Unable to add "FIDO2 WebAuthn" for Two-step login #1027

Closed
opened 2026-04-06 01:34:10 +02:00 by MrUnknownDE · 0 comments

Originally created by @Doraemonsan on 7/28/2024

Subject of the issue

When trying to add "FIDO2 WebAuthn" as a Two-step login method from the web vault, the security key can be read (the WebAuthn registration ceremony itself completes) but the result cannot be saved. On "Save" an error dialog appears: “An error has occurred. An unexpected error has occurred.” The browser console shows the following:
image

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.31.0
  • Web-vault version: v2024.5.1
  • OS/Arch: linux/x86_64
  • Running within a container: false (Base: Not applicable)
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: false
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: MySQL
  • Database version: 11.4.2-MariaDB
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 32,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 30,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/var/lib/vaultwarden/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/var/lib/vaultwarden",
  "database_conn_init": "",
  "database_max_conns": 16,
  "database_timeout": 30,
  "database_url": "*****://****************************************************************",
  "db_connection_retries": 16,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******************************",
  "domain_origin": "*****://*********************",
  "domain_path": "*********",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/var/lib/vaultwarden/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 8,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/var/log/vaultwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 512000,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/var/lib/vaultwarden/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/var/lib/vaultwarden/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "Doraemon",
  "smtp_host": "*********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 8,
  "smtp_username": "***********************",
  "templates_folder": "/var/lib/vaultwarden/templates",
  "tmp_folder": "/var/lib/vaultwarden/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 32000,
  "user_send_limit": 8000,
  "web_vault_enabled": true,
  "web_vault_folder": "/usr/share/webapps/vaultwarden-web",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

In the "Security" tab, under "Two-Step Login", click "Manage" for "FIDO2 WebAuthn", then click "Read Key" and complete the browser/authenticator prompts (here a browser extension plus a mobile device acting as the passkey). The page then reports "Use the 'Save' button below to activate this security key for two-step login." Clicking "Save" at that point results in the error.

Expected behaviour

Clicking the "Save" button correctly adds "FIDO2 WebAuthn" as a two-step login verification method.

Actual behaviour

After clicking "Save", the web vault shows the error dialog and the backend rejects the request: `PUT /api/two-factor/webauthn` returns 422 Unprocessable Entity because the JSON data guard fails before the handler runs (see the log below), so "FIDO2 WebAuthn" is not added as a two-step login method.

Troubleshooting data

image

vaultwarden.log (the WARN line shows the cause: the web vault sends `"name": null` in the `EnableWebauthnData` body, while the server expects a string there, so deserialization fails with `invalid type: null, expected a string` and the request is answered 422 before any WebAuthn verification or storage happens). Note that this data-guard failure echoes the full request body at WARN level, including `masterPasswordHash`, `rawId`, `AttestationObject` and `clientDataJson`; those values are redacted as `xxx` below — redact yours the same way before posting logs:

[2024-07-28 13:40:42.663][request][INFO] POST /password/api/two-factor/get-webauthn-challenge
[2024-07-28 13:40:42.926][response][INFO] (generate_webauthn_challenge) POST /password/api/two-factor/get-webauthn-challenge => 200 OK
[2024-07-28 13:40:42.945][request][INFO] GET /password/api/accounts/revision-date
[2024-07-28 13:40:42.947][response][INFO] (revision_date) GET /password/api/accounts/revision-date => 200 OK
[2024-07-28 13:40:42.953][request][INFO] POST /password/identity/connect/token
[2024-07-28 13:40:42.960][response][INFO] (login) POST /password/identity/connect/token => 200 OK
[2024-07-28 13:40:42.971][request][INFO] GET /password/api/sync
[2024-07-28 13:40:43.028][response][INFO] (sync) GET /password/api/sync?<data..> => 200 OK
[2024-07-28 13:40:53.170][request][INFO] PUT /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870
[2024-07-28 13:40:53.192][request][INFO] GET /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870/details
[2024-07-28 13:40:53.194][response][INFO] (get_cipher_details) GET /password/api/ciphers/<uuid>/details => 200 OK
[2024-07-28 13:40:53.200][request][INFO] GET /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870/details
[2024-07-28 13:40:53.201][response][INFO] (get_cipher_details) GET /password/api/ciphers/<uuid>/details => 200 OK
[2024-07-28 13:40:53.210][request][INFO] GET /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870/details
[2024-07-28 13:40:53.211][response][INFO] (get_cipher_details) GET /password/api/ciphers/<uuid>/details => 200 OK
[2024-07-28 13:40:53.562][response][INFO] (put_cipher) PUT /password/api/ciphers/<uuid> => 200 OK
[2024-07-28 13:40:54.939][request][INFO] PUT /password/api/two-factor/webauthn
[2024-07-28 13:40:54.941][vaultwarden::api::core::two_factor::webauthn::_][WARN] Data guard Json < EnableWebauthnData > failed: Parse("{"masterPasswordHash":"xxx=","deviceResponse":{"id":"xxx-xxx","rawId":"xxx==","type":"public-key","extensions":{},"response":{"AttestationObject":"xxx+xxx+xxx+xxx==","clientDataJson":"xxx=="}},"id":1,"name":null}", Error("invalid type: null, expected a string", line: 1, column: 707)).
[2024-07-28 13:40:54.943][response][INFO] (activate_webauthn_put) PUT /password/api/two-factor/webauthn => 422 Unprocessable Entity

Reverse Proxy Configuration:

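# Vaultwarden listens on loopback only; nginx terminates TLS in front of it.
# `keepalive` requires proxy_http_version 1.1 and a cleared Connection header
# in the proxied location (provided by the $connection_upgrade map below).
upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:8001;
    keepalive 2;
}

# WebSocket support (ENABLE_WEBSOCKET=true in the running config): forward
# "upgrade" when the client asks for it, otherwise send an empty Connection
# header so the upstream keepalive pool can be reused.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

server {
    listen 80;
    listen [::]:80;
    # TLS on a non-standard port. nginx binds `[::]:PORT` IPv6-only by default
    # (ipv6only=on), so an explicit IPv4 listener is added; without it the
    # port-80 redirect below sends IPv4 clients to a port nothing accepts on.
    # Remove the IPv4 line if this socket is deliberately run with ipv6only=off,
    # otherwise the two listeners would conflict.
    listen 8192 ssl;
    listen [::]:8192 ssl;
    http2 on;
    server_name name.domain.com;

    ssl_certificate         /opt/ssl/fullchain.pem;
    ssl_certificate_key     /opt/ssl/privkey.pem;
    # Only consulted for OCSP stapling / client-certificate verification;
    # harmless as-is, but add `ssl_stapling on;` if stapling is the intent.
    ssl_trusted_certificate /opt/ssl/fullchain.pem;

    # Upper bound for uploads (attachments, Sends); keep in step with the
    # attachment/send limits configured in Vaultwarden.
    client_max_body_size 512M;

    # Plain-HTTP requests are redirected to TLS. $server_name (not $host) is
    # used on purpose so a client-supplied Host header cannot steer the redirect.
    if ($server_port = "80") {
        return 301 https://$server_name:8192$request_uri;
    }

    # 497 = plain HTTP sent to the TLS port; redirect instead of erroring out.
    error_page 497 https://$server_name:8192$request_uri;

    # Static web-vault build; the API is served under the /password prefix,
    # so DOMAIN in Vaultwarden has to include that same path (the running
    # config reports domain_set=true with a non-empty domain_path).
    location / {
        alias /usr/share/webapps/vaultwarden-web/;
    }

    location /password {
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        # X-Real-IP is derived from the socket peer address, never copied from
        # an inbound header, which is what makes Vaultwarden's
        # IP_HEADER=X-Real-IP (client-IP logging / login rate limiting)
        # trustworthy. Do not forward a client-supplied X-Real-IP here.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://vaultwarden-default;
    }
}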

*Originally created by @Doraemonsan on 7/28/2024* ### Subject of the issue When trying to add "FIDO2 WebAuthn" as a Two-step login method using the browser, it can be read but not saved. When attempting to save, an error message appears: “An error has occurred. An unexpected error has occurred.” Checking the browser console reveals the following information: ![image](https://github.com/user-attachments/assets/ddd958b9-4704-4a5e-8527-0ab13edda19c) ### Deployment environment ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.31.0 * Web-vault version: v2024.5.1 * OS/Arch: linux/x86_64 * Running within a container: false (Base: Not applicable) * Environment settings overridden: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: false * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: n/a * Domain Configuration Check: true * HTTPS Check: true * Database type: MySQL * Database version: 11.4.2-MariaDB * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 32, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 30, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "/var/lib/vaultwarden/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "/var/lib/vaultwarden", "database_conn_init": "", "database_max_conns": 16, "database_timeout": 30, "database_url": "*****://****************************************************************", 
"db_connection_retries": 16, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://******************************", "domain_origin": "*****://*********************", "domain_path": "*********", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "/var/lib/vaultwarden/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 8, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/var/log/vaultwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": 512000, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, 
"require_device_email": false, "rsa_key_filename": "/var/lib/vaultwarden/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "/var/lib/vaultwarden/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": "Login", "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***********************", "smtp_from_name": "Doraemon", "smtp_host": "*********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 8, "smtp_username": "***********************", "templates_folder": "/var/lib/vaultwarden/templates", "tmp_folder": "/var/lib/vaultwarden/tmp", "trash_auto_delete_days": 30, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 32000, "user_send_limit": 8000, "web_vault_enabled": true, "web_vault_folder": "/usr/share/webapps/vaultwarden-web", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Steps to reproduce After clicking the "Manage" button for "FIDO2 WebAuthn" under the "Two-Step Login" section in the "Security" tab, then clicking the "Read Key" button and following the prompts to use the browser extension and mobile device to add a Passkey, when the page prompts "Use the 'Save' button below to activate this security key for two-step login," clicking the "Save" button results in an error. ### Expected behaviour Clicking the "Save" button correctly adds "FIDO2 WebAuthn" as a two-step login verification method. ### Actual behaviour After clicking the "Save" button, both the browser and the backend encountered an error and could not add "FIDO2 WebAuthn" as a two-step login method. 
### Troubleshooting data ![image](https://github.com/user-attachments/assets/04c59d75-3385-4ba7-9ba1-6d13ec030dda) #### vaultwarden.log: [2024-07-28 13:40:42.663][request][INFO] POST /password/api/two-factor/get-webauthn-challenge [2024-07-28 13:40:42.926][response][INFO] (generate_webauthn_challenge) POST /password/api/two-factor/get-webauthn-challenge => 200 OK [2024-07-28 13:40:42.945][request][INFO] GET /password/api/accounts/revision-date [2024-07-28 13:40:42.947][response][INFO] (revision_date) GET /password/api/accounts/revision-date => 200 OK [2024-07-28 13:40:42.953][request][INFO] POST /password/identity/connect/token [2024-07-28 13:40:42.960][response][INFO] (login) POST /password/identity/connect/token => 200 OK [2024-07-28 13:40:42.971][request][INFO] GET /password/api/sync [2024-07-28 13:40:43.028][response][INFO] (sync) GET /password/api/sync?<data..> => 200 OK [2024-07-28 13:40:53.170][request][INFO] PUT /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870 [2024-07-28 13:40:53.192][request][INFO] GET /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870/details [2024-07-28 13:40:53.194][response][INFO] (get_cipher_details) GET /password/api/ciphers/<uuid>/details => 200 OK [2024-07-28 13:40:53.200][request][INFO] GET /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870/details [2024-07-28 13:40:53.201][response][INFO] (get_cipher_details) GET /password/api/ciphers/<uuid>/details => 200 OK [2024-07-28 13:40:53.210][request][INFO] GET /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870/details [2024-07-28 13:40:53.211][response][INFO] (get_cipher_details) GET /password/api/ciphers/<uuid>/details => 200 OK [2024-07-28 13:40:53.562][response][INFO] (put_cipher) PUT /password/api/ciphers/<uuid> => 200 OK [2024-07-28 13:40:54.939][request][INFO] PUT /password/api/two-factor/webauthn [2024-07-28 13:40:54.941][vaultwarden::api::core::two_factor::webauthn::_][WARN] Data guard `Json < EnableWebauthnData >` failed: 
Parse("{\"masterPasswordHash\":\"xxx=\",\"deviceResponse\":{\"id\":\"xxx-xxx\",\"rawId\":\"xxx==\",\"type\":\"public-key\",\"extensions\":{},\"response\":{\"AttestationObject\":\"xxx+xxx+xxx+xxx==\",\"clientDataJson\":\"xxx==\"}},\"id\":1,\"name\":null}", Error("invalid type: null, expected a string", line: 1, column: 707)). [2024-07-28 13:40:54.943][response][INFO] (activate_webauthn_put) PUT /password/api/two-factor/webauthn => 422 Unprocessable Entity #### Reverse Proxy Configuration: upstream vaultwarden-default { zone vaultwarden-default 64k; server 127.0.0.1:8001; keepalive 2; } map $http_upgrade $connection_upgrade { default upgrade; '' ""; } server { listen 80; listen [::]:80; listen [::]:8192 ssl; http2 on; server_name name.domain.com; ssl_certificate /opt/ssl/fullchain.pem; ssl_certificate_key /opt/ssl/privkey.pem; ssl_trusted_certificate /opt/ssl/fullchain.pem; client_max_body_size 512M; if ($server_port = "80") { return 301 https://$server_name:8192$request_uri; } error_page 497 https://$server_name:8192$request_uri; location / { alias /usr/share/webapps/vaultwarden-web/; } location /password { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://vaultwarden-default; } }
Reference: github/vaultwarden#1027