[GH-ISSUE #4505] Expired Authorization after Duo Push #1904

Closed
opened 2026-03-03 02:13:15 +03:00 by kerem · 5 comments

Originally created by @khadanja on GitHub (Apr 16, 2024).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4505

Subject of the issue

Unable to login suddenly. Error shows expired authorization after approving Duo push

Deployment environment

Docker

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.5
  • Web-vault version: v2024.1.2b
  • OS/Arch: linux/aarch64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: false
  • Server/NTP Time Check: false
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.44.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: SIGNUPS_ALLOWED
SIGNUPS_ALLOWED=false

{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****************",
  "domain_origin": "*****://*****************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": "api-*********duosecurity.com",
  "duo_ikey": "************",
  "duo_skey": "***",
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "******************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • vaultwarden version:
  • Install method:
    Docker
  • Clients used:
    Web vault, Firefox extension, iOS
  • Reverse proxy and version:
    nginx proxy manager v2.11.1
  • MySQL/MariaDB or PostgreSQL version:
    N/A
  • Other relevant details:
    Was working fine until a few days ago

Steps to reproduce

Log in to vaultwarden using username & password, Send Duo Push, approve Duo push, error. Duo dashboard shows successful authentication.
Docker container

Expected behaviour

Log in successfully after Duo push approval

Actual behaviour

Expired Authorization error

Troubleshooting data

Container log-
[2024-04-16 01:02:40.781][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-04-16 01:02:52.779][request][INFO] POST /identity/connect/token
[2024-04-16 01:02:52.949][vaultwarden::api::core::two_factor::duo][ERROR] Expired authorization
[2024-04-16 01:02:52.949][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
Browser Response-
{"ErrorModel":{"Message":"Expired authorization","Object":"error"},"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null,"Message":"Expired authorization","Object":"error","ValidationErrors":{"":["Expired authorization"]},"error":"","error_description":""}

kerem closed this issue 2026-03-03 02:13:15 +03:00

@spyhunter493 commented on GitHub (Apr 16, 2024):

Your clocks are out of sync, "Browser/Server Time Check: false"

Sync your server host and your client computer time, and that should fix it


@khadanja commented on GitHub (Apr 16, 2024):

Time is off by 1 minute; it's always been like that. Not sure how to sync. Host has the correct NTP server assigned but still shows 1 minute forward. Host: Tue Apr 16 14:33:22 NZST 2024, Client: The current time is: 14:32:00.97. By the way, I can log in using other authentication methods; only Duo is the issue.


@Gerardv514 commented on GitHub (Apr 16, 2024):

What’s the ntp server that you’re using?


@khadanja commented on GitHub (Apr 16, 2024):

> What’s the ntp server that you’re using?

0.nz.pool.ntp.org. Host is RPi running OMV which I believe uses chrony. It was all working fine until a few days ago


@Gerardv514 commented on GitHub (Apr 16, 2024):

Can you try setting it to pool.ntp.org to see if the time offset is corrected?
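
Added example, not part of the issue thread and not Vaultwarden's or Duo's code: it shows how a server clock running ahead, as in the host and client readings quoted above, can turn a correctly signed and approved second-factor response into "Expired authorization". Assumptions: the token layout is simplified, the 60-second lifetime and the secret are constructed, the client reading is treated as the reference clock, and the 12-second approval delay is taken from the gap between the two log timestamps.

```python
import base64
import hashlib
import hmac
from datetime import datetime

SKEY = b"constructed-demo-secret"  # constructed value, not a real Duo key
VALIDITY = 60                      # assumed lifetime (seconds) of the signed response


def issue(user, issuer_now):
    """Issuer side: sign 'user|expire', with expire taken from the issuer's clock."""
    payload = f"{user}|{int(issuer_now) + VALIDITY}".encode()
    body = base64.b64encode(payload).decode()
    sig = hmac.new(SKEY, body.encode(), hashlib.sha1).hexdigest()
    return f"AUTH|{body}|{sig}"


def verify(token, server_now):
    """Server side: check the signature, then compare expiry with the server clock."""
    prefix, body, sig = token.split("|")
    expected = hmac.new(SKEY, body.encode(), hashlib.sha1).hexdigest()
    if prefix != "AUTH" or not hmac.compare_digest(sig, expected):
        return "Invalid signature"
    user, expire = base64.b64decode(body).decode().split("|")
    if int(server_now) >= int(expire):
        return "Expired authorization"
    return f"ok:{user}"


def skew_seconds(host_hms, reference_hms):
    """Offset of the host clock relative to a reference reading (same day)."""
    fmt = "%H:%M:%S"
    delta = datetime.strptime(host_hms, fmt) - datetime.strptime(reference_hms, fmt)
    return delta.total_seconds()


# Readings quoted in the thread (client reading truncated to whole seconds).
SKEW = skew_seconds("14:33:22", "14:32:00")


def login_result(skew, approve_delay=12, t0=1_713_229_360):
    """Token is issued at true time t0; the server checks it after the push
    is approved, reading a clock that is `skew` seconds ahead of true time."""
    token = issue("user", t0)
    return verify(token, t0 + approve_delay + skew)


if __name__ == "__main__":
    print("synced clock :", login_result(0))
    print(f"skew {SKEW:+.0f}s   :", login_result(SKEW))
```

The signature check passes in both cases, which matches the Duo dashboard reporting a successful authentication while the server still rejects the login.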
