What app is this about, and its version: Vaultwarden + DEX
What YunoHost version are you running: 12.1.39
What type of hardware are you using: Old laptop or computer
Describe your issue
Vaultwarden SSO with YunoHost Dex — Fix for “invalid_client” error
If you get Failed to contact token endpoint: invalid_client when trying to use SSO in Vaultwarden with YunoHost’s Dex, the cause is SSOwat stripping the Basic Auth header before it reaches Dex. This is an anti-spoofing protection built into YunoHost’s SSO layer.
Fix:
```bash
sudo yunohost app setting dex protect_against_basic_auth_spoofing -v "false"
sudo yunohost app setting dex auth_header -v "basic-without-password"
sudo yunohost app ssowatconf
```
Other gotchas encountered along the way:
- Vaultwarden reads config.json, not .env — set SSO values via the admin panel at /vaultwarden/admin or edit /home/yunohost.app/vaultwarden/config.json directly. Changes to .env seem to be silently ignored for any setting that exists in config.json.
- Dex config is auto-generated — never edit /var/www/dex/config.yaml directly. Add static clients in /var/www/dex/config.yaml.d/ as separate files, e.g. /var/www/dex/config.yaml.d/vaultwarden:

```yaml
- id: vaultwarden
  secret: your-secret-here
  name: vaultwarden
  redirectURIs:
```
- Vaultwarden .env settings that must match:

```env
SSO_ENABLED=true
SSO_AUTHORITY=https://yourdomain.tld/dex
SSO_CLIENT_ID=vaultwarden
SSO_CLIENT_SECRET=your-secret-here
SSO_SCOPES=openid profile email offline_access
SSO_PKCE=true
SSO_SIGNUPS_MATCH_EMAIL=true
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true
```

But remember these are overridden by config.json — set them via the admin panel instead.
- The SSO button appears on the login page.
- Master password is still required.
Hope this helps other YunoHost users!
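
An added example, not part of the original post: a small check for the config.json-over-.env gotcha described above, listing SSO settings whose .env value differs from the value config.json makes effective. It assumes config.json uses the lowercase form of each variable name; the sample inputs are constructed, and the function names are this example's own.

```python
import json

# SSO variables taken from the post's .env list.
# Assumption: config.json stores each one under its lowercase name.
SSO_KEYS = ["SSO_ENABLED", "SSO_AUTHORITY", "SSO_CLIENT_ID",
            "SSO_CLIENT_SECRET", "SSO_SCOPES", "SSO_PKCE"]

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env

def normalise(value):
    """Render JSON booleans like .env text so true and "true" compare equal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).strip()

def shadowed_settings(env_text, config_json_text):
    """Return {KEY: (env_value, effective_value)} where config.json wins and differs."""
    env = parse_env(env_text)
    config = json.loads(config_json_text)
    findings = {}
    for key in SSO_KEYS:
        cfg_key = key.lower()
        if key in env and cfg_key in config:
            effective = normalise(config[cfg_key])
            if normalise(env[key]) != effective:
                findings[key] = (env[key], effective)
    return findings

def redact(key, value):
    """Keep client secrets out of terminal output and pasted logs."""
    return "<redacted>" if "SECRET" in key else value

# Constructed sample data: config.json still holds an old secret and SSO off.
SAMPLE_ENV = ("SSO_ENABLED=true\nSSO_AUTHORITY=https://yourdomain.tld/dex\n"
              "SSO_CLIENT_ID=vaultwarden\nSSO_CLIENT_SECRET=your-secret-here\nSSO_PKCE=true\n")
SAMPLE_CONFIG = json.dumps({"sso_enabled": False, "sso_client_id": "vaultwarden",
                            "sso_authority": "https://yourdomain.tld/dex",
                            "sso_client_secret": "old-secret"})

if __name__ == "__main__":
    for k, (wanted, actual) in shadowed_settings(SAMPLE_ENV, SAMPLE_CONFIG).items():
        print(f"{k}: .env={redact(k, wanted)} effective={redact(k, actual)}")
```

A mismatch on the client secret is worth ruling out first, since a secret that differs from the one in the Dex static client file is also rejected as invalid_client.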