[GH-ISSUE #6341] Cannot login on Android with Duo 2FA activated #2409

Closed
opened 2026-03-03 02:18:03 +03:00 by kerem · 7 comments

Originally created by @esackbauer on GitHub (Oct 5, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6341

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3
  • Web-vault version: v2025.7.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Config:

{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*******************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "***************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Sophos Firewall

Host/Server Operating System

Linux

Operating System Version

Debian 12

Clients

Android

Client Version

2025.9.0

Steps To Reproduce

  1. Install app
  2. Enter homeserver and email address
  3. Enter master password
  4. Duo will be displayed; after "continue", Duo will be invoked and you need to confirm the login in Duo.
  5. The pop up window in the browser still shows "Bitwarden" and a dotted circle which spins forever.

Expected Result

Pop up browser window will disappear (or message that window can be closed) and Bitwarden will open the vault

Actual Result

browser window showing spinning dots forever

Logs

/--------------------------------------------------------------------\
|                        Starting Vaultwarden                        |
|                           Version 1.34.3                           |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://github.com/dani-garcia/vaultwarden/discussions or        |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/
[INFO] Using saved config from `data/config.json` for configuration.
[2025-10-05 10:26:06.077][start][INFO] Rocket has launched from http://0.0.0.0:80
[2025-10-05 10:27:57.843][request][INFO] POST /identity/accounts/prelogin
[2025-10-05 10:27:57.845][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2025-10-05 10:27:58.367][request][INFO] POST /identity/connect/token
[2025-10-05 10:27:59.239][error][ERROR] 2FA token not provided
[2025-10-05 10:27:59.239][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Screenshots or Videos

No response

Additional Context

It seems from the logs that immediately after Duo 2FA is invoked, it is assumed that an invalid token was presented. I had the chance to allow the login in the Duo app after a couple of seconds, so that error must have happened before that:

[2025-10-05 10:27:58.367][request][INFO] POST /identity/connect/token
[2025-10-05 10:27:59.239][error][ERROR] 2FA token not provided

No errors on the reverse proxy log from Sophos Firewall.
Tested with Brave Browser and Chrome on Android device.
Nothing was changed on Duo or reverse proxy side, it was working with a former Bitwarden/Vaultwarden version. Did not login for a long time.
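
An added example, not part of the original issue or of the Vaultwarden code base: a small Python triage script that parses the log format shown under Logs and measures how many milliseconds after each request its error and response lines were written, which is the timing argument made under Additional Context. Attributing an ERROR line to the most recently opened request is an assumption that holds for a single-user log like this one; the function names are made up for illustration.

```python
import re
from datetime import datetime, timedelta

# Log lines copied verbatim from the "Logs" section of the issue.
SAMPLE_LOG = """\
[2025-10-05 10:27:57.843][request][INFO] POST /identity/accounts/prelogin
[2025-10-05 10:27:57.845][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2025-10-05 10:27:58.367][request][INFO] POST /identity/connect/token
[2025-10-05 10:27:59.239][error][ERROR] 2FA token not provided
[2025-10-05 10:27:59.239][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<target>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
RESPONSE_RE = re.compile(r"^\([^)]*\) (?P<request>[A-Z]+ \S+) => (?P<status>\d{3})")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # parses output of log_timestamp_format "%Y-%m-%d %H:%M:%S.%3f"
MS = timedelta(milliseconds=1)


def parse_line(line):
    """Return a dict for a '[timestamp][target][LEVEL] message' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # startup banner, blank lines, '[INFO] Using saved config ...'
    try:
        ts = datetime.strptime(m["ts"], TS_FORMAT)
    except ValueError:
        return None
    return {"ts": ts, "target": m["target"], "level": m["level"], "msg": m["msg"]}


def correlate(log_text):
    """Pair each request with its response; offsets are ms since the request line."""
    open_exchanges, done = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["target"] == "request":
            open_exchanges.append({"request": rec["msg"], "start": rec["ts"], "errors": []})
        elif rec["level"] == "ERROR" and open_exchanges:
            # Assumption: the error belongs to the most recently opened request.
            ex = open_exchanges[-1]
            ex["errors"].append(((rec["ts"] - ex["start"]) // MS, rec["msg"]))
        elif rec["target"] == "response":
            m = RESPONSE_RE.match(rec["msg"])
            ex = next((e for e in open_exchanges if m and e["request"] == m["request"]), None)
            if ex is None:
                continue
            open_exchanges.remove(ex)
            ex["status"] = int(m["status"])
            ex["elapsed_ms"] = (rec["ts"] - ex["start"]) // MS
            done.append(ex)
    return done


def failed_token_exchanges(exchanges):
    """Token requests that ended in a 4xx/5xx, with the errors logged for them."""
    return [e for e in exchanges
            if e["request"] == "POST /identity/connect/token" and e["status"] >= 400]


if __name__ == "__main__":
    for e in failed_token_exchanges(correlate(SAMPLE_LOG)):
        print(e["request"], e["status"], f'{e["elapsed_ms"]} ms', e["errors"])
```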


@BlackDex commented on GitHub (Oct 5, 2025):

I'm not sure if this is an issue with Vaultwarden itself. Bitwarden Hosted seems to have the exact same issue. After successful authentication via DUO it redirects you to a page on the host, and that tries to open something like bitwarden://duo-callback but that seems to be blocked for some reason.


@BlackDex commented on GitHub (Oct 5, 2025):

Looking at this, it seems like it is a Chrome (or Chromium-based browsers) issue.
They block these kinds of auto redirects. Bitwarden probably needs to create a button for a user to click on.


@alexschomb commented on GitHub (Oct 7, 2025):

The issue suddenly happens in one of my Vaultwarden installations as well - without any changes to the installation. I can't log in to Vaultwarden via Firefox, Chrome and Edge. The login with the browser extensions is not working either.

The server log shows:

POST /identity/connect/token => 400 Bad Request

The error popup in the browser or browser extensions (and browser console) says:

Duo health check failed, got OK-like body with stat FAIL

What really confuses me is that in a very similar Vaultwarden instance (same version, same settings concerning Duo) the Duo login (to a different Duo organization) just works without error. Is there any way I can help to debug the issue?


@alexschomb commented on GitHub (Oct 8, 2025):

Sorry, please disregard my comment. Turns out that the time of the server was not in sync.


@danktankk commented on GitHub (Nov 6, 2025):

I am having the same issue on edge browser and I am not having any time sync issues between server and client.


@esackbauer commented on GitHub (Nov 7, 2025):

> I am having the same issue on edge browser and I am not having any time sync issues between server and client.

Edge is also a Chromium-based browser. They all have that issue.


@BlackDex commented on GitHub (Dec 20, 2025):

I'm not able to reproduce this anymore using testing with the v2025.12.0 web-vault.
It might be a fix in the web-vault, or in the browser/OS level in some way.

The v2025.12.0 isn't yet in the testing container, so if that is the fix you need to wait.
Though, for me it also works on v2025.10.1.

Since this isn't something this project can change anyway, and it seems to be fixed for me (While being broken first), I'm going to close this as solved.
