Bitwarden CLI Client Token has expired #455

Closed
opened 2025-10-09 16:31:43 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @DonSYS91 on GitHub.

Subject of the issue

I just started having random auth issues on Bitwarden CLI that runs in a docker on Azure app service and serves an HTTP endpoint.

Deployment environment

  • Support String:
{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://************************************************************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Client-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "warn",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*********************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*************************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*************************************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • vaultwarden version: 1.30.5
  • Install method: Vaultwarden runs on Azure App Service using the image from docker hub with the tag "vaultwarden/server:latest" and data folder mapped.

  • Clients used: CLI 2024.6.0 (even downgrading wouldn't solve the issue), running on Azure App Service as a docker without mapping.

  • Reverse proxy and version: None

  • MySQL/MariaDB or PostgreSQL version: PostgreSQL 14.11

  • Other relevant details:

Steps to reproduce

I can't seem to find a proper way to reproduce the issue, but the last thing I did when it started acting like that was upgrading the Bitwarden CLI client from 2024.4.1 to 2024.6.0. I also increased KDF to the recommended size in the Vaultwarden user settings.

Expected behaviour

Bitwarden CLI will lock the vault only.

Actual behaviour

Bitwarden CLI is losing the authentication.

Troubleshooting data

Bitwarden CLI becomes unauthenticated returning:

{
    "success": true,
    "data": {
        "object": "template",
        "template": {
            "serverUrl": "https://******",
            "lastSync": null,
            "userEmail": "",
            "userId": "aca0fca5-0944-4b6e-a873-2c7e259c5efc",
            "status": "unauthenticated"
        }
    }
}

In the Vaultwarden logs I have:

[2024-07-02 14:30:10.482][vaultwarden::auth][ERROR] Token has expired
[2024-07-02 14:30:10.577][auth][ERROR] Unauthorized Error: Invalid claim
[2024-07-02 14:30:10.644][vaultwarden::api::core::sends::_][WARN] Request guard `Headers` failed: "Invalid claim".

Bitwarden CLI Dockerfile:

FROM --platform=linux/amd64 debian:latest
ENV DEBIAN_FRONTEND=noninteractive

WORKDIR /usr/local/bin
RUN apt update && apt install -y curl unzip libsecret-1-0 jq
COPY entrypoint.sh .
RUN chmod +x /usr/local/bin/entrypoint.sh
# Look up the newest CLI release name, then download and unpack that version of bw
RUN export VER=$(curl -H "Accept: application/vnd.github+json" https://api.github.com/repos/bitwarden/clients/releases | jq -r 'sort_by(.published_at) | reverse | .[].name | select( index("CLI") )' | sed 's:.*CLI v::' | head -n 1) && \
  curl -LO "https://github.com/bitwarden/clients/releases/download/cli-v${VER}/bw-linux-${VER}.zip" \
  && unzip *.zip && chmod +x ./bw
ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]

entrypoint.sh

#!/usr/bin/env bash

# to enable interactive CLI usage
if [[ $# -gt 0 ]]; then
  bw "$@"
  exit $?
fi

STATUS="$(bw status | jq -r '.status')"

if [[ -n "$MFA_CODE" ]]; then
  # shellcheck disable=SC2034
  export MFA_LOGIN="--method 0 --code $MFA_CODE"
fi

if [[ -n "$BW_CLIENTSECRET" ]]; then
  export API_LOGIN="--apikey"
fi

if [[ "$STATUS" == "unauthenticated" ]]; then
  bw config server "$SERVER_HOST_URL" && echo
  # shellcheck disable=SC2086
  bw login "$VAULT_EMAIL" "$VAULT_PASSWORD" $API_LOGIN $MFA_LOGIN && echo
fi

bw serve --hostname all --port "${SERVE_PORT:-8087}" &
BW_SERVE_PID=$!
echo "\`bw serve\` pid: $BW_SERVE_PID"

if [[ "$UNLOCK_VAULT" == "true" ]]; then
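  # Build the JSON body with jq so quotes or backslashes in the password cannot break it
  while ! curl -sX POST -H "Content-Type: application/json" -d "$(jq -n --arg password "$VAULT_PASSWORD" '{password: $password}')" "http://localhost:${SERVE_PORT:-8087}/unlock" >/dev/null; do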
    sleep 1
  done
  echo "Vault unlocked!"
fi

echo "Server can be reached at: http://localhost:${SERVE_PORT:-8087}/status"
sleep infinity

I tried to remove the rsa* files and they regenerated, but the issue still persists until I restarted the CLI docker.

Any hint?

Thank you!
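
Added example, not part of the original report and not Vaultwarden or Bitwarden code: a small triage helper that pairs the "Token has expired" error with the request guard it caused to fail, and maps a `bw serve` status body to a watchdog action. The function names, the one-second correlation window and the action policy are assumptions; the sample input is the log excerpt and a trimmed status body from the report.

```python
import json
import re
from datetime import datetime, timedelta

# Log layout as quoted in the report: [timestamp][module][LEVEL] message
LOG_RE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]\[([A-Z]+)\] (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Sample input taken from the report (status body trimmed to the field used).
SAMPLE_LOG = [
    "[2024-07-02 14:30:10.482][vaultwarden::auth][ERROR] Token has expired",
    "[2024-07-02 14:30:10.577][auth][ERROR] Unauthorized Error: Invalid claim",
    "[2024-07-02 14:30:10.644][vaultwarden::api::core::sends::_][WARN] "
    'Request guard `Headers` failed: "Invalid claim".',
]
SAMPLE_STATUS = '{"success": true, "data": {"template": {"status": "unauthenticated"}}}'


def parse_line(line):
    """Split one log line into (timestamp, module, level, message), or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m[1], TS_FMT), m[2], m[3], m[4]


def expired_token_rejections(lines, window=timedelta(seconds=1)):
    """Pair each 'Token has expired' error with the request guard that then
    failed with 'Invalid claim' within `window` (window size is an assumption)."""
    hits, expiry = [], None
    for ts, module, _level, msg in filter(None, map(parse_line, lines)):
        if module == "vaultwarden::auth" and msg == "Token has expired":
            expiry = ts
        elif (expiry is not None and "Request guard" in msg
              and "Invalid claim" in msg and ts - expiry <= window):
            hits.append((expiry, module))
            expiry = None
    return hits


def serve_action(status_body):
    """Hypothetical watchdog policy for a `bw serve` status body: a locked vault
    is unlocked in place; any other state gets the restart the report relied on."""
    status = json.loads(status_body)["data"]["template"]["status"]
    return {"unlocked": "ok", "locked": "unlock"}.get(status, "restart")


if __name__ == "__main__":
    print(expired_token_rejections(SAMPLE_LOG), serve_action(SAMPLE_STATUS))
```
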

Reference: starred/vaultwarden#455