Request guard Headers failed: "Invalid claim" and session expired directly after login #1646

Closed
opened 2026-02-05 01:24:35 +03:00 by OVERLORD · 1 comment
Originally created by @Marcel-Lambacher on GitHub (Jul 19, 2023).

Subject of the issue

When trying to log in to the web portal, I see for a split second the management page
and then get redirected to the login page due to HTTP 401.
I also see a notification banner that tells me that my session got expired.

The registration was successful but the login isn't working.

Deployment environment

  • vaultwarden version: 1.29.0
  • Install method: Docker image hosted within K8S

  • Clients used: Web Vault

  • Reverse proxy and version: Traefik

  • MySQL/MariaDB or PostgreSQL version: N/A

  • Other relevant details: hosted under vaultwarden.domain.com

Steps to reproduce

  1. Create a new account
  2. Login
  3. 401

Expected behaviour

Once I enter my credentials I should see my vault.

Actual behaviour

I don't see my vault and get redirected to the login page again.

Troubleshooting data

Container logs:

[2023-07-19 08:00:29.274][start][INFO] Rocket has launched from http://0.0.0.0:80
[2023-07-19 08:01:01.516][request][INFO] POST /identity/accounts/register
[2023-07-19 08:01:01.516][vaultwarden::api::core::accounts][ERROR] Registration not allowed or user already exists
[2023-07-19 08:01:01.516][response][INFO] (identity_register) POST /identity/accounts/register => 400 Bad Request
[2023-07-19 08:01:11.613][request][INFO] POST /identity/accounts/register
[2023-07-19 08:01:11.873][response][INFO] (identity_register) POST /identity/accounts/register => 200 OK
[2023-07-19 08:01:14.176][request][INFO] GET /api/devices/knowndevice
[2023-07-19 08:01:14.176][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2023-07-19 08:01:17.846][request][INFO] POST /identity/accounts/prelogin
[2023-07-19 08:01:17.847][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2023-07-19 08:01:18.278][request][INFO] POST /identity/connect/token
[2023-07-19 08:01:18.522][vaultwarden::api::identity][INFO] User <mail> logged in successfully. IP: 10.42.0.2
[2023-07-19 08:01:18.522][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-07-19 08:01:18.667][request][INFO] POST /identity/connect/token
[2023-07-19 08:01:18.669][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-07-19 08:01:18.724][request][INFO] GET /api/sync?excludeDomains=true
[2023-07-19 08:01:18.724][vaultwarden::auth][ERROR] Error decoding JWT
[2023-07-19 08:01:18.724][auth][ERROR] Unauthorized Error: Invalid claim
[2023-07-19 08:01:18.724][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
[2023-07-19 08:01:18.724][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized
[2023-07-19 08:01:18.773][request][INFO] GET /api/config
[2023-07-19 08:01:18.773][response][INFO] (config) GET /api/config => 200 OK
[2023-07-19 08:01:18.789][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2023-07-19 08:01:18.789][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 10.42.0.2
[2023-07-19 08:01:18.789][vaultwarden::auth][ERROR] Error decoding JWT
[2023-07-19 08:01:18.789][vaultwarden::api::notifications][ERROR] Invalid token
[2023-07-19 08:01:18.789][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 401 Unauthorized

JWT token:

{
  "nbf": 1689752439,
  "exp": 1689759639,
  "iss": "http://localhost|login",
  "sub": "f9b22c5c-c018-4550-a979-2f6cf6a6068b",
  "premium": true,
  "name": "<name>",
  "email": "<mail>",
  "email_verified": true,
  "orgowner": [],
  "orgadmin": [],
  "orguser": [],
  "orgmanager": [],
  "sstamp": "f91e9be4-15da-425a-af8c-95becc04870b",
  "device": "9df157ae-9cef-497e-8249-2bbd90ae14bf",
  "scope": [
    "api",
    "offline_access"
  ],
  "amr": [
    "Application"
  ]
}

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: onechart
    helm.sh/chart: onechart-0.50.0
  name: vaultwarden
  namespace: vaultwarden
spec:
  ingressClassName: traefik
  rules:
  - host: vaultwarden.domain.com
    http:
      paths:
      - backend:
          service:
            name: vaultwarden
            port:
              number: 80
        path: /
        pathType: Prefix

@BlackDex commented on GitHub (Jul 19, 2023):

You are probably running Vaultwarden with more than one pod. If that is the case, that isn't fully supported.
I think the reason is that you have two (or more) pods running, and both pods now have different RSA keys.
This key is used to generate and validate the JWT.

So, to solve this, you need to create a configmap or something which stores those key files and makes sure they are the same on all the pods.

Also, attachments and Send files could end up on different PVs when uploaded and could cause issues during downloading them.
So, you need to somehow create a shared storage for at least the attachments if you didn't do that already.

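As an added illustration of the cause described in the comment above (example code, not from the issue or from vaultwarden itself): two replicas that each generated their own RSA key on first start will mint RS256 tokens that verify on the issuing pod but fail on the other, even though every claim in the token is valid. The JWS construction is a minimal stand-alone one using only the Go standard library; the claim values are copied from the report, the key handling and function names are assumptions for this example and are not vaultwarden's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// must keeps the example short: the crypto calls below only fail on a broken random source.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signJWT produces a compact RS256 JWS over a JSON claims body, like the pod that handled the login.
func signJWT(priv *rsa.PrivateKey, claimsJSON string) string {
	enc := base64.RawURLEncoding
	input := enc.EncodeToString([]byte(`{"typ":"JWT","alg":"RS256"}`)) + "." + enc.EncodeToString([]byte(claimsJSON))
	digest := sha256.Sum256([]byte(input))
	sig := must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]))
	return input + "." + enc.EncodeToString(sig)
}

// verifyJWT checks the signature with the key the receiving pod holds; a key mismatch fails here,
// before any claim value is examined, which is why the decoded claims can look perfectly fine.
func verifyJWT(pub *rsa.PublicKey, token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// twoPods models two replicas with independently generated keys and reports whether a token
// minted by pod A verifies on pod A and on pod B.
func twoPods() (samePodOK, otherPodOK bool) {
	podA := must(rsa.GenerateKey(rand.Reader, 2048))
	podB := must(rsa.GenerateKey(rand.Reader, 2048))
	// Claims shaped like the token in the report (constructed values, not a live session).
	claims := `{"nbf":1689752439,"exp":1689759639,"iss":"http://localhost|login","sub":"f9b22c5c-c018-4550-a979-2f6cf6a6068b","scope":["api","offline_access"]}`
	token := signJWT(podA, claims)
	return verifyJWT(&podA.PublicKey, token), verifyJWT(&podB.PublicKey, token)
}
```

The same check applied to a real deployment is to compare the key material each replica is actually using; once all pods read one shared key, a token issued by any of them verifies on all of them.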
Reference: starred/vaultwarden#1646