[GH-ISSUE #4129] Error decoding JWT immediately after login #1795

Closed
opened 2026-03-03 02:12:15 +03:00 by kerem · 6 comments

Originally created by @hzliu on GitHub (Dec 5, 2023).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4129

  • vaultwarden version: 1.30.1

  • Install method: docker image

  • Clients used: web vault / android client

  • Reverse proxy and version: nginx 1.14.1

use sqlite

the server log followed:

/--------------------------------------------------------------------\
|                        Starting Vaultwarden                        |
|                           Version 1.30.1                           |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://github.com/dani-garcia/vaultwarden/discussions or        |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/

[2023-12-05 01:30:34.734][start][INFO] Rocket has launched from http://0.0.0.0:80
[2023-12-05 01:31:49.424][request][INFO] GET /api/devices/knowndevice
[2023-12-05 01:31:49.748][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2023-12-05 01:31:54.103][request][INFO] POST /identity/accounts/prelogin
[2023-12-05 01:31:54.112][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2023-12-05 01:31:54.313][request][INFO] POST /identity/connect/token
[2023-12-05 01:31:54.663][error][ERROR] 2FA token not provided
[2023-12-05 01:31:54.664][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2023-12-05 01:32:12.186][request][INFO] POST /identity/connect/token
[2023-12-05 01:32:12.670][vaultwarden::api::identity][INFO] User xxxxx logged in successfully. IP: xxx.xxx.xxx.xxx
[2023-12-05 01:32:12.670][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-12-05 01:32:12.859][request][INFO] GET /api/config
[2023-12-05 01:32:12.859][response][INFO] (config) GET /api/config => 200 OK
[2023-12-05 01:32:13.023][request][INFO] POST /identity/connect/token
[2023-12-05 01:32:13.054][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-12-05 01:32:13.231][request][INFO] GET /api/config
[2023-12-05 01:32:13.249][response][INFO] (config) GET /api/config => 200 OK
[2023-12-05 01:32:13.327][request][INFO] GET /api/sync?excludeDomains=true
[2023-12-05 01:32:13.328][vaultwarden::auth][ERROR] Error decoding JWT
[2023-12-05 01:32:13.328][auth][ERROR] Unauthorized Error: Invalid claim
[2023-12-05 01:32:13.328][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
[2023-12-05 01:32:13.328][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized
[2023-12-05 01:32:13.527][request][INFO] GET /api/config
[2023-12-05 01:32:13.527][response][INFO] (config) GET /api/config => 200 OK
[2023-12-05 01:32:13.528][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2023-12-05 01:32:13.528][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from xxx.xxx.xxx.xxx
[2023-12-05 01:32:13.528][vaultwarden::auth][ERROR] Error decoding JWT
[2023-12-05 01:32:13.528][vaultwarden::api::notifications][ERROR] Invalid token
[2023-12-05 01:32:13.528][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 401 Unauthorized
[2023-12-05 01:32:13.725][request][INFO] GET /api/config
[2023-12-05 01:32:13.725][response][INFO] (config) GET /api/config => 200 OK

  • Other relevant details:

Steps to reproduce

just login with the web vault

kerem closed this issue 2026-03-03 02:12:15 +03:00

@BlackDex commented on GitHub (Dec 5, 2023):

Please provide the support string and in this case also your nginx reverse proxy config.


@hzliu commented on GitHub (Dec 5, 2023):

I can't get the support string since the same "Error decoding JWT" problem also affects the admin page:

[2023-12-05 03:23:13.570][request][INFO] GET /admin
[2023-12-05 03:23:13.585][response][INFO] (admin_page_login) GET /admin/ [2] => 200 OK
[2023-12-05 03:23:29.082][request][INFO] POST /admin
[2023-12-05 03:23:29.092][response][INFO] (post_admin_login) POST /admin/ => 200 OK
[2023-12-05 03:23:58.255][request][INFO] GET /admin/diagnostics
[2023-12-05 03:23:58.258][vaultwarden::auth][ERROR] Error decoding JWT
[2023-12-05 03:23:58.258][vaultwarden::api::admin][ERROR] Invalid or expired admin JWT. IP: xxx.xxx.xxx.xxx.

the reverse proxy config:

    upstream vaultwarden-default {
      zone vaultwarden-default 64k;
      server 127.0.0.1:8080;
      keepalive 2;
    }

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      "";
    }

    server {
        server_name  xxx.xxx.xxx;

        client_max_body_size 128M;

        location / {
          proxy_http_version 1.1;

          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;

          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Forwarded $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_pass http://vaultwarden-default;
        }
    }

ps: no config.json, the only env specified is DOMAIN=https://xxx.xxx.xxx, where xxx.xxx.xxx matches the server_name in ngx config


@BlackDex commented on GitHub (Dec 5, 2023):

Try to remove the `rsa_key.*` files from your Vaultwarden data directory, restart Vaultwarden and see if that helps.


@hzliu commented on GitHub (Dec 6, 2023):

rsa_key.* removed and vaultwarden restarted, same error


@BlackDex commented on GitHub (Dec 6, 2023):

Try to disable the admin token to log in to the admin interface; that way you can just use the admin interface and the JWT decode should not be an issue. And then check the diagnostics page.

It could be date/time issues. It could be host issues in some way.

Else something maybe changed with your reverse proxy which does something with the JWT token maybe.
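
The date/time and host possibilities raised in this comment can be checked from a token's claims alone. The following is an added example, not part of the original thread and not Vaultwarden code: it reads `nbf`, `exp` and `iss` without verifying the signature, so it cannot detect a key mismatch such as a stale `rsa_key.*` pair. The function names, the `vault.example` host, the `<DOMAIN>|login` issuer format and the 30-second leeway are assumptions.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claim_problems(token, expected_issuer, now=None, leeway=30):
    """List reasons the claims would be rejected. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:  # also covers binascii.Error and JSONDecodeError
        return ["malformed: payload is not a base64url-encoded JSON object"]
    now = time.time() if now is None else now
    problems = []
    if "nbf" in claims and claims["nbf"] > now + leeway:
        problems.append(f"nbf is {claims['nbf'] - now:.0f}s in the future (clock skew?)")
    if "exp" in claims and claims["exp"] < now - leeway:
        problems.append(f"exp passed {now - claims['exp']:.0f}s ago")
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != expected {expected_issuer!r}")
    return problems


def make_sample(iss, nbf, exp):
    """Build a constructed sample token with a dummy signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"typ": "JWT", "alg": "RS256"})
    payload = enc({"iss": iss, "nbf": nbf, "exp": exp})
    return f"{header}.{payload}.c2ln"


if __name__ == "__main__":
    NOW = 1701739933  # constructed "current time" for the samples
    ISS = "https://vault.example|login"  # assumed issuer format, hypothetical host
    samples = {
        "healthy": make_sample(ISS, NOW - 1, NOW + 7200),
        "issuer clock 10 min ahead": make_sample(ISS, NOW + 600, NOW + 7800),
        "DOMAIN scheme mismatch": make_sample("http://vault.example|login", NOW - 1, NOW + 7200),
    }
    for name, tok in samples.items():
        print(name, "->", claim_problems(tok, ISS, now=NOW) or "claims OK")
```

If every claim checks out and the server still logs "Error decoding JWT", the signature or key material is the remaining suspect.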


@hzliu commented on GitHub (Dec 6, 2023):

thx, removing the rsa key pair fixed the problem.
