I selfhost vaultwarden for my use only. Can someone please explain it like I am 5 what's the use case of this new feature? Is it to log in to vaultwarden using an OpenID?
I love this product have used it for a long time now but more recently started getting worried about security. I hope the maintainers are doing their due diligence around securing their docker hub account (many of us run VW in docker) and are careful about libraries the project depends on. Some questionable coding practices were made that I'm not sure I agree with (calling a 3rd party sites in some scenarios). As more of us switch to self hosting VW it will become a juicer target for bad actors. Really hoping we don't wake up one day to find out that our database was uploaded by a BA
For single user or family supported instances this will not make huge difference because this will still require entering master password (which is good). It would be good for cases when it would make it easier in team or company settings when the manual work to add and setup accounts with access to password collections is annoying.
Most of the comments seem to confirm (all but one at time of writing) that this feature is more intended for corporate/business environments. Does anyone know if Vaultwarden has commercial users? By no means am I arguing against the inclusion of this feature, I'm just curious. Everywhere I've worked that was big enough to use SSO was also wary of selfhosting FOSS tools. I should clarify I don't consider myself working in tech, fwiw.
Interesting to see a PR being merged after good 2 years. Thought about the idea of reviewing the changes for self learning, however the number of files involved made me to give up on that idea soon enough. The number of comments (610) gave an impression that the PR must have been reviewed thoroughly, however a close look tells that the comments are mostly about the topic itself, not about the code changes. Unless the code review is managed internally, the PR gives an impression of mostly happy paths.
Definitely cool functionality to see. I hope this doesn't pull too much from what might otherwise be Enterprise Bitwarden customers. Definitely supportive of the upstream project, while Vaultwarden seems to take less server resources to run, and simpler from what I understand.
Mostly unrelated. Does anyone know of an alternative open source extension to the Bitwarden extension? I don't mind paying for the Bitwarden service to sync etc. but the new React-based extension is incredibly slow on my M1 Max.
I've moved my credentials over from pass to Vaultwarden about a month ago (after discovering the pass Android app was abandoned and pulled off app stores), and spent the last two weeks since discovering Pocket ID migrating a few self-hosted services to OIDC.
18 comments
[ 4.4 ms ] story [ 45.1 ms ] threadhttps://www.heise.de/en/news/Password-manager-BSI-reports-cr...
Yes, it does.
Freeing up the SSO tax.
The logic is simple, Bitwarden is not there to detect intrusion attempts and safeguard your server so you gotta do it yourself, that's why its free.
I've moved my credentials over from pass to Vaultwarden about a month ago (after discovering the pass Android app was abandoned and pulled off app stores), and spent the last two weeks since discovering Pocket ID migrating a few self-hosted services to OIDC.