[GH-ISSUE #861] Not prompted for 2FA with duo #611

New issue

Closed

opened 2026-03-03 02:01:19 +03:00 by kerem · 10 comments

kerem commented 2026-03-03 02:01:19 +03:00

Owner

Copy link

Originally created by @deja-geek on GitHub (Feb 13, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/861

Subject of the issue

Enabled Duo 2FA. Logging in shows a DUO box briefly with "Logging you in..".

Your environment

• Bitwarden_rs version: 1.13.1-8867626d
• Install method: Docker Image
• Clients used: Web
  Other info:
  *DUO is configured to use YubiKey for the token

Steps to reproduce

Configured DUO info in the ADMIN page and in the docker-compose.yml file

Expected behaviour

Be prompted to enter token

Actual behaviour

Not prompted to enter token, logged in successfully

Relevant logs

Snippet of log file when logging in:
[2020-02-13 15:41:22][request][INFO] POST /api/accounts/prelogin
[2020-02-13 15:41:22][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2020-02-13 15:41:23][request][INFO] POST /identity/connect/token
[2020-02-13 15:41:23][error][ERROR] 2FA token not provided
[2020-02-13 15:41:23][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
[2020-02-13 15:41:24][request][INFO] POST /identity/connect/token
[2020-02-13 15:41:24][bitwarden_rs::api::identity][INFO] User xxxx@xxxxxxxxx.com logged in successfully. IP: XXX.XXX.XXX.XXX
[2020-02-13 15:41:24][response][INFO] POST /identity/connect/token (login) => 200 OK
[2020-02-13 15:41:24][request][INFO] POST /notifications/hub/negotiate
[2020-02-13 15:41:24][response][INFO] POST /notifications/hub/negotiate (negotiate) => 200 OK
[2020-02-13 15:41:24][request][INFO] GET /api/sync?excludeDomains=true
[2020-02-13 15:41:24][response][INFO] GET /api/sync?<data..> (sync) => 200 OK

Originally created by @deja-geek on GitHub (Feb 13, 2020). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/861 ### Subject of the issue Enabled Duo 2FA. Logging in shows a DUO box briefly with "Logging you in..". ### Your environment * Bitwarden_rs version: 1.13.1-8867626d * Install method: Docker Image * Clients used: Web Other info: *DUO is configured to use YubiKey for the token ### Steps to reproduce Configured DUO info in the ADMIN page and in the docker-compose.yml file ### Expected behaviour Be prompted to enter token ### Actual behaviour Not prompted to enter token, logged in successfully ### Relevant logs Snippet of log file when logging in: [2020-02-13 15:41:22][request][INFO] POST /api/accounts/prelogin [2020-02-13 15:41:22][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK [2020-02-13 15:41:23][request][INFO] POST /identity/connect/token [2020-02-13 15:41:23][error][ERROR] 2FA token not provided [2020-02-13 15:41:23][response][INFO] POST /identity/connect/token (login) => 400 Bad Request [2020-02-13 15:41:24][request][INFO] POST /identity/connect/token [2020-02-13 15:41:24][bitwarden_rs::api::identity][INFO] User xxxx@xxxxxxxxx.com logged in successfully. IP: XXX.XXX.XXX.XXX [2020-02-13 15:41:24][response][INFO] POST /identity/connect/token (login) => 200 OK [2020-02-13 15:41:24][request][INFO] POST /notifications/hub/negotiate [2020-02-13 15:41:24][response][INFO] POST /notifications/hub/negotiate (negotiate) => 200 OK [2020-02-13 15:41:24][request][INFO] GET /api/sync?excludeDomains=true [2020-02-13 15:41:24][response][INFO] GET /api/sync?<data..> (sync) => 200 OK

kerem 2026-03-03 02:01:19 +03:00

• closed this issue
• added the
  enhancement
  documentation
  troubleshooting
  labels

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@subhamagr commented on GitHub (Jul 21, 2020):

Any update on this issue? I am facing the same issue. I deployed a bitwarden_rs instance using the latest bitwardenrs/server-postgresql image.

My DUO is configured to use Duo Push and TOTP.

