Admin role for access to admin console not respected

[Deytron]

Kubernetes version: v1.33.3
OIDCWarden version: v2025.8.1-1-alpine

Hello,

When accessing the admin console page with the following config, I am unable to use the mapped group with my SSO user to access the page:

Here's the relevant config:

ORG_GROUPS_ENABLED: "true"
    SSO_SIGNUPS_MATCH_EMAIL: "true"
    SSO_ENABLED: "true"
    SSO_ONLY: "true"
    SSO_AUTHORITY: https://xxx.xxx/application/o/vaultwarden/
    SSO_SCOPES: "openid email profile roles groups offline_access"
    ORGANIZATION_INVITE_AUTO_ACCEPT: "true"
    SSO_ORGANIZATIONS_ENABLED: "true"
    SSO_ORGANIZATIONS_GROUPS_ENABLED: "true"
    SSO_ORGANIZATIONS_TOKEN_PATH: /groups
    SSO_ROLES_ENABLED: "true"
    SSO_ROLES_DEFAULT_TO_USER: "true"
    SSO_ROLES_TOKEN_PATH: /roles
    SSO_ORGANIZATIONS_NAME: "xxx"
    SSO_AUTH_ONLY_NOT_SESSION: "true"
    SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: "false"
    SSO_DEBUG_TOKENS: "true"
    LOG_LEVEL: "info,oidcwarden::sso=debug"
    # SSO_CLIENT_CACHE_EXPIRATION: "0"
    SSO_CLIENT_ID:
      secretKeyRef:
        name: oidc
        key: client-id
    SSO_CLIENT_SECRET:
      secretKeyRef:
        name: oidc
        key: client-secret

In Authentik, I am using the following property mapping to map the groups according to my Authentik config:

if any(g.name == "authentik Admins" for g in user.ak_groups.all()):
    return {"groups": ["Admins"], "roles": ["OrgAdmin", "admin"]}
elif... # other org group mappings

When logging in, this returns the following info:

vaultwarden-8f4647cdc-fbqgr vaultwarden [2025-09-17 21:39:14.094][oidcwarden::sso][DEBUG] Authenticated user OIDCAuthenticatedUser { refresh_token: Some("xxx", expires_in: Some(1800s), identifier: OIDCIdentifier("https://xxx.xxx/application/o/vaultwarden//user"), email: "xxx@xxx", email_verified
: Some(true), user_name: Some("user"), role: Some(Admin), org_role: Some(OrgAdmin), groups: Some(["Admins", "authentik Admins", "Other-group"]) }                                                                                                                                                                
vaultwarden-8f4647cdc-fbqgr vaultwarden [2025-09-17 21:39:14.109][oidcwarden::sso][DEBUG] Organization and groups sync for user xxx@xxx with ["Admins", "authentik Admins", "Other-group"]                                                                                                                  
vaultwarden-8f4647cdc-fbqgr vaultwarden [2025-09-17 21:39:14.110][oidcwarden::sso][WARN] Failed to correctly match user groups, revoking will be disabled                                                                                                                                                                    
vaultwarden-8f4647cdc-fbqgr vaultwarden [2025-09-17 21:39:14.110][oidcwarden::sso][WARN] Identifier (Other-group - None)  returned no match                                                                                                                                                                                    
vaultwarden-8f4647cdc-fbqgr vaultwarden [2025-09-17 21:39:14.110][oidcwarden::sso][WARN] Identifier (authentik Admins - None)  returned no match                                                                                                                                                                             
vaultwarden-8f4647cdc-fbqgr vaultwarden [2025-09-17 21:39:14.111][oidcwarden::sso][DEBUG] Matched organizations [("Org", {GroupId("d0129674-2499-4571-a644-d9e798a4f6a5")})]                                                                                                                                           
vaultwarden-8f4647cdc-fbqgr vaultwarden [2025-09-17 21:39:14.118][oidcwarden::api::identity][INFO] User user logged in successfully. IP: XXX.XXX.XXX.XXX                                                                                                                                                        
vaultwarden-8f4647cdc-fbqgr vaultwarden [2025-09-17 21:39:14.119][response][INFO] (login) POST /identity/connect/token => 200 OK 

I see that there's some group and org matching, but I don't get the admin cookie.

