mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-12-11 09:13:02 +03:00
U2F not working on Chrome 75 #2122
Originally created by @n1am on GitHub.
Hi,
I'm running bitwarden_rs on docker behind an nginx proxy, using the same nginx configuration posted in the wiki.
I'm having trouble registering my U2F keys on Chrome (version 74 and 75-dev). During the registration process I get this error:
listening for key...
Fetch finished loading: POST "https://mydomain.ltd/api/two-factor/get-u2f-challenge".
u2f.js:628 Extension JS API Version: 1.1
two-factor-u2f.component.ts:138 error: 2
Using Firefox (with u2f support enabled) the registration and login process works fine. I used Firefox 66.0.4 and Firefox ESR 60.6.2.
Best regards
Andrea
@kuruptedfiend commented on GitHub:
I am also seeing this issue with Chrome 74. Keys work fine in Firefox, previously worked in Chrome.
@algernon commented on GitHub:
I'm seeing the same issue with Chrome 74 on Linux. My keys work fine under Firefox, but for some odd reason, it fails in Chrome.
FWIW, the Yubikey in question used to work at other places in Chrome, but even those fail now, while Firefox works. I guess this is a Chrome issue...
@dani-garcia commented on GitHub:
Did you configure the DOMAIN env variable to be equal to the URL used to access the service? Like https://mydomain.ltd.
Error 2 is usually a mismatched URL.
@n1am commented on GitHub:
Hi,
thanks for the quick reply.
The DOMAIN env variable is equal to the URL and the app-id.json presents the right URL.
I've encountered the problem only on Chrome. Using Firefox the auth process using U2F does not result in any error. I tried on different PCs, with the latest Chrome stable and Dev version, unfortunately the issue persists. So I'm thinking that the problem is Chrome since it works fine on Firefox.
When I'm asked to insert the U2F security key, in the Chrome console I'm getting this error 400 in this request url: https://vault.mydomain.ltd/identity/connect/token
@allgoewer commented on GitHub:
I am having the same problem with chrome 74 (Windows 10).
Console output is the same as @n1am is getting.
Edit: The u2f-key is a Yubikey 4. Contrary to @algernon's observation, the key works with other sites, such as gmail or github.
My app-id.json looks like this:
@dani-garcia commented on GitHub:
So I tried registering a key just now and the errorCode 2 seems to be caused by an encoding issue:

Chrome expects base64url while we send normal base64, I think.
Also not sure if related, as I couldn't look into it, but gitea is also having problems with U2F and Chrome 74, which makes me think there was a recent change in Chrome breaking this:
https://github.com/go-gitea/gitea/issues/6748
@dani-garcia commented on GitHub:
I've updated the u2f crate to use base64url with no padding in all cases, and switched it in a commit right now, and that seems to solve the issue for me.
For anyone wanting to test it, you can compile the master branch of the project yourselves or wait a couple of hours until the docker images are built.
After some more users confirm the fix works I'll send a PR to the official u2f repo, instead of using the fork.
@allgoewer commented on GitHub:
It seems to also be working for me, Chrome and Firefox.
@allgoewer commented on GitHub:
This is the corresponding chromium-commit which forces challenges to be base64-url encoded (according to spec).
u2f-rs encodes the challenge as base64, see this line
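The encoding difference discussed in the comments above, as an added example that is not part of the original thread and is not code from vaultwarden, u2f-rs or Chromium. The 32-byte challenge is constructed, and `is_websafe_base64` is a hypothetical stand-in for the strict validation a client may apply; it shows why a standard base64 challenge fails such a check while base64url without padding passes.

```rust
// Added illustration; std-only so it runs without the base64 crate.
const STD: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const URL: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Base64-encode `data` with the given alphabet, optionally '='-padded.
fn encode(data: &[u8], alphabet: &[u8; 64], pad: bool) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let b = [chunk[0], *chunk.get(1).unwrap_or(&0), *chunk.get(2).unwrap_or(&0)];
        let n = ((b[0] as u32) << 16) | ((b[1] as u32) << 8) | b[2] as u32;
        // A chunk of k bytes yields k + 1 significant characters.
        for i in 0..4 {
            if i <= chunk.len() {
                out.push(alphabet[((n >> (18 - 6 * i)) & 0x3f) as usize] as char);
            } else if pad {
                out.push('=');
            }
        }
    }
    out
}

/// Strict websafe-base64 check: URL-safe alphabet only, no '=' padding.
/// Hypothetical stand-in for the validation a strict client performs.
fn is_websafe_base64(s: &str) -> bool {
    !s.is_empty()
        && s.len() % 4 != 1
        && s.bytes().all(|c| c.is_ascii_alphanumeric() || c == b'-' || c == b'_')
}

fn main() {
    // Constructed 32-byte challenge; 0xfb 0xff forces '+' and '/' in standard base64.
    let mut challenge = [0u8; 32];
    challenge[0] = 0xfb;
    challenge[1] = 0xff;
    let cases = [
        ("standard base64", encode(&challenge, STD, true)),
        ("base64url, no padding", encode(&challenge, URL, false)),
    ];
    for (label, s) in cases {
        println!("{:<22} {} -> accepted: {}", label, s, is_websafe_base64(&s));
    }
}
```

Because 32 is not a multiple of 3, the standard encoding of a 32-byte challenge always ends in `=`, so it fails the strict check even when no `+` or `/` happens to appear.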
@n1am commented on GitHub:
Hi,
just tested the latest build. Problem solved.
Thanks