Bitwarden_RS Access logs:

bitwarde_rs           | [2020-07-21 12:57:55][ws::io][INFO] Accepted a new tcp connection from 172.25.0.1:40358.
bitwarde_rs           | [2020-07-21 13:00:27][request][INFO] POST /api/accounts/prelogin
bitwarde_rs           | [2020-07-21 13:00:27][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
bitwarde_rs           | [2020-07-21 13:00:28][request][INFO] POST /identity/connect/token
bitwarde_rs           | [2020-07-21 13:00:31][bitwarden_rs::api::identity][INFO] User XXXXX@XXXX.XXX logged in successfully. IP: 1.1.1.1
bitwarde_rs           | [2020-07-21 13:00:31][response][INFO] POST /identity/connect/token (login) => 200 OK
bitwarde_rs           | [2020-07-21 13:00:32][request][INFO] GET /api/sync?excludeDomains=true
bitwarde_rs           | [2020-07-21 13:00:32][response][INFO] GET /api/sync?<data..> (sync) => 200 OK

<!-- gh-comment-id:661847521 --> @subhamagr commented on GitHub (Jul 21, 2020): Any update on this issue? I am facing the same issue. I deployed a bitwarden_rs instance using the latest `bitwardenrs/server-postgresql` image. My DUO is configured to use Duo Push and TOTP. Bitwarden_RS Access logs: ``` bitwarde_rs | [2020-07-21 12:57:55][ws::io][INFO] Accepted a new tcp connection from 172.25.0.1:40358. bitwarde_rs | [2020-07-21 13:00:27][request][INFO] POST /api/accounts/prelogin bitwarde_rs | [2020-07-21 13:00:27][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK bitwarde_rs | [2020-07-21 13:00:28][request][INFO] POST /identity/connect/token bitwarde_rs | [2020-07-21 13:00:31][bitwarden_rs::api::identity][INFO] User XXXXX@XXXX.XXX logged in successfully. IP: 1.1.1.1 bitwarde_rs | [2020-07-21 13:00:31][response][INFO] POST /identity/connect/token (login) => 200 OK bitwarde_rs | [2020-07-21 13:00:32][request][INFO] GET /api/sync?excludeDomains=true bitwarde_rs | [2020-07-21 13:00:32][response][INFO] GET /api/sync?<data..> (sync) => 200 OK ```

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@subhamagr commented on GitHub (Jul 21, 2020):

Found the solution. According to the guide here - The steps to enable DUO globally are:

• Set the correct environment variables
• Login with the user credentials (first time without Duo prompt) and then visit https://bitwarden.yourdomain.com/#/settings/two-factor and then enable DUO manually with the DUO config values pre-filled by global settings something like this:

Just click "Enable" and your DUO is setup correctly. I guess you would need to do this for each and every user manually.

I really feel that there must be a Wiki page for DUO as well!

<!-- gh-comment-id:661857842 --> @subhamagr commented on GitHub (Jul 21, 2020): Found the solution. According to the guide [here](https://github.com/dani-garcia/bitwarden_rs/blob/master/.env.template#L151) - The steps to enable DUO globally are: - Set the correct environment variables - Login with the user credentials (first time without Duo prompt) and then visit https://bitwarden.yourdomain.com/#/settings/two-factor and then enable DUO manually with the DUO config values pre-filled by global settings something like this: <img width="502" alt="image" src="https://user-images.githubusercontent.com/7915409/88059603-b7ea6400-cb82-11ea-8e17-83841f77d56f.png"> Just click "Enable" and your DUO is setup correctly. I guess you would need to do this for each and every user manually. I really feel that there must be a Wiki page for DUO as well!

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@Malakii commented on GitHub (Sep 11, 2020):

@subhamagr Could you share your docker-compose? I've configured the Integration Key, Secret Key, and API Hostname in my docker-compose and on the admin page, yet I'm not getting a Duo prompt on login.

<!-- gh-comment-id:691264182 --> @Malakii commented on GitHub (Sep 11, 2020): @subhamagr Could you share your docker-compose? I've configured the Integration Key, Secret Key, and API Hostname in my docker-compose and on the admin page, yet I'm not getting a Duo prompt on login.

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@subhamagr commented on GitHub (Sep 12, 2020):

Yup. like I mentioned above:

Login with the user credentials (first time without Duo prompt) and then visit https://bitwarden.yourdomain.com/#/settings/two-factor and then enable DUO manually with the DUO config values pre-filled by global settings.

You need to manually enable DUO for each and every user.
Let me know if you still face the issue.

<!-- gh-comment-id:691369495 --> @subhamagr commented on GitHub (Sep 12, 2020): Yup. like I mentioned above: > Login with the user credentials (first time without Duo prompt) and then visit https://bitwarden.yourdomain.com/#/settings/two-factor and then enable DUO manually with the DUO config values pre-filled by global settings. You need to manually enable DUO for each and every user. Let me know if you still face the issue.