Is there somerthing I'm missing?

[Timshel]

Hey,

I'm not sure what's happening here, we can see that the OIDCAuthenticatedUser contains role: Some(Admin) so no issue reading the role from Authentik token.
But if it was working correctly we should see a log User {} logged with admin cookie before the logged in successfully.

I can't reproduce with Keycloak and looking at the code can't see anything.

The org sync warn should have no impact, but will do more tests.

[Timshel]

I played a bit with the Authentik docker compose, since I'm not familiar with it, I just created a group named admin and assigned it to the user.

And with the additional config of i was able to test the mapping (using /groups for role is a bit ugly but wanted to test without having to search how to add and map a scope in Authentik).

SSO_ROLES_ENABLED=true
SSO_ROLES_DEFAULT_TO_USER=true
SSO_ROLES_TOKEN_PATH="/groups"

SSO_ORGANIZATIONS_ENABLED=true
SSO_ORGANIZATIONS_TOKEN_PATH="/groups"

This way I had logs similar to yours:

[2025-10-02 15:27:39.877][oidcwarden::sso][DEBUG] Authenticated user OIDCAuthenticatedUser { refresh_token: ... email: "test@yopmail.com", email_verified: Some(true), user_name: Some("test"), role: Some(Admin), org_role: None, groups: Some(["admin"]) }
[2025-10-02 15:27:39.879][oidcwarden::sso][DEBUG] Organization and groups sync for user test@yopmail.com with ["admin"]
[2025-10-02 15:27:39.879][oidcwarden::sso][WARN] Failed to correctly match user groups, revoking will be disabled
[2025-10-02 15:27:39.879][oidcwarden::sso][WARN] Identifier (admin - None)  returned no match
[2025-10-02 15:27:39.879][oidcwarden::sso][DEBUG] Matched organizations []

And was able to access the admin console. So I don't think the issue is with the mapping.

So it's probably with the cookie itself, are you using the same url as the one set in DOMAIN to access the admin console ?
The url itself should not be important but if a different protocol is used (http vs https) it will cause issue since the secure attribute is set depending on the protocol present in DOMAIN (I have a fix to backport to improve this).

[Deytron]

I just tried to do it like you did, but I just could not manage to make it work. The domain is set to the same URL as the admin page, with https.

Here are the cookies I get when on the admin page (unfortunately could not copy the raw data):

I don't know if it can be any useful unfortunately.
What I would like to be able to do, if everything else fails, is just to be able to have the variable SSO_ROLES_TOKEN_PATH set and just be able to use the admin token, as it looks like enabling the variable disables the admin token, and I need to be able to access the org admin panel

[Timshel]

I don't see the admin token in your list, it should be named VW_ADMIN.

It should be set with the response to the initial call to the token endpoint (/identity/connect/token) when logging (Unless SSO_SYNC_ON_REFRESH=true is activated then all token calls will return it).

[alainstucki]

Hi
I have exactly the same problem.

i not get any cookie from the /identity/connect/token endpoint.
the only cookie i ever get is the "ssoHandOffMessage".
any idea what is happening here?

[Timshel]

Hey,
Had a look again still can't really understand what's happening.
There is a scenario where the cookie is removed, but I can't understand why it would not be set initially.

Could you share the full server log when running with SSO_DEBUG_TOKENS=true, from

[2025-10-22 15:14:02.930][oidcwarden::sso][DEBUG] Authenticated user OIDCAuthenticatedUser ...
....
[2025-10-22 15:16:35.469][request][INFO] GET /admin/