[GH-ISSUE #560] 2FA - error on login #361

Closed
opened 2026-03-03 01:28:23 +03:00 by kerem · 23 comments

Originally created by @iurab on GitHub (Aug 7, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/560

With latest release I can not pass the 2FA security check. It just stays on that page.

In the log, the following error is reported:
[2019-08-07 13:06:54][bitwarden_rs::error][ERROR] JsonError. {"TwoFactorProviders":[0],"TwoFactorProviders2":{"0":null},"error":"invalid_grant","error_description":"Two factor required."}

kerem closed this issue 2026-03-03 01:28:23 +03:00

@dani-garcia commented on GitHub (Aug 8, 2019):

What two-factor provider are you using? Any error messages in the browser's console?


@iurab commented on GitHub (Aug 9, 2019):

I use the 2FA with Authenticator App.
When I pass the master password and arrive at /#/2FA url:

  • in the docker log the above entry appears
  • in the browser:
    POST https://xxx/identity/connect/token 400 zone.js:1152

@Ryonez commented on GitHub (Aug 13, 2019):

I'm having the same issue, though I'm getting a 504, Gateway Timeout.


@Ryonez commented on GitHub (Aug 15, 2019):

@dani-garcia

Just had a user whose Bitwarden Chrome extension got corrupted. They've repaired it, however because of the two-factor issue they can't sign back in with it.

Thankfully they have a valid login through the web portal, but I feel this issue needs to be escalated now.


@dani-garcia commented on GitHub (Aug 15, 2019):

The U2F problems are separate from this issue I think, usually caused by either an invalid DOMAIN configuration or certificates that aren't accepted.

The 504 errors sound more like a proxy issue, as far as I know.

I'd make sure that the time on both the client and the server is in sync when using TOTP authentication. If that fails, as a temporary measure you can remove the 2fa from the account by editing the database directly, but that can be prone to errors.

Sadly I won't be home until the 19 to test and possibly fix this. Is the bug just with the latest version? Can you go back to an old version to test again? (Make a backup before doing that, as going back in versions isn't supported)


@Ryonez commented on GitHub (Aug 15, 2019):

Testing on my end:

  • 504 Error
    As far as I can make out that's what the reverse proxy is returning (it manages the certs) as the bitwarden_rs container is timing out during the 'https://vault.alteria.xyz/identity/connect/token' POST

  • TOTP Time Sync
    Checking the time between the server, the bitwarden_rs container and my computer, the time is completely in sync.

As to if the bug is just in the latest version, I do not know. I've only recently found it after seeing this post and testing myself to confirm. Unfortunately this was still a problem when my user's chrome extension had issues.

This is also a live service on my end atm, I can't readily revert a version for testing without interrupting the service. Easiest way to check would be to spin up a new container with an older image to test, sorry.


@Ryonez commented on GitHub (Aug 15, 2019):

Wow, I found after writing that up that more was added to the logs around 10 mins later, and it looks related to the TOTP issue:

[2019-08-16 10:38:42][rocket::rocket][INFO] GET / text/html:
[2019-08-16 10:38:42][_][INFO] Matched: GET / (web_index)
[2019-08-16 10:38:42][_][INFO] Outcome: Success
[2019-08-16 10:38:42][_][INFO] Response succeeded.
[2019-08-16 10:38:43][rocket::rocket][INFO] GET /app/main.eff9c393dd1fb9ae5504.css text/css:
[2019-08-16 10:38:43][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:43][_][INFO] Outcome: Success
[2019-08-16 10:38:43][_][INFO] Response succeeded.
[2019-08-16 10:38:43][rocket::rocket][INFO] GET /images/logo-dark@2x.png image/webp:
[2019-08-16 10:38:43][rocket::rocket][INFO] GET /app/polyfills.eff9c393dd1fb9ae5504.js:
[2019-08-16 10:38:43][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:43][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:43][_][INFO] Outcome: Success
[2019-08-16 10:38:43][_][INFO] Outcome: Success
[2019-08-16 10:38:43][_][INFO] Response succeeded.
[2019-08-16 10:38:43][_][INFO] Response succeeded.
[2019-08-16 10:38:43][rocket::rocket][INFO] GET /app/vendor.eff9c393dd1fb9ae5504.js:
[2019-08-16 10:38:43][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:43][_][INFO] Outcome: Success
[2019-08-16 10:38:43][_][INFO] Response succeeded.
[2019-08-16 10:38:43][rocket::rocket][INFO] GET /app/main.eff9c393dd1fb9ae5504.js:
[2019-08-16 10:38:43][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:43][_][INFO] Outcome: Success
[2019-08-16 10:38:43][_][INFO] Response succeeded.
[2019-08-16 10:38:44][rocket::rocket][INFO] GET /fonts/Open_Sans-normal-400.woff application/font-woff2; q=1.0:
[2019-08-16 10:38:44][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:44][_][INFO] Outcome: Success
[2019-08-16 10:38:44][_][INFO] Response succeeded.
[2019-08-16 10:38:44][rocket::rocket][INFO] GET /fonts/fontawesome-webfont.woff2 application/font-woff2; q=1.0:
[2019-08-16 10:38:44][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:44][_][INFO] Outcome: Success
[2019-08-16 10:38:44][_][INFO] Response succeeded.
[2019-08-16 10:38:44][rocket::rocket][INFO] GET /fonts/Open_Sans-normal-400.woff application/font-woff2; q=1.0:
[2019-08-16 10:38:44][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:44][_][INFO] Outcome: Success
[2019-08-16 10:38:44][_][INFO] Response succeeded.
[2019-08-16 10:38:44][rocket::rocket][INFO] GET /fonts/fontawesome-webfont.woff2 application/font-woff2; q=1.0:
[2019-08-16 10:38:44][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:44][_][INFO] Outcome: Success
[2019-08-16 10:38:44][_][INFO] Response succeeded.
[2019-08-16 10:38:45][rocket::rocket][INFO] GET /images/icons/apple-touch-icon.png image/webp:
[2019-08-16 10:38:45][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:45][_][INFO] Outcome: Success
[2019-08-16 10:38:45][rocket::rocket][INFO] GET /images/icons/favicon-16x16.png image/webp:
[2019-08-16 10:38:45][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:45][_][INFO] Outcome: Success
[2019-08-16 10:38:45][_][INFO] Response succeeded.
[2019-08-16 10:38:45][_][INFO] Response succeeded.
[2019-08-16 10:38:47][rocket::rocket][INFO] GET /locales/en/messages.json?cache=zh7c6h:
[2019-08-16 10:38:47][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:47][_][INFO] Outcome: Success
[2019-08-16 10:38:47][_][INFO] Response succeeded.
[2019-08-16 10:38:48][rocket::rocket][INFO] GET /fonts/Open_Sans-normal-600.woff application/font-woff2; q=1.0:
[2019-08-16 10:38:48][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:48][_][INFO] Outcome: Success
[2019-08-16 10:38:48][_][INFO] Response succeeded.
[2019-08-16 10:39:01][rocket::rocket][INFO] POST /api/accounts/prelogin application/json; charset=utf-8:
[2019-08-16 10:39:01][_][INFO] Matched: POST /api/accounts/prelogin (prelogin)
[2019-08-16 10:39:01][rocket::rocket][INFO] POST /api/accounts/prelogin application/json; charset=utf-8:
[2019-08-16 10:39:01][_][INFO] Matched: POST /api/accounts/prelogin (prelogin)
[2019-08-16 10:39:01][_][INFO] Outcome: Success
[2019-08-16 10:39:01][_][INFO] Response succeeded.
[2019-08-16 10:39:02][rocket::rocket][INFO] POST /identity/connect/token application/x-www-form-urlencoded; charset=utf-8:
[2019-08-16 10:39:02][_][INFO] Matched: POST /identity/connect/token (login)
[2019-08-16 10:39:02][bitwarden_rs::error][ERROR] JsonError. {"TwoFactorProviders":[0],"TwoFactorProviders2":{"0":null},"error":"invalid_grant","error_description":"Two factor required."}
[2019-08-16 10:39:02][_][INFO] Outcome: Success
[2019-08-16 10:39:02][_][INFO] Response succeeded.
[2019-08-16 10:40:06][rocket::rocket][INFO] POST /identity/connect/token application/x-www-form-urlencoded; charset=utf-8:
[2019-08-16 10:40:06][_][INFO] Matched: POST /identity/connect/token (login)
[2019-08-16 10:41:06][rocket::rocket][INFO] GET /fonts/Open_Sans-normal-700.woff application/font-woff2; q=1.0:
[2019-08-16 10:41:06][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:41:06][_][INFO] Outcome: Success
[2019-08-16 10:41:06][_][INFO] Response succeeded.
[2019-08-16 10:51:48][rocket::rocket][INFO] GET /identity/connect/token:
[2019-08-16 10:51:48][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:51:48][_][ERROR] Response was a non-`Responder` `Err`: Os { code: 2, kind: NotFound, message: "No such file or directory" }.
[2019-08-16 10:51:48][_][INFO] Outcome: Failure
[2019-08-16 10:51:48][_][WARN] Responding with 500 Internal Server Error catcher.
[2019-08-16 10:51:48][_][INFO] Response succeeded.
[2019-08-16 10:51:49][rocket::rocket][INFO] GET /identity/connect/token:
[2019-08-16 10:51:49][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:51:49][_][ERROR] Response was a non-`Responder` `Err`: Os { code: 2, kind: NotFound, message: "No such file or directory" }.
[2019-08-16 10:51:49][_][INFO] Outcome: Failure
[2019-08-16 10:51:49][_][WARN] Responding with 500 Internal Server Error catcher.
[2019-08-16 10:51:49][_][INFO] Response succeeded.

@gstammw commented on GitHub (Aug 16, 2019):

> The U2F problems are separate from this issue I think, usually caused by either an invalid DOMAIN configuration or certificates that aren't accepted.

You are absolutely right.
I saw the same problem with bitwarden_rw 2.11.0 on a self-hosted installation:
Within the docker-container, there’s a file /web-vault/app-id.json:

root@89d7996a4efd:/web-vault# cat /web-vault/app-id.json
{
  "trustedFacets": [
    {
      "version": { "major": 1, "minor": 0 },
      "ids": [
        "https://vault.bitwarden.com",
        "ios:bundle-id:com.8bit.bitwarden",
        "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI"
      ]
    }
  ]
}
Within the docker container (docker exec -it bitwarden.service bash), I had to modify the url in that file and used
sed -i -e 's/vault.bitwarden.com/bitwarden.myhost.com/g' /web-vault/app-id.json
I should have read the instructions better, especially point 9 on modifying app-id.json (https://help.bitwarden.com/article/install-on-premise/#install-bitwarden).

Can you please review my update of the manual on the installation of bitwarden_rs in docker, specifically on enabling U2F (https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-U2F-authentication): it only mentions to set the DOMAIN value to a proper URL, but additional modification of the app-id.json file is required.
Maybe this gap derived from the bitwarden source itself, as several users reported it in the bitwarden forums (https://community.bitwarden.com/t/solved-u2f-in-chrome/4554/4).


@Ryonez commented on GitHub (Aug 21, 2019):

Any progress? This is kinda urgent, the user having issues is one I finally convinced to shift away from keypass.


@dani-garcia commented on GitHub (Aug 21, 2019):

@gstammw There's no need to modify that file, we serve the correct contents from here, instead of modifying the file: https://github.com/dani-garcia/bitwarden_rs/blob/d23d4f2c1dc0a1c41e91adfa69cfa30a7211126f/src/api/web.rs#L31-L47.

@Ryonez @iurab I've tried to debug this and it seems to work fine for me so I'm not sure where the failure comes from.

Two things:

  • The error [ERROR] JsonError. {"TwoFactorProviders":[0],"TwoFactorProvide ... is expected, that's how the server communicates to the clients that user and pass is not enough and the clients need a second factor. Try to see if there's any error after this one, or in the browser's console.

  • I've added in https://github.com/dani-garcia/bitwarden_rs/commit/026f9da035dcbf5ff12387600162841f94b47154 a button to the admin panel to remove the second factors from a specific user, if everything else fails, the admin can remove them to let the user log in.

I'll try to look into this more.

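A log-triage helper for the Rocket request log quoted in this thread, added here as an example and not code from bitwarden_rs/vaultwarden: it treats the `JsonError ... Two factor required` line as the expected 2FA challenge described above, and flags a `POST /identity/connect/token` that was matched to the `login` handler but never produced an `Outcome:` line, which is what the proxy-timeout reports look like on the server side. The sample lines are copied (abridged) from the log posted earlier in the thread; pairing lines to requests is a heuristic, since Rocket interleaves concurrent requests.

```python
"""Triage of bitwarden_rs (vaultwarden) Rocket request logs: pair each request
with its Matched/Outcome/ERROR lines, mark the 2FA challenge as expected,
and surface requests that never completed. Added example, not project code."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# One log line: [timestamp][target][LEVEL] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<target>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
# Request start from rocket::rocket: "POST /identity/connect/token <media type>:"
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+?)(?: (?P<fmt>.+?))?:$")
# Route match, e.g. "Matched: GET /<p..> [10] (web_files)"; only the handler is kept
MATCHED_RE = re.compile(r"^Matched: [A-Z]+ \S+(?: \[\d+\])? \((?P<handler>\w+)\)$")
OUTCOME_RE = re.compile(r"^Outcome: (?P<outcome>\w+)$")
# JsonError the login handler logs when password alone is not enough (expected)
TWO_FACTOR_RE = re.compile(r'"error":"invalid_grant".*"error_description":"Two factor required\."')


@dataclass
class Request:
    started: datetime
    method: str
    path: str
    handler: Optional[str] = None
    outcome: Optional[str] = None        # None: no Outcome line was ever logged
    two_factor_challenge: bool = False   # the expected 2FA prompt, not a failure
    errors: list = field(default_factory=list)

    def status(self) -> str:
        if self.outcome is None:
            return "hung"
        if self.two_factor_challenge and self.outcome == "Success":
            return "2fa_challenge"
        if self.outcome == "Success" and not self.errors:
            return "ok"
        return "failed"


def _pick(requests, ts, pred):
    """Newest request satisfying pred, preferring one started in the same log
    second. Rocket interleaves concurrent requests, so this is a heuristic."""
    cands = [r for r in requests if pred(r)]
    pool = [r for r in cands if r.started == ts] or cands
    return pool[-1] if pool else None


def parse_requests(lines):
    requests = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["msg"]
        if m["target"] == "rocket::rocket" and (rm := REQUEST_RE.match(msg)):
            requests.append(Request(ts, rm["method"], rm["path"]))
        elif mm := MATCHED_RE.match(msg):
            if r := _pick(requests, ts, lambda q: q.handler is None):
                r.handler = mm["handler"]
        elif om := OUTCOME_RE.match(msg):
            if r := _pick(requests, ts, lambda q: q.handler and q.outcome is None):
                r.outcome = om["outcome"]
        elif m["level"] == "ERROR":
            if r := _pick(requests, ts, lambda q: q.handler and q.outcome is None):
                if TWO_FACTOR_RE.search(msg):
                    r.two_factor_challenge = True
                else:
                    r.errors.append(msg)
    return requests


def hung_requests(requests):
    """Matched to a handler but never given an Outcome: the server-side trace
    of a login POST that the reverse proxy eventually reports as a 504."""
    return [r for r in requests if r.status() == "hung"]


def summarize(lines):
    return [(r.started.strftime("%H:%M:%S"), r.method, r.path, r.handler, r.status())
            for r in parse_requests(lines)]


# Sample input: lines copied (abridged) from the log posted earlier in this thread.
SAMPLE_LOG = """\
[2019-08-16 10:38:43][rocket::rocket][INFO] GET /images/logo-dark@2x.png image/webp:
[2019-08-16 10:38:43][rocket::rocket][INFO] GET /app/polyfills.eff9c393dd1fb9ae5504.js:
[2019-08-16 10:38:43][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:43][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:38:43][_][INFO] Outcome: Success
[2019-08-16 10:38:43][_][INFO] Outcome: Success
[2019-08-16 10:39:02][rocket::rocket][INFO] POST /identity/connect/token application/x-www-form-urlencoded; charset=utf-8:
[2019-08-16 10:39:02][_][INFO] Matched: POST /identity/connect/token (login)
[2019-08-16 10:39:02][bitwarden_rs::error][ERROR] JsonError. {"TwoFactorProviders":[0],"TwoFactorProviders2":{"0":null},"error":"invalid_grant","error_description":"Two factor required."}
[2019-08-16 10:39:02][_][INFO] Outcome: Success
[2019-08-16 10:40:06][rocket::rocket][INFO] POST /identity/connect/token application/x-www-form-urlencoded; charset=utf-8:
[2019-08-16 10:40:06][_][INFO] Matched: POST /identity/connect/token (login)
[2019-08-16 10:51:48][rocket::rocket][INFO] GET /identity/connect/token:
[2019-08-16 10:51:48][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-08-16 10:51:48][_][ERROR] Response was a non-`Responder` `Err`: Os { code: 2, kind: NotFound, message: "No such file or directory" }.
[2019-08-16 10:51:48][_][INFO] Outcome: Failure
[2019-08-16 10:51:48][_][WARN] Responding with 500 Internal Server Error catcher.
""".splitlines()
```

Running `summarize(SAMPLE_LOG)` marks the 10:39:02 login as `2fa_challenge`, the 10:40:06 login as `hung`, and the stray GET as `failed`; only the hung one is worth chasing.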

@Ryonez commented on GitHub (Aug 21, 2019):

Thank you.

Later on today I'll clone my instance's database and spin up another bitwardenrs container to step back through the versions to see if I can find a spot where it isn't an issue.

Regarding disabling a user's 2FA, will there be any adverse side effects?

About later errors, I did find some, they were posted above.


@dani-garcia commented on GitHub (Aug 21, 2019):

Yeah, it's basically the equivalent of logging in as a user and removing them one by one.

Hmm, I just saw the latest errors, and they don't make much sense, they are making a GET request to the login endpoint, when it should be a POST request:

[2019-08-16 10:51:48][rocket::rocket][INFO] GET /identity/connect/token:
[2019-08-16 10:51:48][_][INFO] Matched: GET /<p..> [10] (web_files)

In fact I just checked the web vault code, and they only make POST requests to that endpoint, so no idea what could be causing that ¯\_(ツ)_/¯


@Ryonez commented on GitHub (Aug 21, 2019):

Alrighty. I'll disable this user's 2fa for now, then clone, do some testing later and get back to you with the results.


@Ryonez commented on GitHub (Aug 21, 2019):

Okay.

To start with, the issue isn't with TOTP itself, it's somewhere else in the code.

Dropping back to version 1.9.0 breaks login completely. It'll say I have an incorrect username/password, doesn't even get to the TOTP stage.

Going back to my main instance, I disabled TOTP, then re-enabled it. This hasn't helped.
Interesting notes:

  • Giving the wrong TOTP code does make the page say you have an invalid code.
  • NEW ISSUE, DISABLING TOTP JUST MAKES THE PROBLEM HAPPEN AFTER CLICKING LOGIN (after entering your username and password)
  • I tested a copy without the reverse proxy. A direct connection to the container results in the Continue button spinning forever. Of course the reverse proxy won't take this and returns a timeout so a client can continue on. Refreshing the page causes a network error message to pop up briefly.
  • Giving the right code results in the page saying an unexpected error occurred. The POST result is below (this is with the reverse proxy enabled):
05:23:40.712 XHR POST https://vault.alteria.xyz/identity/connect/token
[HTTP/2.0 504 Gateway Timeout 60008ms]

Request URL: https://vault.alteria.xyz/identity/connect/token
Request method: POST
Remote address: XXX.XXX.XXX.XXX:443
Status code: 504
Version: HTTP/2.0

Response headers (230 B), raw headers:
content-length: 167
content-type: text/html
date: Wed, 21 Aug 2019 17:24:39 GMT
server: nginx/1.16.1
strict-transport-security: max-age=63072000; includeSubDomains; preload
X-Firefox-Spdy: h2

Request headers (451 B), raw headers:
Accept: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 304
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Device-Type: 10
Host: vault.alteria.xyz
Origin: https://vault.alteria.xyz
Referer: https://vault.alteria.xyz/
TE: Trailers
User-Agent: Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/68.0

@Ryonez commented on GitHub (Aug 31, 2019):

Figured it out on my end:

Postmortem

Fault:
> At some point users became unable to login.

Cause:
> An email variable was incorrect and caused the email component to silently error. This caused the logins and anything that's related to having an email sent to time out or fail. Some time ago I changed the email config to use SSL instead of STARTTLS. I was unaware the changes failed, and by the time the consequences became apparent I'd forgotten about the change.

There don't seem to be many checks if the email system fails. It'll either time out or return unknown errors. And it's present all the way back to version 1.8.0.
There also isn't any error posted to the logs, which made diagnosing this much harder. I'd recommend popping something in so it goes into the log at least.
@dani-garcia

For @iurab, check your email settings are valid!


@Ryonez commented on GitHub (Aug 31, 2019):

(screenshot: https://user-images.githubusercontent.com/16157130/64057617-39e04000-cbf3-11e9-8454-433644512486.png)

Looks like this may have been the cause. New setting for me, but wasn't disabled by default.

In fact that whole section of the admin page only started working once I fixed the email settings.


@sgabe commented on GitHub (Sep 24, 2019):

I just ran into this issue as well. I was able to login again after I removed the e-mail configuration.


@Ryonez commented on GitHub (Sep 25, 2019):

@dani-garcia We may have found the cause.


@Ryonez commented on GitHub (Oct 5, 2020):

Was this looked at for solutions to prevent this in the future?


@BlackDex commented on GitHub (Oct 5, 2020):

Well, it should already be false by default, so I don't know how we can improve this any further.
Since it does state that if the e-mail fails, the login fails, so that will be the consequence of having that checkbox enabled.


@Ryonez commented on GitHub (Oct 5, 2020):

Looking up above, one of the problems was that the email component was silently failing.
Having that would be an improvement for those who wish to enable email configuration.
If that has been changed, all good, just there's no commit or comment about that change here if it's happened.


@BlackDex commented on GitHub (Oct 5, 2020):

Well a lot has been changed regarding email handling.
So, if sending fails you should receive an error, or at least in the bitwarden.log file. If you still have a specific scenario where this isn't the case we can try to fix them of course.

If you have some cases we can reopen this of course.


@Ryonez commented on GitHub (Oct 5, 2020):

Sweet as, thank you for responding.