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@misilot commented on GitHub (Oct 14, 2020):

Is there a way to enable Duo for the users globally? Or a way to do it on the back end, so the user does not have to complete this extra step? Since Duo can be setup to bypass users who are not enrolled in user automatically?

<!-- gh-comment-id:708392391 --> @misilot commented on GitHub (Oct 14, 2020): Is there a way to enable Duo for the users globally? Or a way to do it on the back end, so the user does not have to complete this extra step? Since Duo can be setup to bypass users who are not enrolled in user automatically?

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@chielos24 commented on GitHub (Feb 5, 2021):

I tried this too. Running from a docker on a Unraid box.
Added a bitwarden application in duo.
Added a user with the same username/emailadress, and added 2fa.
Enabled DUO and set the settings via variables, and edited them on the /admin page on bitwarden.
Enabled on the use as described above '<global_secret>'

Still no prompt.

In DUO i see that the "Universal Prompt progress" hangs at "Waiting on App Provider". No idea to go forward.

Edit:
Seems to work now! Outside of my network it works, inside it probably skips the 2FA, which is fine!

<!-- gh-comment-id:773958206 --> @chielos24 commented on GitHub (Feb 5, 2021): I tried this too. Running from a docker on a Unraid box. Added a bitwarden application in duo. Added a user with the same username/emailadress, and added 2fa. Enabled DUO and set the settings via variables, and edited them on the /admin page on bitwarden. Enabled on the use as described above '<global_secret>' Still no prompt. In DUO i see that the "Universal Prompt progress" hangs at "Waiting on App Provider". No idea to go forward. Edit: Seems to work now! Outside of my network it works, inside it probably skips the 2FA, which is fine!

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@bryanjhv commented on GitHub (Feb 9, 2021):

I haven't tested it but... wouldn't this work?

# Taken from https://github.com/davidjameshowell/bitwarden_rs_heroku/blob/819e8829a0/bitwarden_rs_heroku.sh#L67-L71
sed -i 's/_enable_duo:            bool,   true,   def,     false;/_enable_duo:            bool,   true,   def,     true;/g' src/config.rs

Of course you would need to rebuild the Docker image instead of using the one on DockerHub, which shouldn't be hard to do so.

<!-- gh-comment-id:776203800 --> @bryanjhv commented on GitHub (Feb 9, 2021): I haven't tested it but... wouldn't this work? ```bash # Taken from https://github.com/davidjameshowell/bitwarden_rs_heroku/blob/819e8829a0/bitwarden_rs_heroku.sh#L67-L71 sed -i 's/_enable_duo: bool, true, def, false;/_enable_duo: bool, true, def, true;/g' src/config.rs ``` Of course you would need to rebuild the Docker image instead of using the one on DockerHub, which shouldn't be hard to do so.

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Feb 9, 2021):

If that would/could work. Then you can just add -e _ENABLE_DUO=true instead of doing sed and other magical ✨ stuff.

<!-- gh-comment-id:776225183 --> @BlackDex commented on GitHub (Feb 9, 2021): If that would/could work. Then you can just add `-e _ENABLE_DUO=true` instead of doing sed and other magical ✨ stuff.

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@misilot commented on GitHub (Feb 9, 2021):

Well looking at the Admin Panel, _ENABLE_DUO=true is enabled by default, so I am not sure what this would do?

I still had to go and enable Duo on the user level, I did add it to my docker-compose file, but it does say that I have to modify that in the Admin panel since it uses a config file and not environmental files.

<!-- gh-comment-id:776233365 --> @misilot commented on GitHub (Feb 9, 2021): Well looking at the Admin Panel, _ENABLE_DUO=true is enabled by default, so I am not sure what this would do?  I still had to go and enable Duo on the user level, I did add it to my docker-compose file, but it does say that I have to modify that in the Admin panel since it uses a config file and not environmental files.

kerem commented 2026-03-03 02:01:21 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Jun 21, 2021):

@deja-geek, is this currently still an issue? Are things different with a newer version?
Can we close/convert-2-discussion this item?

<!-- gh-comment-id:865291391 --> @BlackDex commented on GitHub (Jun 21, 2021): @deja-geek, is this currently still an issue? Are things different with a newer version? Can we close/convert-2-discussion this item?

kerem referenced this issue 2026-03-03 08:53:01 +03:00

[PR #666] [MERGED] Fix 2FA email not sending #2774

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#611

No description provided.