Can Bitwarden access vaultwarden through authentik or security proxy? #4611

SpiderUnderUrBed · 2024-06-03T23:57:33Z

SpiderUnderUrBed
Jun 3, 2024

The title is my question, I am planning to set up authentik to secure my homelab applications, I am using tailscale to access them and I shared my exit node with some of my friends, so for security reasons its important I sort out permissions and what services they can access, but I am worried that if i set up authentik to be the only way to access vaultwarden (I think making another way to access it directly that only I can use is kinda infeasable/I dont know how to do it)

Then bitwarden wont be able to access the vault. How should I set this up?
(This is unrelated to SSO but OIDC or some key given in the vaults url server header to bypass authentiks protection could help)

Answered by crowley69

Jun 21, 2024

I hope this proves useful.

My Vaultwarden is in a docker container behind nginx, and it is setup in authentik as a Forward auth proxy provider.
I am able to protect Vaultwarden web vault as well as the admin page while being able to use the Bitwarden app/extension normally by allowing the API to bypass authentik.

In Authentik > Provider > Advanced protocol settings > Unauthenticated Paths
I simply allowed the API by adding ^/api/.* to the Unauthenticated Paths, I also allowed a few other paths as well:

^/api/.*
^/wl/.*
^/identity/.*
^/images/.*

With this the Bitwarden app will bypass authentik flow, but you won't be able to use the web vault login, admin page or sends without authenticat…

View full answer

crowley69 · 2024-06-21T23:42:59Z

crowley69
Jun 21, 2024

I hope this proves useful.

My Vaultwarden is in a docker container behind nginx, and it is setup in authentik as a Forward auth proxy provider.
I am able to protect Vaultwarden web vault as well as the admin page while being able to use the Bitwarden app/extension normally by allowing the API to bypass authentik.

In Authentik > Provider > Advanced protocol settings > Unauthenticated Paths
I simply allowed the API by adding ^/api/.* to the Unauthenticated Paths, I also allowed a few other paths as well:

^/api/.*
^/wl/.*
^/identity/.*
^/images/.*

With this the Bitwarden app will bypass authentik flow, but you won't be able to use the web vault login, admin page or sends without authentication.

If your only goal is to protect the admin page behind authentik, the following regular expressions are all you need:

^/$
^/.*\.js
^/#/.*
^/#/login
^/#/2fa
^/#/vault
^/api/.*
^/images/.*
^/identity/.*
^/app/.*
^/locales/.*

Results may vary depending on your setup.

1 reply

MrDuartePT Nov 18, 2024

I add that option to the Unauthenticated Paths but the bitwarden app dosent let me login. And sync on my phone gives an error.

BlackDex · 2024-08-20T09:09:46Z

BlackDex
Aug 20, 2024
Collaborator

To make it a bit clear. It will not prevent an attacker if they really want to access your environment.
Since the API endpoints are still accessible, it will only prevent the web-interface from being directly available.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Can Bitwarden access vaultwarden through authentik or security proxy? #4611

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Can Bitwarden access vaultwarden through authentik or security proxy? #4611

SpiderUnderUrBed Jun 3, 2024

Replies: 2 comments · 1 reply

crowley69 Jun 21, 2024

MrDuartePT Nov 18, 2024

BlackDex Aug 20, 2024 Collaborator

SpiderUnderUrBed
Jun 3, 2024

Replies: 2 comments 1 reply

crowley69
Jun 21, 2024

BlackDex
Aug 20, 2024
Collaborator