OpenID Connect SSO in Vaultwarden Is the Best Feature You’ll Never Use
Hello everyone. Let’s talk about identity. Not your fragile little online persona on social media, not your pixelated ego in Call of Duty where you insist you’re “the best sniper in the lobby” while hiding behind a box – I mean identity in the software sense. Authentication. Single Sign-On. OpenID Connect. That delightful bureaucratic mess disguised as a convenience feature. Today I’ve been looking at the latest PR (#3899) that introduces OpenID Connect-based SSO support. And oh boy, does this thing bring a mix of optimism and frustration in equal parts.
The Good News: More Options for Authentication
The addition of OpenID Connect for SSO brings in another way to control access without leaning on archaic invitations and the ever-clunky LDAP. It’s flexible too: anything that publishes a standard discovery document at /.well-known/openid-configuration should work, from Keycloak to probably your neighbor’s Raspberry Pi running half-baked identity software, because the server reads the authorization, token and key endpoints from that document instead of hard-coding one vendor. On the surface, that’s not bad. Flexibility is usually good. After all, nobody likes getting locked into a single identity provider like it’s the DRM dungeon of Diablo III at launch.
But (and yes, there’s always a but) the master password? Still required. Still outside SSO. There is a reason for that: the vault is encrypted client-side with a key derived from the master password, so neither the server nor the identity provider can unlock it, and SSO only proves who you are, not what you know. Depending on your worldview, that’s either “a feature” as the author wordsmiths it, or just one more hoop between you and your vault. For me, it’s like going to a doctor, getting the right diagnosis, but then being told you still need to rub snake oil on your wounds “just in case.” Necessary? Sure. Elegant? Not even close.
The Licensing Elephant in the Room
The PR targets Vaultwarden, the unofficial Bitwarden-compatible server, and it has to tiptoe around Bitwarden’s own licensing, which might as well say “You can try, but not really.” The PR clearly distinguishes that commercial Bitwarden isn’t ever going to be buddy-buddy with this kind of SSO integration without legal acrobatics. So this work exists in that awkward no man’s land between community contribution and corporate shrugging. You know, like when a dev dangles a beta branch in front of you but whispers, “Don’t expect support if it burns down your house.”
Broken Pieces and Browser Shenanigans
Problems still abound. Organizational invitations don’t play nice when you chuck SSO in the mix, the desktop apps fail on Chrome (seriously, in 2024?), and the redirect URLs risk truncation because apparently some browsers decided that URLs should never exceed the length of a mediocre haiku. So the contributor packs the login state into a signed JWT, one compact query parameter instead of a sprawling one, like bubble wrap for fragile heirlooms. Practical? Maybe. Future-proof? We’ll see when WebKit decides to break it all again for fun.
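To make the two mechanics above concrete, here is an added Python sketch; it is illustrative code written for this post, not code from the Vaultwarden PR (which is Rust) or from Bitwarden. It reads an issuer’s discovery document, then builds the authorization request with the pending-login state packed into an HS256-signed JWT so the callback URL stays short and any tampering is detected. The discovery document, the idp.example.test and vault.example.test hostnames, the “vaultwarden” client id, the 300-second state lifetime and the 2048-character URL limit are all assumptions for the example; the PR’s own claim layout and key handling are its own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode, urlparse

# Constructed discovery document: what an issuer such as Keycloak serves at
# <issuer>/.well-known/openid-configuration, trimmed to the fields used here.
# Hostname and realm are made up for this example.
DISCOVERY_DOC = {
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.test/realms/demo/protocol/openid-connect/certs",
    "response_types_supported": ["code"],
}

STATE_TTL_SECONDS = 300  # assumed lifetime of a pending login; not a value from the PR
MAX_URL_LENGTH = 2048    # assumed conservative browser/proxy limit for the redirect URL


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_discovery(doc):
    """Validate a discovery document before trusting any endpoint in it."""
    required = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [k for k in required if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    for key in required:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} must be https, got {doc[key]!r}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("issuer does not advertise the authorization code flow")
    return {k: doc[k] for k in required}


def sign_state(claims, key, now=None):
    """Pack login state into an HS256 JWT so it survives the round trip intact."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + STATE_TTL_SECONDS, jti=secrets.token_urlsafe(16))

    def enc(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{enc(header)}.{enc(body)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_state(token, key, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuses alg=none and algorithm confusion
            return None
        expected = hmac.new(key, f"{h}.{b}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        body = json.loads(_b64url_decode(b))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(body, dict) or body.get("exp", 0) < now:
        return None
    return body


def build_authorize_url(cfg, client_id, redirect_uri, session_id, key, now=None):
    """Assemble the authorization request; state is bound to the browser session."""
    state = sign_state({"sid": session_id, "redirect": redirect_uri}, key, now)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
    }
    url = f"{cfg['authorization_endpoint']}?{urlencode(params)}"
    if len(url) > MAX_URL_LENGTH:
        raise ValueError(f"authorization URL is {len(url)} chars, over the assumed limit")
    return url, state


def handle_callback(returned_state, session_id, key, now=None):
    """Checks run when the IdP redirects back with ?code=...&state=..."""
    claims = verify_state(returned_state, key, now)
    if claims is None or not hmac.compare_digest(str(claims.get("sid", "")), session_id):
        return None  # forged, expired, or replayed from another browser session
    return claims
```

The signed state keeps the URL to one opaque parameter, but a signature alone does not stop login CSRF; that is why the example also binds the state to the caller’s session id and compares it again on the callback. In production the HMAC key must be persistent and shared across server instances, or every restart invalidates in-flight logins.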
The Maintainers’ Dilemma
Here’s where things get entertaining: multiple competing PRs for SSO are floating around. The maintainers, stuck like indecisive raid leaders, don’t want to commit because they’ve got too many pulls on the same boss and no one can agree on a strat. The contributor recommends just merging it behind a feature flag (SSO_ENABLED) and letting the community bang on it, but apparently, that’s too simple. Instead, we’re stuck in this endless “maybe later” loop while diffs grow like unchecked tumors in a patient who skipped their checkup.
“Let’s stall until we forget what the original code even looked like.” – The unspoken motto of open-source maintainers everywhere.
Community Voices: Merge It Already
The community is screaming in unison: “Just merge a beta already!” Testers and sponsors are volunteering like it’s the final boss fight of a Kickstarter project, yet the hesitation remains. Everyone realizes that the longer this sits, the uglier the merge becomes. Yet here we are. At this rate, you’ll get working SSO support right after Star Citizen releases a finished campaign, which is to say, never in your lifetime.
Final Thoughts: A Band-Aid on a Fracture
This PR is a solid foundation. The work deserves praise, the contributor deserves credit, and the community deserves the ability to test it without waiting another half-decade. However, let’s not pretend it’s flawless. Between broken Chrome integration, licensing limitations, and maintainers treating this like radioactive waste, the path forward is anything but clean.
It’s like finishing a dungeon run with half your party dead, a bag full of loot you can’t equip, and the exit door bugged shut. You know victory is in sight, but the game just won’t let you have it.
Overall impression? The PR is good, it deserves to be merged, but the dithering and the messy reality of maintenance turn it into yet another shining feature buried in GitHub purgatory.
And that, ladies and gentlemen, is entirely my opinion.
Article source: Vaultwarden commit introduces SSO using OpenID Connect