feat: add SSO env options for compose file

chore: publish 3.0.0+1.35.2 release
increase healthcheck retries
2026-01-24 17:13:00 +00:00 · 2026-01-20 18:02:18 +00:00 · 2025-12-23 14:48:53 +01:00
5 changed files with 59 additions and 7 deletions
--- a/.env.sample
+++ b/.env.sample
@ -31,3 +31,29 @@ TX="Europe/Berlin"
 #SMTP_HOST=mail.example.com
 #SMTP_PORT=587
 #SMTP_SECURITY=starttls
+
+## SSO Setup Start ##
+
+## SSO Required Setup
+#COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
+#SSO_ENABLED=false ## Activate the SSO
+
+## the OpenID Connect Discovery endpoint of your SSO. Should not include the /.well-known/openid-configuration part and no trailing / ${SSO_AUTHORITY}/.well-known/openid-configuration must return a JSON document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse (with an HTTP status code 200 OK!)
+#SSO_AUTHORITY=
+#SSO_CLIENT_ID=             
+#SSO_CLIENT_SECRET= 
+#SSO_ONLY=false ## disable email+Master password authentication
+
+## SSO Optional Setup
+#SSO_SIGNUPS_MATCH_EMAIL=true ##: On SSO Signup if a user with a matching email already exists make the association (default true)
+#SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false ## Allow unknown email verification status (default false). Allowing this with SSO_SIGNUPS_MATCH_EMAIL open potential account takeover.
+#SSO_SCOPES= ##Optional, allow to override scopes if needed (default "email profile")
+#SSO_AUTHORIZE_EXTRA_PARAMS= ## Optional, allow to add extra parameter to the authorize redirection (default "")
+#SSO_PKCE=true ## Activate PKCE for the Auth Code flow (default true).
+#SSO_AUDIENCE_TRUSTED= ##Optional, Regex to trust additional audience for the IdToken (client_id is always trusted). Use single quote when writing the regex: '^$'.
+#SSO_MASTER_PASSWORD_POLICY ## Optional Master password policy (enforceOnLogin is not supported).
+#SSO_AUTH_ONLY_NOT_SESSION ## Enable to use SSO only for authentication not session lifecycle
+#SSO_CLIENT_CACHE_EXPIRATION=0 ## Cache calls to the discovery endpoint, duration in seconds, 0 to disable (default 0);
+#SSO_DEBUG_TOKENS=false ## Log all tokens for easier debugging (default false, LOG_LEVEL=debug or LOG_LEVEL=info,vaultwarden::sso=debug need to be set)
+
+## SSO Setup End ##
--- a/compose.mariadb.yml
+++ b/compose.mariadb.yml
@ -34,9 +34,9 @@ services:
        backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} < /var/lib/mysql/backup.sql'
    healthcheck:
      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
-      interval: 5s
+      interval: 30s
      timeout: 10s
-      retries: 0
+      retries: 30
      start_period: 1m

 secrets:
--- a/compose.sso.yml
+++ b/compose.sso.yml
@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - SSO_ENABLED
+      - SSO_AUTHORITY
+      - SSO_CLIENT_ID
+      - SSO_CLIENT_SECRET
+      - SSO_ONLY
+      - SSO_SIGNUPS_MATCH_EMAIL
+      - SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
+      - SSO_SCOPES
+      - SSO_AUTHORIZE_EXTRA_PARAMS
+      - SSO_PKCE
+      - SSO_AUDIENCE_TRUSTED
+      - SSO_MASTER_PASSWORD_POLICY
+      - SSO_AUTH_ONLY_NOT_SESSION
+      - SSO_CLIENT_CACHE_EXPIRATION
+      - SSO_DEBUG_TOKENS
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: vaultwarden/server:1.34.3
+    image: vaultwarden/server:1.35.2
    networks:
      - proxy
      - internal
@ -30,9 +30,10 @@ services:
      - vaultwarden_data:/data
    healthcheck:
      test: curl -f http://localhost/alive || exit 1
-      interval: 5s
-      timeout: 3s
-      retries: 10
+      interval: 30s
+      timeout: 10s
+      retries: 30
+      start_period: 1m
    deploy:
      restart_policy:
        condition: on-failure
@ -42,7 +43,7 @@ services:
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=2.1.1+1.34.3"
+        - "coop-cloud.${STACK_NAME}.version=3.0.0+1.35.2"
        - "backupbot.backup=true"
        - "backupbot.backup.path=/data"

--- a/release/3.0.0+1.35.2
+++ b/release/3.0.0+1.35.2
@ -0,0 +1,4 @@
+Allows support for 2026.1+ clients.
+
+This release includes options for SSO. Check out the release notes for
+more infomation.
Author	SHA1	Message	Date
Joe Irving	5056367d20	feat: add SSO env options for compose file	2026-01-24 17:13:00 +00:00
Joe Irving	ecd51386e8	chore: publish 3.0.0+1.35.2 release	2026-01-20 18:02:18 +00:00
Moritz	4bb0a87b33	increase healthcheck retries Some checks failed continuous-integration/drone/push Build is failing Details	2025-12-23 14:48:53 +01:00