[GH-ISSUE #2014] WebAuthn implementation bitwarden app #1124

New issue

Closed

opened 2026-03-03 02:06:27 +03:00 by kerem · 2 comments

kerem commented 2026-03-03 02:06:27 +03:00

Owner

Copy link

Originally created by @kaasszje on GitHub (Oct 1, 2021).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2014

The new bitwarden android app (version 2.13.0)
Has an update on authentication:
Added WebAuthn/FIDO2/U2F as supported 2FA option for app login

However when the app tries to make use of this it calls to:
/webauthn-mobile-connector.html on the webserver.

Which is generate a http 404 because it's not available.
(Html file is not there)

Support string:

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.22.2
• Web-vault version: v2.21.1
• Running within Docker: true
• Environment settings overridden: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.35.4
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****.***-*********.**",
  "domain_origin": "*****://*****.***-*********.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "*********@***-*********.**",
  "smtp_from_name": "Bitwarden_RS",
  "smtp_host": "****.*****.**",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "*.*.*********@*****.**",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
}

Originally created by @kaasszje on GitHub (Oct 1, 2021). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2014 The new bitwarden android app (version 2.13.0) Has an update on authentication: Added WebAuthn/FIDO2/U2F as supported 2FA option for app login However when the app tries to make use of this it calls to: /webauthn-mobile-connector.html on the webserver. Which is generate a http 404 because it's not available. (Html file is not there) Support string: ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.22.2 * Web-vault version: v2.21.1 * Running within Docker: true * Environment settings overridden: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.35.4 * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": false, "_ip_header_enabled": true, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "authenticator_disable_time_drift": false, "data_folder": "data", "database_max_conns": 10, "database_url": "****/**.*******", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*****.***-*********.**", "domain_origin": "*****://*****.***-*********.**", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_expiration_time": 600, "email_token_size": 6, "enable_db_wal": true, "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "Info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "org_attachment_limit": null, "org_creation_users": "", "password_iterations": 100000, "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": true, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_explicit_tls": false, "smtp_from": "*********@***-*********.**", "smtp_from_name": "Bitwarden_RS", "smtp_host": "****.*****.**", "smtp_password": "***", "smtp_port": 587, "smtp_ssl": true, "smtp_timeout": 15, "smtp_username": "*.*.*********@*****.**", "templates_folder": "data/templates", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_syslog": false, "user_attachment_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": true, "websocket_port": 3012, } ``` </details>

kerem closed this issue 2026-03-03 02:06:27 +03:00

kerem commented 2026-03-03 02:06:28 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Oct 1, 2021):

Already solved in the current testing image on docker hub by using the web-vault v2.23.0.

<!-- gh-comment-id:932085633 --> @BlackDex commented on GitHub (Oct 1, 2021): Already solved in the current `testing` image on docker hub by using the web-vault v2.23.0.

kerem commented 2026-03-03 02:06:28 +03:00

Author

Owner

Copy link

@d4mation commented on GitHub (Oct 12, 2021):

This seems like it may still be at least partially broken in testing. The page exists now so the 404 does not happen, but the app gets a Can't recover login challenge error returned to it.

Here's the relevant portion I found in the Logs:

[2021-10-12 14:23:32.152][request][INFO] POST /identity/connect/token
[2021-10-12 14:23:32.203][vaultwarden::api::core::two_factor::webauthn][ERROR] Can't recover login challenge
[2021-10-12 14:23:32.203][response][INFO] POST /identity/connect/token (login) => 400 Bad Request

Edit: Strangely it works now? Nothing is different with my setup that I'm aware of. I guess ignore this ¯\_(ツ)_/¯

<!-- gh-comment-id:941267178 --> @d4mation commented on GitHub (Oct 12, 2021): This seems like it may still be at least partially broken in `testing`. The page exists now so the 404 does not happen, but the app gets a `Can't recover login challenge` error returned to it. Here's the relevant portion I found in the Logs: ``` [2021-10-12 14:23:32.152][request][INFO] POST /identity/connect/token [2021-10-12 14:23:32.203][vaultwarden::api::core::two_factor::webauthn][ERROR] Can't recover login challenge [2021-10-12 14:23:32.203][response][INFO] POST /identity/connect/token (login) => 400 Bad Request ``` Edit: Strangely it works now? Nothing is different with my setup that I'm aware of. I guess ignore this ¯\\_(ツ)\_/¯

kerem referenced this issue 2026-03-03 09:08:49 +03:00

[PR #1124] [MERGED] Fixing MsgPack headers type and support mobile SignalR #2889

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#1124

No description provided.