from too for when they inevitably forget or lose the post-it note. That, along with me using all the apps and not wanting to have to change 30 passwords for everything when something happens too.

I went a bit more complicated myself with Keycloak instead of Authentik, simply because I knew keycloak a little better but setting up SSO for all the stuff I run has definitely been worth it.

reply
cycomanic
3 days ago
[-]
Yep same for me. I actually had been holding off on Vaultwarden precisely because it didn't have sso support. A single sign on is definitely better than the having the family try to remember a different password for every app.
reply
input_sh
3 days ago
[-]
I administer it at work and now I won't have to invite a user manually, wait for them to accept the invite link via email, manually approve their account, and then assign it to groups (collections).

In other words one less thing to worry about during onboarding / offboarding.

reply
ta1243
3 days ago
[-]
My team self hosts multiple internal services, including vaultwarden.

For most of these we use our standard corporate OIDC provider to provide autentication and accounting, either onto a proxy or direct on the service, that passes the user through, the hosted service is either fine (just logs the user in its local access logs for the accounting part) because it's allowed for all our corporate users, or the service uses its own authorisation logic to allow or reject the users.

Some devices are just generic user/password on the device itself -- the authorisation there is that the group responsible for that device has to keep the credential secure. Any authenticated Corp user can access the login page, and that gets logged, but the authorisation is a simple user/password.

If the credential isn't secure (because people are terrible with security) then at least the attacker is logged, and has had to authorise access.

Some authentication is better. Our guacamole hosts for example are authenticated on proxy with OIDC, then passed through to the guacamole server which does its own authorisation based on its internal database (which itself is managed via a github approach - to add joe.bloggs@corp.com to the "Washington Servers" group you add his identity to the right part of the "groups.conf" file and when the PR is merged it applies across the estate within a minute or two). Then they can access all connections in "Washington", but "davey.jones@corp.com" isn't in that group, so can't.

Likewise our IPAM will create a user in the "readonly" group automatically (our policy is ip records are available to everyone in the company), but they then need moving into an elevated rights using IPAM tooling to allocate IP addresses.

Vaultwarden though we maintain separate user and password, we still have the OIDC front end, but it's completely ignored for another layer of authorisation. I'm about to go on leave so I won't be thinking too much about if this will help, but its good to have the option.

reply
jedahan
3 days ago
[-]
Run a community space that uses its own SSO, and needs to share passwords for socials and the like.
reply
denismi
2 days ago
[-]
Convenient timing!

I've moved my credentials over from pass to Vaultwarden about a month ago (after discovering the pass Android app was abandoned and pulled off app stores), and spent the last two weeks since discovering Pocket ID migrating a few self-hosted services to OIDC.

reply
razighter777
3 days ago
[-]
Fantastic! I really love vaultwarden and was looking forward to this. I have no reason to run SSO in my 3 user homelab but it makes me happygood work.
reply
elashri
3 days ago
[-]
For single user or family supported instances this will not make huge difference because this will still require entering master password (which is good). It would be good for cases when it would make it easier in team or company settings when the manual work to add and setup accounts with access to password collections is annoying.
reply
franga2000
3 days ago
[-]
Depending on how many services you host, this is a huge deal for family and/or friends setups. I run around a dozen things that various family members and friends use, so being able to have one accout that they can log into anything with (including password change and reset) without me having to manually manage accounts makes the whole endeavour much more viable.
reply
tracker1
3 days ago
[-]
Definitely cool functionality to see. I hope this doesn't pull too much from what might otherwise be Enterprise Bitwarden customers. Definitely supportive of the upstream project, while Vaultwarden seems to take less server resources to run, and simpler from what I understand.

Freeing up the SSO tax.

reply
Valodim
3 days ago
[-]
So what is the point of this, if the user still needs a master password?
reply
cephi
3 days ago
[-]
Access control -- can make it easy to add/sync users in Authentik using one username
reply
franga2000
3 days ago
[-]
Creating, deleting, blocking accounts is the main one - you only do it once for a user and they get access to all your services. It also lets you do MFA and security checks on login (like on a new device) which can prevent break-ins even if your users use easily crackable passwords.
reply
ethan_smith
2 days ago
[-]
SSO handles authentication (proving who you are) while the master password is still needed for decryption (as the encryption key is derived from it).
reply
maxvisser
3 days ago
[-]
Maybe if you deactiveer a users entra id that he cant access its vaultwarden vault anymore.
reply
esseph
3 days ago
[-]
Can you expand the question a bit?
reply
sandeepkd
3 days ago
[-]
Interesting to see a PR being merged after good 2 years. Thought about the idea of reviewing the changes for self learning, however the number of files involved made me to give up on that idea soon enough. The number of comments (610) gave an impression that the PR must have been reviewed thoroughly, however a close look tells that the comments are mostly about the topic itself, not about the code changes. Unless the code review is managed internally, the PR gives an impression of mostly happy paths.
reply
xxmarkuski
2 days ago
[-]
How secure is Vaultwarden?
reply
scottydelta
2 days ago
[-]
It's as secure as others promise it to be but actual security is in your own hands. I self-host vaultwarden but I keep it behind a VPN.

The logic is simple, Bitwarden is not there to detect intrusion attempts and safeguard your server so you gotta do it yourself, that's why its free.

reply
import
2 days ago
[-]
You can read the code and see?
reply
pcthrowaway
2 days ago
[-]
I like the spirit of this comment (pointing out that it's OSS). I don't even disagree with discouraging people from asking questions that have readily searchable answers they'd be well served to direct themselves to.

But I think it can be assumed that someone asking such a questions is highly unlikely to be a world-class security researcher equipped to answer it for themselves by auditing the source code, so your response comes across as snarky for the sake of snark.

reply