2FA via Email or WebAuthn fails on new app #1962

Closed
opened 2026-02-05 02:22:05 +03:00 by OVERLORD · 13 comments
Owner

Originally created by @fabicodes on GitHub (Jul 8, 2024).

Subject of the issue

The new native app has problems with the 2FA methods Email and WebAuthn (via Yubikey)

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.5-fda77afc
  • Web-vault version: v2024.5.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.45.0
  • Clients used: New Native Beta on Android 15
  • Reverse proxy and version: nginx/1.24.0
  • Other relevant information:

Config (Generated via diagnostics page)


Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********",
  "domain_origin": "*****://**********",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 524288,
  "org_creation_users": "***",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 500000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "**************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 180,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 524288,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "50791",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Steps to reproduce

Try to log in using the new native app on Android. First, select WebAuthn where your Yubikey is enrolled. Firefox starts and says it cannot find a passkey for that site, select Security Key via NFC and follow the steps. Then it'll ask you in which app to continue (native or old) - choose native - it'll fail.
Then try the Email 2FA method; it fails at creating the request to send it.

Expected behaviour

2FA works

Actual behaviour

2FA fails

Troubleshooting data

[2024-07-08 20:34:37.025][request][INFO] GET /api/accounts/revision-date
[2024-07-08 20:34:37.040][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2024-07-08 20:34:47.926][vaultwarden::api::notifications][INFO] Closing WS connection from my-ip-address
[2024-07-08 20:35:11.341][request][INFO] GET /api/config
[2024-07-08 20:35:11.349][response][INFO] (config) GET /api/config => 200 OK
[2024-07-08 20:36:17.878][request][INFO] GET /notifications/hub?access_token=access-token-was-here
[2024-07-08 20:36:17.878][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from my-ip-address
[2024-07-08 20:36:17.879][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2024-07-08 20:36:17.980][request][INFO] GET /api/accounts/revision-date
[2024-07-08 20:36:17.989][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2024-07-08 20:36:25.021][request][INFO] GET /api/devices/knowndevice
[2024-07-08 20:36:25.030][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-07-08 20:36:44.256][request][INFO] POST /identity/accounts/prelogin
[2024-07-08 20:36:44.271][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2024-07-08 20:36:44.565][request][INFO] POST /identity/connect/token
[2024-07-08 20:36:44.929][error][ERROR] 2FA token not provided
[2024-07-08 20:36:44.930][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-08 20:36:50.364][request][INFO] GET /api/config
[2024-07-08 20:36:50.364][response][INFO] (config) GET /api/config => 200 OK
[2024-07-08 20:37:18.907][request][INFO] POST /identity/connect/token
[2024-07-08 20:37:19.320][error][ERROR] Webauthn.
[CAUSE] InvalidRPIDHash
[2024-07-08 20:37:19.321][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-08 20:37:47.661][request][INFO] POST /identity/connect/token
[2024-07-08 20:37:48.212][vaultwarden::api::core::two_factor::webauthn][ERROR] Can't recover login challenge
[2024-07-08 20:37:48.213][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-08 20:38:04.028][request][INFO] POST /identity/connect/token
[2024-07-08 20:38:04.396][vaultwarden::api::core::two_factor::yubikey][ERROR] Invalid Yubikey OTP length
[2024-07-08 20:38:04.398][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-08 20:38:20.667][request][INFO] POST /api/two-factor/send-email-login
[2024-07-08 20:38:20.673][vaultwarden::api::core::two_factor::email::_][WARN] Data guard `Json < SendEmailLoginData >` failed: Parse("{\"DeviceIdentifier\":\"device-uuid-replacement\",\"Email\":\"my.email@address.com\",\"MasterPasswordHash\":\"master-password-hash-replacement"}", Error("missing field `email`", line: 1, column: 154)).
[2024-07-08 20:38:20.675][response][INFO] (send_email_login) POST /api/two-factor/send-email-login => 422 Unprocessable Entity
[2024-07-08 20:38:24.696][request][INFO] POST /api/two-factor/send-email-login
[2024-07-08 20:38:24.697][vaultwarden::api::core::two_factor::email::_][WARN] Data guard `Json < SendEmailLoginData >` failed: Parse("{\"DeviceIdentifier\":\"device-uuid-replacement\",\"Email\":\"my.email@address.com\",\"MasterPasswordHash\":\"master-password-hash-replacement"}", Error("missing field `email`", line: 1, column: 154)).
[2024-07-08 20:38:24.697][response][INFO] (send_email_login) POST /api/two-factor/send-email-login => 422 Unprocessable Entity
[2024-07-08 20:39:44.657][request][INFO] GET /api/config
[2024-07-08 20:39:44.657][response][INFO] (config) GET /api/config => 200 OK
[2024-07-08 20:40:31.589][vaultwarden::api::core::two_factor][INFO] User my.email@address.com did not complete a 2FA login within the configured time limit. IP: 46.223.163.248
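The `[CAUSE] InvalidRPIDHash` entry in the log above means the rpIdHash carried inside the authenticator data the app returned did not equal SHA-256 of the RP ID the server expects, so the assertion was made for a different site than the vault's configured domain. The following Python is an added example, not Vaultwarden's code: it performs that check on a constructed assertion and includes a diagnostic that reports which candidate RP ID the authenticator actually signed for. It assumes the server derives its RP ID from the host part of the configured `domain` setting; the domains used are constructed.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# authenticatorData layout (WebAuthn Level 2, section 6.1):
#   rpIdHash (32 bytes, SHA-256 of the RP ID) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    if len(data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthenticatorData(rp_id_hash=data[:32], flags=data[32], sign_count=sign_count)


def rp_id_from_domain(domain: str) -> str:
    # Assumption: the server uses the host of its configured origin (the "domain" setting)
    # as the RP ID. Scheme, port and path are never part of an RP ID.
    host = domain.split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def check_assertion(auth_data: bytes, configured_domain: str) -> Tuple[bool, str]:
    """The rpIdHash check a relying party performs on every WebAuthn assertion."""
    ad = parse_authenticator_data(auth_data)
    rp_id = rp_id_from_domain(configured_domain)
    expected = hashlib.sha256(rp_id.encode("ascii")).digest()
    if ad.rp_id_hash != expected:
        return False, f"InvalidRPIDHash: assertion was not made for RP ID {rp_id!r}"
    if not ad.flags & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, f"rpIdHash matches RP ID {rp_id!r} (signCount={ad.sign_count})"


def find_signed_rp_id(auth_data: bytes, candidates: Sequence[str]) -> Optional[str]:
    """Diagnostic: which candidate RP ID (proxy hostnames, parent domains, ...) the
    authenticator actually signed for. Returns None if none of them match."""
    ad = parse_authenticator_data(auth_data)
    for candidate in candidates:
        if hashlib.sha256(candidate.lower().encode("ascii")).digest() == ad.rp_id_hash:
            return candidate
    return None


def make_authenticator_data(rp_id: str, flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED,
                            sign_count: int = 1) -> bytes:
    """Constructed test vector: the bytes an authenticator emits for a given RP ID."""
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed scenario: the key asserted for "vault.example.com", the proxied vault hostname.
    assertion = make_authenticator_data("vault.example.com")
    print(check_assertion(assertion, "https://vault.example.com"))  # matches
    print(check_assertion(assertion, "https://example.com"))        # InvalidRPIDHash
    print(find_signed_rp_id(assertion, ["example.com", "vault.example.com"]))
```

When the check fails, compare the RP ID reported by `find_signed_rp_id` with the host in the server's `domain` setting and with whatever hostname the reverse proxy or the connector page presented to the browser.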
Author
Owner

@BlackDex commented on GitHub (Jul 8, 2024):

He is using the `testing` tagged version.

Author
Owner

@BlackDex commented on GitHub (Jul 8, 2024):

So, I did some testing myself. And for me it seems to work just fine, except for the Email part.
But both WebAuthn and FIDO work without any issues; tested this with a YubiKey 5C both via NFC and USB.

Email currently breaks, so that is an issue.

Have you tried the latest Bitwarden Beta app?
Here you can see the last build available at this time: https://github.com/bitwarden/android/actions/runs/9842735019

At the bottom there is a `com.x8bit.bitwarden.beta.apk` artifact which holds the latest Android beta build.
You might want to use that and see if that solves the issue regarding the YubiKey.

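The Email 2FA breakage confirmed above is visible in the issue's log: the data guard rejects a body whose keys are `DeviceIdentifier`, `Email` and `MasterPasswordHash` with `missing field \`email\``, because a serde-derived struct matches field names case-sensitively and the native app sends PascalCase keys. This added Python example (not Vaultwarden's code) reproduces that rejection with a strict parser and shows a tolerant one that accepts either spelling while refusing a body that carries both spellings of the same field. It assumes camelCase field names with `deviceIdentifier` optional; the body is constructed from the placeholder values in the log.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, Optional


class ParseError(ValueError):
    """Raised the way a failed request data guard rejects a body (HTTP 422)."""


@dataclass
class SendEmailLoginData:
    email: str
    master_password_hash: str
    device_identifier: Optional[str] = None


# Wire name the server expects -> attribute. Assumption: camelCase names, deviceIdentifier
# optional (the issue's log reports `email` as the first missing field).
REQUIRED = {"email": "email", "masterPasswordHash": "master_password_hash"}
OPTIONAL = {"deviceIdentifier": "device_identifier"}


def _load(body: str) -> Dict[str, Any]:
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ParseError(f"invalid JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise ParseError("expected a JSON object")
    return obj


def _validate(kwargs: Dict[str, Any]) -> SendEmailLoginData:
    for attr, value in kwargs.items():
        if value is not None and not isinstance(value, str):
            raise ParseError(f"field `{attr}` must be a string")
    if "@" not in kwargs["email"]:
        raise ParseError("field `email` is not an email address")
    return SendEmailLoginData(**kwargs)


def parse_strict(body: str) -> SendEmailLoginData:
    """Case-sensitive lookup, as a serde-derived struct without aliases does."""
    obj = _load(body)
    kwargs: Dict[str, Any] = {}
    for wire, attr in REQUIRED.items():
        if wire not in obj:
            raise ParseError(f"missing field `{wire}`")
        kwargs[attr] = obj[wire]
    for wire, attr in OPTIONAL.items():
        kwargs[attr] = obj.get(wire)
    return _validate(kwargs)


def parse_tolerant(body: str) -> SendEmailLoginData:
    """Accepts camelCase or PascalCase spellings of each key, but refuses a body that
    carries both spellings of one field so that two values cannot be smuggled in."""
    obj = _load(body)
    folded: Dict[str, Any] = {}
    for key, value in obj.items():
        if key.lower() in folded:
            raise ParseError(f"duplicate field `{key}` (case-insensitive)")
        folded[key.lower()] = value
    kwargs: Dict[str, Any] = {}
    for wire, attr in REQUIRED.items():
        if wire.lower() not in folded:
            raise ParseError(f"missing field `{wire}`")
        kwargs[attr] = folded[wire.lower()]
    for wire, attr in OPTIONAL.items():
        kwargs[attr] = folded.get(wire.lower())
    return _validate(kwargs)


# Constructed request bodies, modelled on the one quoted in the issue's log (placeholder values).
PASCAL_BODY = json.dumps({
    "DeviceIdentifier": "device-uuid-replacement",
    "Email": "my.email@address.com",
    "MasterPasswordHash": "master-password-hash-replacement",
})
CAMEL_BODY = json.dumps({
    "deviceIdentifier": "device-uuid-replacement",
    "email": "my.email@address.com",
    "masterPasswordHash": "master-password-hash-replacement",
})

if __name__ == "__main__":
    try:
        parse_strict(PASCAL_BODY)
    except ParseError as exc:
        print("strict:", exc)          # missing field `email`, as in the log
    print("tolerant:", parse_tolerant(PASCAL_BODY))
```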
Author
Owner

@fabicodes commented on GitHub (Jul 9, 2024):

> Have you tried the latest Bitwarden Beta app?
> Here you can see the last build available at this time: https://github.com/bitwarden/android/actions/runs/9842735019

I've previously just had the PlayStore Version installed! Thanks for this hint, unfortunately it still results in a failure

[2024-07-09 00:13:42.509][request][INFO] POST /identity/accounts/prelogin
[2024-07-09 00:13:42.512][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2024-07-09 00:13:42.744][request][INFO] POST /identity/connect/token
[2024-07-09 00:13:43.130][error][ERROR] 2FA token not provided
[2024-07-09 00:13:43.130][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-09 00:13:45.626][request][INFO] GET /webauthn-mobile-connector.html?data=eyJjYWxsYmFja1VyaSI6ImJpd
[2024-07-09 00:13:45.627][response][INFO] (web_files) GET /<p..> [10] => 200 OK
[2024-07-09 00:14:01.497][request][INFO] POST /identity/connect/token
[2024-07-09 00:14:01.960][error][ERROR] Webauthn.
[CAUSE] InvalidRPIDHash
[2024-07-09 00:14:01.961][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

I'll check my YubiKey tomorrow via USB on a computer

Author
Owner

@leo15dev commented on GitHub (Jul 9, 2024):

@BlackDex v1.31.0 had a similar issue with 2FA via Authenticator app or Email in the iOS native app.

[2024-07-09 08:10:54.346][error][ERROR] 2FA token not provided
[2024-07-09 08:10:54.346][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-09 08:11:19.594][request][INFO] POST /identity/connect/token
[2024-07-09 08:11:22.389][vaultwarden::api::push][ERROR] An error occurred while proceeding registration of a device: HTTP status client error (405 Method Not Allowed) for url (https://api.bitwarden.eu/push/register)
[2024-07-09 08:11:22.390][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-09 08:11:39.137][request][INFO] POST /identity/connect/token
[2024-07-09 08:11:39.592][vaultwarden::api::push][ERROR] An error occurred while proceeding registration of a device: HTTP status client error (405 Method Not Allowed) for url (https://api.bitwarden.eu/push/register)
[2024-07-09 08:11:39.592][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-09 08:12:13.036][request][INFO] POST /identity/connect/token
[2024-07-09 08:12:14.076][vaultwarden::api::push][ERROR] An error occurred while proceeding registration of a device: HTTP status client error (405 Method Not Allowed) for url (https://api.bitwarden.eu/push/register)
[2024-07-09 08:12:14.077][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-09 08:12:29.227][request][INFO] POST /api/two-factor/send-email-login
[2024-07-09 08:12:31.988][response][INFO] (send_email_login) POST /api/two-factor/send-email-login => 200 OK
[2024-07-09 08:12:50.855][request][INFO] POST /identity/connect/token
[2024-07-09 08:12:51.320][vaultwarden::api::push][ERROR] An error occurred while proceeding registration of a device: HTTP status client error (405 Method Not Allowed) for url (https://api.bitwarden.eu/push/register)
[2024-07-09 08:12:51.321][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-09 08:14:15.295][request][INFO] POST /identity/connect/token
[2024-07-09 08:14:15.332][vaultwarden::api::core::two_factor::email][ERROR] No token available
[2024-07-09 08:14:15.333][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-09 08:17:25.929][request][INFO] POST /identity/connect/token
[2024-07-09 08:17:25.980][vaultwarden::api::core::two_factor::email][ERROR] No token available
[2024-07-09 08:17:25.981][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

edited:
I found the solution in #4609

I think it should be mentioned in the release notes or added to the wiki, thanks.

Author
Owner

@BlackDex commented on GitHub (Jul 9, 2024):

@leo15dev, that mail 2FA doesn't work on the new release via the native app isn't strange; it isn't fixed yet.

Changing the push notifications api shouldn't fix the issue, as those are not related in any way.

But mentioning the push api change in the changelog is probably a good thing to do.

Author
Owner

@Gerardv514 commented on GitHub (Jul 11, 2024):

FYI I have the iOS beta app, I have Authenticator app, duo, and email setup as 2fa methods on VW v1.31. I am not even being prompted at all for any of those 2fa methods on the beta app, it logs right in. Unsure if this would be client side or server side.

Author
Owner

@glmdev commented on GitHub (Oct 27, 2024):

Hi :) Long-time user here; appreciate all the hard work.

I'm still having this issue on the latest build (1.32.3) -- I cannot login with either TOTP MFA or FIDO2 WebAuthn in Firefox directly or in the Firefox extension (on Linux).

I'm able to do so in Chromium. After downgrading (back) to build 1.30.5 I'm able to login in Firefox, but obv this isn't a long-term fix.

The error I was getting was the same 400 error against `/identity/connect/token` ("Can't recover login challenge"). I did try fully clearing my browser cache on 1.32.3 to no avail.

I'm running the `vaultwarden/server` Docker container in K8s. Are there any logs or additional info I could provide that might be helpful?

Author
Owner

@glmdev commented on GitHub (Oct 27, 2024):

Well this might have been user error. I realized that on neither 1.32.3 OR 1.30.5 would my vault data load even if I was able to log in (something about a "bad refresh token" error on the same endpoint). I suspect this was my fault for trying to downgrade.

I decided to just start fresh and re-import my vault data, so no harm done. I suppose I learned my lesson about tracking `vaultwarden/server:latest` instead of manually validating the upgrade.

Author
Owner

@BlackDex commented on GitHub (Oct 27, 2024):

Not sure if that is the case. And without any debugging data like what the server sent, and what the browser reported, there is no way to know what was the issue or how we could fix it if something is wrong.


@glmdev commented on GitHub (Oct 27, 2024):

Here are redacted server logs with `LOG_LEVEL=trace` and `EXTENDED_LOGGING=true`. I've also attached redacted info from the HTTP requests to the `token` endpoint both before and after I provide my MFA code.

This is on the latest build against the broken vault -- I'm able to log in, but the vault data is empty. Like I mentioned, I got up and running again by restoring a clean backup.

[websocket-request.txt](https://github.com/user-attachments/files/17534943/websocket-request.txt)
[vaultwarden-failed-token-post-login.txt.txt](https://github.com/user-attachments/files/17534945/vaultwarden-failed-token-post-login.txt.txt)
[vaultwarden-failed-token-pre-login.txt](https://github.com/user-attachments/files/17534946/vaultwarden-failed-token-pre-login.txt)
[logs-from-vaultwarden-in-vaultwarden-7765fdc64b-k4z5h.log](https://github.com/user-attachments/files/17534947/logs-from-vaultwarden-in-vaultwarden-7765fdc64b-k4z5h.log)

One thing that stood out to me -- the refresh token being sent along is flagged as invalid by the server. Not sure how this is encoded, but I tried running it through `base64 --decode` which said it was malformed.

@BlackDex commented on GitHub (Oct 27, 2024):

The refresh token can be decoded via https://jwt.io.

Further, I would suggest validating the date/time on your system. It might be out of sync.
There have been some Daylight Savings adjustments done last night, so it might be that your server is still an hour off.

Check `https://your.domain.tld/admin/diagnostics` to see if the date/time is still correct.


@glmdev commented on GitHub (Oct 27, 2024):

Thanks for the suggestions. I put the refresh token in `jwt.io`, and tried every algorithm but it said the token was not encoded correctly.

For context, I've been doing this process in a new private browsing session each time. `/admin/diagnostics` gave me a 404 error, but `exec`-ing into the pod and running `date` manually showed that the TZ is UTC and the time is correct.


@BlackDex commented on GitHub (Oct 27, 2024):

You shouldn't have to select any algorithm. If it doesn't decode right away, something has mangled the JWT very badly. Be sure not to base64 decode it yourself btw.

It should start with `ey` and somewhere down the line it should do that again. If not, then I wonder what you have as a token.

You could try to stop Vaultwarden, delete the rsa files in the data directory, start Vaultwarden again and see what happens if you log in again.

Also, if the diagnostic page gave a 404, then you probably have not yet enabled the admin interface.

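The two BlackDex replies above make two separate points that are easy to conflate when debugging a "bad refresh token": a JWT is three base64url segments joined by dots (so feeding the whole string to `base64 --decode` fails on the dots, the `-`/`_` alphabet and the stripped padding), and a server clock that is an hour off makes otherwise valid `exp`/`nbf`/`iat` claims fail. The script below is an added example written for this thread; it is not Vaultwarden code and not part of the original discussion. It builds a constructed, unsigned sample token (placeholder signature, made-up claims), shows why strict standard base64 rejects it, and reports what a clock skew would do to its time claims without verifying the signature.

```python
"""Shape-check a JWT (e.g. a refresh token) and its time claims; added example, not Vaultwarden code."""
import base64
import binascii
import json
import time
from typing import Optional

# Constructed sample claims: NOT a real token, the signature below is a placeholder.
SAMPLE_IAT = 1_730_000_000          # constructed issue time (late Oct 2024, UTC)
SAMPLE_EXP = SAMPLE_IAT + 7200      # constructed expiry, two hours later


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the stripped padding and decode one segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(iat: int = SAMPLE_IAT, exp: int = SAMPLE_EXP) -> str:
    """Build a structurally valid JWT for demonstration; the signature is not real."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "constructed-user-id", "iat": iat, "nbf": iat, "exp": exp}
    compact = {"separators": (",", ":")}
    return ".".join([
        b64url_encode(json.dumps(header, **compact).encode()),
        b64url_encode(json.dumps(payload, **compact).encode()),
        b64url_encode(b"placeholder-signature-not-verified"),
    ])


def whole_token_is_plain_base64(token: str) -> bool:
    """True only if strict standard base64 (what `base64 --decode` expects) accepts the whole string."""
    try:
        base64.b64decode(token, validate=True)
        return True
    except binascii.Error:
        return False


def inspect_jwt(token: str, now: Optional[float] = None) -> dict:
    """Parse header and payload WITHOUT verifying the signature; report shape and clock problems."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return {"well_formed": False, "reason": f"expected 3 dot-separated segments, got {len(parts)}"}
    header_seg, payload_seg, _sig_seg = parts
    # A base64url-encoded JSON object always starts with 'ey' because '{"' encodes to 'eyJ'.
    if not (header_seg.startswith("ey") and payload_seg.startswith("ey")):
        return {"well_formed": False, "reason": "header/payload do not start with 'ey'; token was mangled"}
    try:
        header = json.loads(b64url_decode(header_seg))
        payload = json.loads(b64url_decode(payload_seg))
    except (binascii.Error, ValueError) as exc:
        return {"well_formed": False, "reason": f"segment is not base64url JSON: {exc}"}
    now = time.time() if now is None else now
    report = {"well_formed": True, "alg": header.get("alg"), "claims": payload}
    # A client/server clock offset shows up as one of these three, even for a perfectly good token.
    if "exp" in payload:
        report["expired"] = now > payload["exp"]
    if "nbf" in payload:
        report["not_yet_valid"] = now < payload["nbf"]
    if "iat" in payload:
        report["issued_in_future_by"] = max(0, payload["iat"] - now)
    return report


if __name__ == "__main__":
    tok = make_sample_token()
    print("starts with 'ey':", tok.startswith("ey"))
    print("whole token is plain base64:", whole_token_is_plain_base64(tok))
    print(json.dumps(inspect_jwt(tok, now=SAMPLE_IAT + 60), indent=2))
    # Pretend the server clock is an hour behind the issuer: the token looks issued in the future.
    print(json.dumps(inspect_jwt(tok, now=SAMPLE_IAT - 3600), indent=2))
    print(inspect_jwt("not.a.jwt.at.all"))
```

Running it against a real refresh token is read-only: nothing here checks the signature, so a `well_formed: True` report only says the token survived the trip from server to browser intact, not that it is valid. A `reason` mentioning `ey` or base64url points at something between the server and the client rewriting the token; `expired`, `not_yet_valid` or a non-zero `issued_in_future_by` with a freshly issued token points at the clock, which is exactly what the diagnostics page is meant to surface.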

Reference: starred/vaultwarden#1962