[GH-ISSUE #1803] Webauthn Request Failing #1060

Closed
opened 2026-03-03 02:05:55 +03:00 by kerem · 6 comments

Originally created by @quexten on GitHub (Jun 28, 2021).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1803

Subject of the issue

On the new v1.22.0 image, registering a new Webauthn key does not work.
I am using a Yubikey, and when registering the put request to /api/two-factor/webauthn fails with a ~~404~~ 400 error.
{"ErrorModel":{"Message":"Webauthn","Object":"error"},"Message":"","Object":"error","ValidationErrors":{"":["Webauthn"]},"error":"","error_description":""}

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.22.0
  • Web-vault version: v2.20.4b
  • Running within Docker: true
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (CF-Connecting-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Install method: Docker vaultwarden/server:1.22.0
  • Clients used: For the bug: Web client.
  • Reverse proxy and version: Traefik 2.4.8 and Cloudflare.
  • MySQL/MariaDB or PostgreSQL version:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: WEBSOCKET_ENABLED

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********.*******.***/",
  "domain_origin": "*****://*********.*******.***",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Quexlabs",
  "invitations_allowed": true,
  "ip_header": "CF-Connecting-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": true,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "*******.***@*****.***",
  "smtp_from_name": "Bitwarden",
  "smtp_host": "****.**********.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "*******.***",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": "54614",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Steps to reproduce

Register a key with Webauthn. This results in a ~~404~~ 400 error in the network log, and an error popping up in the web vault.

Expected behaviour

The key should be registered.

Actual behaviour

There was an error message.

Troubleshooting data

[2021-06-28 18:36:09.370][request][INFO] GET /api/accounts/revision-date
[2021-06-28 18:36:09.370][response][INFO] GET /api/accounts/revision-date (revision_date) => 200 OK
[2021-06-28 18:36:40.719][request][INFO] POST /api/two-factor/get-webauthn-challenge
[2021-06-28 18:36:40.910][response][INFO] POST /api/two-factor/get-webauthn-challenge (generate_webauthn_challenge) => 200 OK
[2021-06-28 18:36:45.748][request][INFO] PUT /api/two-factor/webauthn
[2021-06-28 18:36:45.833][error][ERROR] Webauthn.
[CAUSE] InvalidRPOrigin
[2021-06-28 18:36:45.833][response][INFO] PUT /api/two-factor/webauthn (activate_webauthn_put) => 400 Bad Request

kerem closed this issue 2026-03-03 02:05:55 +03:00

@BlackDex commented on GitHub (Jun 28, 2021):

I don't see a 404 in the logs.
Could you clear/invalidate the Cloudflare cache and try again?
Also maybe try with an Incognito/Private browser/tab

@quexten commented on GitHub (Jun 28, 2021):

I disabled Cloudflare and made sure my browser isn't connecting through Cloudflare. The issue still occurs. As shown in the troubleshooting data the cause seems to be an "InvalidRPOrigin", but I couldn't find a setting in the admin panel to set the RPOrigin. The rpid sent in the webauthn challenge is the domain that I'm accessing the web vault through though. And I had a typo in the issue above, it should be error 400, not 404.

@BlackDex commented on GitHub (Jun 28, 2021):

Well, that config is linked to the DOMAIN variable.
But when generating the support string, that does seem to be correct.

Could you try to turn on log_level=debug? And check the logs there?

@BlackDex commented on GitHub (Jun 28, 2021):

Just to be sure.
You do access the site via the browser on the exact same URL, including port, https:// etc... as configured via the DOMAIN config right?

@quexten commented on GitHub (Jun 28, 2021):

Okay, enabling the debug logging helped track down the issue.
The domain URL I had configured was: https://bitwarden.MY_HOST.com/ while it should have been https://bitwarden.MY_HOST.com (without the trailing slash). Before Webauthn this didn't seem to cause an issue, but the debug log stated that this was the cause for the failure, and changing it fixed it.

Thanks for the help!

@BlackDex commented on GitHub (Jun 28, 2021):

Ok, good to know, we may need to add some filtering there, or some validation.

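The origin comparison behind the InvalidRPOrigin error, and the kind of validation the last comment suggests, as an added example in Rust that is not vaultwarden's own code; the `bitwarden.example.com` names and the `naive_check`/`normalized_check` functions are constructed for illustration.

```rust
// Added example (not vaultwarden's own code): deriving a WebAuthn relying
// party's expected origin from a configured DOMAIN, and why a trailing slash
// in that value makes an exact-string comparison fail with InvalidRPOrigin.
#[derive(Debug, PartialEq, Eq)]
pub struct Origin {
    pub scheme: String,
    pub host: String,
    pub port: Option<u16>, // None when it is the scheme's default port
}

#[derive(Debug, PartialEq, Eq)]
pub enum RpOriginError {
    InvalidRpOrigin,
}

/// Parse "scheme://host[:port][/path]" into its origin parts. Path, query and
/// fragment are not part of an origin, so "https://h/" and "https://h" agree.
pub fn parse_origin(s: &str) -> Option<Origin> {
    let (scheme, rest) = s.trim().split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    let default_port: u16 = match scheme.as_str() { "https" => 443, "http" => 80, _ => return None };
    let end = rest.find(|c: char| c == '/' || c == '?' || c == '#').unwrap_or(rest.len());
    let authority = &rest[..end];
    // Bracketed IPv6 literals are not handled here; they contain ':' themselves.
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) if !h.contains(':') => (h, Some(p.parse::<u16>().ok()?)),
        _ => (authority, None),
    };
    if host.is_empty() || host.contains('@') {
        return None; // userinfo in an origin is never valid
    }
    Some(Origin { scheme, host: host.to_ascii_lowercase(), port: port.filter(|&p| p != default_port) })
}

/// The failing comparison from this issue: the configured DOMAIN is compared
/// byte-for-byte with the `origin` field of clientDataJSON, so "https://host/"
/// never equals the "https://host" the browser sends.
pub fn naive_check(configured_domain: &str, client_origin: &str) -> Result<(), RpOriginError> {
    if configured_domain == client_origin { Ok(()) } else { Err(RpOriginError::InvalidRpOrigin) }
}

/// Hardened comparison: normalise both sides to (scheme, host, port) first, so a
/// trailing slash or explicit default port no longer breaks registration, while
/// a different host, scheme or non-default port is still rejected.
pub fn normalized_check(configured_domain: &str, client_origin: &str) -> Result<(), RpOriginError> {
    match (parse_origin(configured_domain), parse_origin(client_origin)) {
        (Some(a), Some(b)) if a == b => Ok(()),
        _ => Err(RpOriginError::InvalidRpOrigin),
    }
}
```

The normalised form is also what a config validator can use to warn at startup when DOMAIN carries a path, query or fragment that the origin check will silently ignore.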