From 1fec4cb2808663eab0d67ab54e412026a16b380e Mon Sep 17 00:00:00 2001
From: Patrick Pimentel
Date: Fri, 9 Jan 2026 15:14:21 -0500
Subject: [PATCH] fix(redirect): [PM-26578] Https Redirection for Cloud Users - Added deeplink scheme to duo redirect uri.
---
 .../DuoUniversalTokenService.cs | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs b/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs
index a59a76de0a..2a299cbcd9 100644
--- a/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs
+++ b/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs
@@ -157,13 +157,28 @@ public class DuoUniversalTokenService(
 return false;
 }

+ private static bool IsBitwardenCloudHost(string host)
+ {
+ if (string.IsNullOrWhiteSpace(host))
+ {
+ return false;
+ }
+
+ var normalizedHost = host.ToLowerInvariant();
+ return normalizedHost.EndsWith("bitwarden.com") ||
+ normalizedHost.EndsWith("bitwarden.eu") ||
+ normalizedHost.EndsWith("bitwarden.pw");
+ }
+
 public async Task BuildDuoTwoFactorClientAsync(TwoFactorProvider provider)
 {
 // Fetch Client name from header value since duo auth can be initiated from multiple clients and we want
 // to redirect back to the initiating client
 _currentContext.HttpContext.Request.Headers.TryGetValue("Bitwarden-Client-Name", out var bitwardenClientName);
- var redirectUri = string.Format("{0}/duo-redirect-connector.html?client={1}",
- _globalSettings.BaseServiceUri.Vault, bitwardenClientName.FirstOrDefault() ?? "web");
+ var requestHost = _currentContext.HttpContext?.Request?.Host.Host;
+ var deeplinkScheme = IsBitwardenCloudHost(requestHost) ? "https" : "bitwarden";
+ var redirectUri = string.Format("{0}/duo-redirect-connector.html?client={1}&deeplinkScheme={2}",
+ _globalSettings.BaseServiceUri.Vault, bitwardenClientName.FirstOrDefault() ?? "web", deeplinkScheme);

 var client = new Duo.ClientBuilder(
 (string)provider.MetaData["ClientId"],
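Review bot: `IsBitwardenCloudHost` does a bare suffix test with no label boundary, so any host that merely ends in one of the strings (a constructed example: `notbitwarden.com`) is classified as Bitwarden cloud; it should match the domain itself or a dot-prefixed suffix, with an explicit `StringComparison.OrdinalIgnoreCase` instead of `ToLowerInvariant()` plus culture-sensitive `EndsWith`. The value it tests, `Request.Host.Host`, comes from the request's Host header, and no host filtering is visible in this hunk. The scheme decision in `BuildDuoTwoFactorClientAsync` would therefore be safer if derived from server configuration, for instance the host of `_globalSettings.BaseServiceUri.Vault`. On the rewritten `string.Format` line, `bitwardenClientName` is also header-supplied and goes into the query string unencoded, so wrapping it in `Uri.EscapeDataString(...)` would keep it from carrying its own `&deeplinkScheme=` parameter. `BuildDuoTwoFactorClientAsync` continues past the end of the hunk.

```csharp
private static bool IsBitwardenCloudHost(string host)
{
    // … unchanged: null/whitespace guard …

    // Accept the cloud domain itself or a true subdomain; a plain suffix test
    // would also accept unrelated hosts that merely end in the same characters.
    var cloudDomains = new[] { "bitwarden.com", "bitwarden.eu", "bitwarden.pw" };
    return cloudDomains.Any(domain =>
        host.Equals(domain, StringComparison.OrdinalIgnoreCase) ||
        host.EndsWith("." + domain, StringComparison.OrdinalIgnoreCase));
}
```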