rk1ve

vaultwarden

this is to explain how vaultwarden is set up with the new updates. the new update is that it now supports sso with oidc. by using this, i am able to integrate vaultwarden with keycloak, my public-facing idp.

the variables are defined in the latest github wiki, and this version of vaultwarden is maintained by dani-garcia. this uses the “testing” image tag, since sso is not yet officially supported on the mainstream image.

i will explain for the purposes of keycloak, since that is what i use. follow the wiki for the idp that you use. the first thing is that it requires these environment variables (the names are case-sensitive):
SSO_ENABLED
SSO_AUTHORITY
SSO_CLIENT_ID
SSO_CLIENT_SECRET
SSO_SCOPES

these are then referenced from the hidden .env file so that the values are kept out of the compose file. the authority is the url of whatever realm the oidc client is in, so in this case i created a separate realm for public-facing services. the url looks like this: https://keycloak.domain.com/realms/realm-name

next are the client id and secret, which are created inside keycloak. navigate to the correct realm, click on clients, and then “create client”. the client type is openid connect, and the client id is whatever you name it, in this case vaultwarden. then add a few more descriptors. under capability config, i enable client authentication so that keycloak generates a client secret. under login settings, paste this (adjusted to your setup) into “valid redirect uris”: https://vault.domain.com/identity/connect/oidc-signin.

this is crucial to the single sign-on redirect; otherwise the app will not know where to return to after login. after the client is created, go to the credentials tab and make sure to copy the client secret.

one thing you will come across is offline tokens, and this can be addressed by creating a vaultwarden group inside the realm. go to role mapping, search the realm roles for “offline_access”, and check the box. then assign the members to the group.

if you want to enforce sso, set the SSO_ONLY environment variable.
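as an added example (not from this post or from the vaultwarden project), here is a small preflight script that checks the .env file before restarting the container: it confirms the variables above are set, that SSO_AUTHORITY has the realm-url shape, that the redirect uri you need to paste into the keycloak client follows from DOMAIN, that SSO_ONLY is only set together with SSO_ENABLED, and that the file holding the client secret is not world-readable. it assumes a plain KEY=value .env next to the compose file and that vaultwarden builds the redirect uri as DOMAIN plus /identity/connect/oidc-signin; the sample .env it writes is constructed with placeholder values.

```shell
#!/bin/sh
# Preflight check for a vaultwarden SSO .env (added example, not project code).
# Assumes: variable names from the vaultwarden wiki (DOMAIN, SSO_ENABLED,
# SSO_AUTHORITY, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_SCOPES, SSO_ONLY) in a
# plain KEY=value file, and redirect uri = DOMAIN + /identity/connect/oidc-signin.

# Constructed sample .env with placeholder values (mktemp creates it mode 0600).
SAMPLE_ENV_FILE=$(mktemp)
cat >"$SAMPLE_ENV_FILE" <<'EOF'
DOMAIN=https://vault.domain.com
SSO_ENABLED=true
SSO_AUTHORITY=https://keycloak.domain.com/realms/public
SSO_CLIENT_ID=vaultwarden
SSO_CLIENT_SECRET=REPLACE_WITH_SECRET_FROM_KEYCLOAK_CREDENTIALS_TAB
SSO_SCOPES=email profile
SSO_ONLY=false
EOF

# env_get FILE KEY: print KEY's value from FILE (first match, empty if unset).
env_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# expected_redirect_uri FILE: the value to paste into the keycloak client's
# "valid redirect uris", derived from DOMAIN.
expected_redirect_uri() {
  printf '%s/identity/connect/oidc-signin\n' "$(env_get "$1" DOMAIN)"
}

# check_sso_env FILE: return 0 if the file looks usable, 1 otherwise,
# printing one line per problem found.
check_sso_env() {
  f=$1
  rc=0
  for key in DOMAIN SSO_ENABLED SSO_AUTHORITY SSO_CLIENT_ID SSO_CLIENT_SECRET SSO_SCOPES; do
    if [ -z "$(env_get "$f" "$key")" ]; then
      echo "missing or empty: $key"
      rc=1
    fi
  done

  # the authority is the realm url: https, /realms/<name>, no trailing slash
  auth=$(env_get "$f" SSO_AUTHORITY)
  case "$auth" in
    */) echo "SSO_AUTHORITY must not end with '/'"; rc=1 ;;
    https://*/realms/?*) ;;
    *) echo "SSO_AUTHORITY should look like https://<keycloak>/realms/<realm>"; rc=1 ;;
  esac

  # the redirect back from keycloak lands on DOMAIN, so it has to be https
  case "$(env_get "$f" DOMAIN)" in
    https://*) ;;
    *) echo "DOMAIN should be an https url"; rc=1 ;;
  esac

  # SSO_ONLY only makes sense once SSO_ENABLED is on
  if [ "$(env_get "$f" SSO_ONLY)" = "true" ] && [ "$(env_get "$f" SSO_ENABLED)" != "true" ]; then
    echo "SSO_ONLY=true but SSO_ENABLED is not true"
    rc=1
  fi

  # the client secret lives in this file, so it must not be world-readable
  if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
    echo "$f is world-readable; chmod 600 it"
    rc=1
  fi
  return $rc
}

if check_sso_env "$SAMPLE_ENV_FILE"; then
  echo "ok: paste $(expected_redirect_uri "$SAMPLE_ENV_FILE") into the keycloak client"
fi
```

run it against your real file with `check_sso_env /path/to/.env` after sourcing the script; the trailing-slash check on the authority is there because a realm url with a trailing slash is an easy typo that only shows up as a failed login.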

preserve the moment.