
SSO: error with Authentik #6230

@tugdualenligne

Description

@tugdualenligne

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-7161f612
  • Web-vault version: v2025.7.2
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Europe/Paris
  • Browser/Server Time Check: false
  • Server/NTP Time Check: false
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: false

Config & Details (Generated via diagnostics page)


Environment settings which are overridden: SIGNUPS_ALLOWED, ADMIN_TOKEN

Failed HTTP Checks:

2FA Connector calls:
Header: 'x-frame-options' is present while it should not

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****************",
  "domain_origin": "*****://*****************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "Vaultwarden du-plessis.fr",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://*********************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://**********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "openid email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

testing

Deployment method

Official Container Image

Custom deployment method

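I get the following error when launching the testing Docker image and coupling it with an Authentik instance. (Note: the byte array in the error is the raw token-endpoint response. It decodes to `{"access_token": "eyJhbGci…`, and the token's header is `{"alg":"RSA-OAEP-256","enc":"A256CBC-HS512","kid":…,"typ":"JWE"}`. So the access token is a five-part encrypted JWE, not the three-part signed JWT the parser expects. That would be consistent with an encryption key being selected on the Authentik provider, though this has not been confirmed here.)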

Failed to contact token endpoint: Parse(Error { path: Path { segments: [] }, original: Error("Invalid JSON web token: found 5 parts (expected 3)", line: 1, column: 6990) }, [123, 34, 97, 99, 99, 101, 115, 115, 95, 116, 111, 107, 101, 110, 34, 58, 32, 34, 101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, 116, 84, 48, 70, 70, 85, 67, 48, 121, 78, 84, 89, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 106, 85, 50, 81, 48, 74, 68, 76, 85, 104, 84, 78, 84, 69, 121, 73, 105, 119, 105, 97, 50, 108, 107, 73, 106, 111, 105, 78, 122, 73, 48, 78, 87, 81, 52, 78, 106, 99, 48, 77, 50, 81, 51, 77, 68, 73, 52, 90, 68, 82, 107, 79, 87, 85, 121, 77, 68, 81, 50, 78, 84, 85, 119, 79, 87, 70, 104, 90, 71, 77, 105, 76, 67, 74, 48, 101, 88, 65, 105, 79, 105, 74, 75, 86, 48, 85, 105, 102, 81, 46, 104, 86, 103, 66, 120, 51, 86, 101, 50, 53, 68, 118, 71, 101, 103, 85, 76, 51, 77, 107, 65, 120, 56, 98, 88, 78, 73, 49, 55, 74, 104, 95, 82, 83, 68, 106, 102, 118, 122, 66, 115, 100, 57, 80, 83, 48, 50, 51, 97, 112, 54, 112, 105, 115, 99, 90, 77, 117,

Reverse Proxy

traefik latest version (3.5 if my memory's good)

Host/Server Operating System

Linux

Operating System Version

Debian Trixie is a VM where the Docker daemon is running

Clients

Web Vault

Client Version

No response

Steps To Reproduce

I followed this guide: https://integrations.goauthentik.io/security/vaultwarden/
and configured SSO like this in the docker-compose file:
## SSO with Authentik
SSO_ENABLED: 'true'
SSO_AUTHORITY: https://auth.domain.fr/application/o/vaultwarden/
SSO_CLIENT_ID: XXXX
SSO_CLIENT_SECRET: XXXXX
SSO_SCOPES: "openid email profile offline_access"
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: 'false'
SSO_CLIENT_CACHE_EXPIRATION: 0
SSO_ONLY: 'false'
SSO_SIGNUPS_MATCH_EMAIL: 'true'

Expected Result

I should be able to log in using Authentik SSO

Actual Result

Error msg:
Failed to contact token endpoint: Parse(Error { path: Path { segments: [] }, original: Error("Invalid JSON web token: found 5 parts (expected 3)", line: 1, column: 6990) }, [123, 34, 97, 99, 99, 101, 115, 115, 95, 116, 111, 107, 101, 110, 34, 58, 32, 34, 101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69, 116, 84, 48, 70, 70, 85, 67, 48, 121, 78, 84, 89, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 106, 85, 50, 81, 48, 74, 68, 76, 85, 104, 84, 78, 84, 69, 121, 73, 105, 119, 105, 97, 50, 108, 107, 73, 106, 111, 105, 78, 122, 73, 48, 78, 87, 81, 52, 78, 106, 99, 48, 77, 50, 81, 51, 77, 68, 73, 52, 90, 68, 82, 107, 79, 87, 85, 121, 77, 68, 81, 50, 78, 84, 85, 119, 79, 87, 70, 104, 90, 71, 77, 105, 76, 67, 74, 48, 101, 88, 65, 105, 79, 105, 74, 75, 86, 48, 85, 105, 102, 81, 46, 104, 86, 103, 66, 120, 51, 86, 101, 50, 53, 68, 118, 71, 101, 103, 85, 76, 51, 77, 107, 65, 120, 56, 98, 88, 78, 73, 49, 55, 74, 104, 95, 82, 83, 68, 106, 102, 118, 122, 66, 115, 100, 57, 80, 83, 48, 50, 51, 97, 112, 54, 112, 105, 115, 99, 90, 77, 117,

Logs


Screenshots or Videos

No response

Additional Context

No response

    Labels

    SSO (Issue regarding SSO), bug (Something isn't working)
