[GH-ISSUE #861] Not prompted for 2FA with duo #611

Closed
opened 2026-03-03 02:01:19 +03:00 by kerem · 10 comments

Originally created by @deja-geek on GitHub (Feb 13, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/861

Subject of the issue

Enabled Duo 2FA. Logging in shows a DUO box briefly with "Logging you in..".

Your environment

  • Bitwarden_rs version: 1.13.1-8867626d
  • Install method: Docker Image
  • Clients used: Web
    Other info:
  • DUO is configured to use YubiKey for the token

Steps to reproduce

Configured DUO info in the ADMIN page and in the docker-compose.yml file

Expected behaviour

Be prompted to enter token

Actual behaviour

Not prompted to enter token, logged in successfully

Relevant logs

Snippet of log file when logging in:
```
[2020-02-13 15:41:22][request][INFO] POST /api/accounts/prelogin
[2020-02-13 15:41:22][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2020-02-13 15:41:23][request][INFO] POST /identity/connect/token
[2020-02-13 15:41:23][error][ERROR] 2FA token not provided
[2020-02-13 15:41:23][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
[2020-02-13 15:41:24][request][INFO] POST /identity/connect/token
[2020-02-13 15:41:24][bitwarden_rs::api::identity][INFO] User xxxx@xxxxxxxxx.com logged in successfully. IP: XXX.XXX.XXX.XXX
[2020-02-13 15:41:24][response][INFO] POST /identity/connect/token (login) => 200 OK
[2020-02-13 15:41:24][request][INFO] POST /notifications/hub/negotiate
[2020-02-13 15:41:24][response][INFO] POST /notifications/hub/negotiate (negotiate) => 200 OK
[2020-02-13 15:41:24][request][INFO] GET /api/sync?excludeDomains=true
[2020-02-13 15:41:24][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
```


@subhamagr commented on GitHub (Jul 21, 2020):

Any update on this issue? I am facing the same issue. I deployed a bitwarden_rs instance using the latest `bitwardenrs/server-postgresql` image.

My DUO is configured to use Duo Push and TOTP.

Bitwarden_RS Access logs:

```
bitwarde_rs           | [2020-07-21 12:57:55][ws::io][INFO] Accepted a new tcp connection from 172.25.0.1:40358.
bitwarde_rs           | [2020-07-21 13:00:27][request][INFO] POST /api/accounts/prelogin
bitwarde_rs           | [2020-07-21 13:00:27][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
bitwarde_rs           | [2020-07-21 13:00:28][request][INFO] POST /identity/connect/token
bitwarde_rs           | [2020-07-21 13:00:31][bitwarden_rs::api::identity][INFO] User XXXXX@XXXX.XXX logged in successfully. IP: 1.1.1.1
bitwarde_rs           | [2020-07-21 13:00:31][response][INFO] POST /identity/connect/token (login) => 200 OK
bitwarde_rs           | [2020-07-21 13:00:32][request][INFO] GET /api/sync?excludeDomains=true
bitwarde_rs           | [2020-07-21 13:00:32][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
```



@subhamagr commented on GitHub (Jul 21, 2020):

Found the solution. According to the guide [here](https://github.com/dani-garcia/bitwarden_rs/blob/master/.env.template#L151) - The steps to enable DUO globally are:

  • Set the correct environment variables
  • Log in with the user credentials (first time without Duo prompt) and then visit https://bitwarden.yourdomain.com/#/settings/two-factor and then enable DUO manually with the DUO config values pre-filled by global settings, something like this:

![image](https://user-images.githubusercontent.com/7915409/88059603-b7ea6400-cb82-11ea-8e17-83841f77d56f.png)

Just click "Enable" and your DUO is set up correctly. I guess you would need to do this for each and every user manually.

I really feel that there must be a Wiki page for DUO as well!
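
A log check for the two log shapes posted in this thread, as an added example that is not part of any comment or of the project's code: it lists successful logins that were not preceded by a `2FA token not provided` rejection, which is how an account without user-level Duo appears in the Jul 21, 2020 log. The sample lines, users and addresses are constructed, and the five-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Matches "[timestamp][target][LEVEL] message", with or without a
# docker-compose "container | " prefix in front of it.
LINE = re.compile(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]\[([^\]]+)\]\[(\w+)\] (.*)")
LOGIN = re.compile(r"User (\S+) logged in successfully\. IP: (\S+)")
CHALLENGE = "2FA token not provided"

def logins_without_challenge(lines, window=timedelta(minutes=5)):
    """Return (timestamp, user, ip) for each successful login that was not
    preceded, within `window` (an assumed value), by a 2FA rejection.

    The rejection line carries no user name, so matching is by time only;
    on a busy server treat hits as leads to confirm in the user's 2FA settings.
    """
    last_challenge = None
    findings = []
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(4)
        if CHALLENGE in msg:
            last_challenge = ts
            continue
        login = LOGIN.search(msg)
        if login:
            challenged = last_challenge is not None and ts - last_challenge <= window
            if not challenged:
                findings.append((m.group(1), login.group(1), login.group(2)))
            last_challenge = None  # one rejection accounts for one login
    return findings

# Constructed sample: both log shapes from this thread, placeholder users and IPs.
SAMPLE = """\
[2020-02-13 15:41:23][request][INFO] POST /identity/connect/token
[2020-02-13 15:41:23][error][ERROR] 2FA token not provided
[2020-02-13 15:41:23][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
[2020-02-13 15:41:24][bitwarden_rs::api::identity][INFO] User alice@example.com logged in successfully. IP: 192.0.2.10
bitwarde_rs  | [2020-07-21 13:00:28][request][INFO] POST /identity/connect/token
bitwarde_rs  | [2020-07-21 13:00:31][bitwarden_rs::api::identity][INFO] User bob@example.com logged in successfully. IP: 192.0.2.20
""".splitlines()

if __name__ == "__main__":
    for ts, user, ip in logins_without_challenge(SAMPLE):
        print(f"{ts} {user} from {ip}: no 2FA challenge before login")
```

A client that presents a remembered two-factor token may also log in without a rejection line, so a hit means "check this account's two-step login settings", not proof that 2FA is off.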


@Malakii commented on GitHub (Sep 11, 2020):

@subhamagr Could you share your docker-compose? I've configured the Integration Key, Secret Key, and API Hostname in my docker-compose and on the admin page, yet I'm not getting a Duo prompt on login.


@subhamagr commented on GitHub (Sep 12, 2020):

Yup. Like I mentioned above:

> Login with the user credentials (first time without Duo prompt) and then visit https://bitwarden.yourdomain.com/#/settings/two-factor and then enable DUO manually with the DUO config values pre-filled by global settings.

You need to manually enable DUO for each and every user.
Let me know if you still face the issue.


@misilot commented on GitHub (Oct 14, 2020):

Is there a way to enable Duo for the users globally? Or a way to do it on the back end, so the user does not have to complete this extra step? Since Duo can be set up to bypass users who are not enrolled in user automatically?


@chielos24 commented on GitHub (Feb 5, 2021):

I tried this too. Running from a docker on an Unraid box.
Added a bitwarden application in duo.
Added a user with the same username/email address, and added 2fa.
Enabled DUO and set the settings via variables, and edited them on the /admin page on bitwarden.
Enabled on the user as described above '<global_secret>'

Still no prompt.

In DUO I see that the "Universal Prompt progress" hangs at "Waiting on App Provider". No idea to go forward.

Edit:
Seems to work now! Outside of my network it works, inside it probably skips the 2FA, which is fine!


@bryanjhv commented on GitHub (Feb 9, 2021):

I haven't tested it but... wouldn't this work?

```bash
# Taken from https://github.com/davidjameshowell/bitwarden_rs_heroku/blob/819e8829a0/bitwarden_rs_heroku.sh#L67-L71
sed -i 's/_enable_duo:            bool,   true,   def,     false;/_enable_duo:            bool,   true,   def,     true;/g' src/config.rs
```

Of course you would need to rebuild the Docker image instead of using the one on DockerHub, which shouldn't be hard to do.


@BlackDex commented on GitHub (Feb 9, 2021):

If that would/could work. Then you can just add `-e _ENABLE_DUO=true` instead of doing sed and other magical ✨ stuff.


@misilot commented on GitHub (Feb 9, 2021):

Well looking at the Admin Panel, _ENABLE_DUO=true is enabled by default, so I am not sure what this would do?
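![image](https://user-images.githubusercontent.com/1446856/107426230-8ff22c00-6ae5-11eb-9572-34412161bbf1.png)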

I still had to go and enable Duo on the user level, I did add it to my docker-compose file, but it does say that I have to modify that in the Admin panel since it uses a config file and not environmental files.


@BlackDex commented on GitHub (Jun 21, 2021):

@deja-geek, is this currently still an issue? Are things different with a newer version?
Can we close/convert-2-discussion this item?
