Request guard Headers failed: "Invalid claim" and session expired directly after login #1527

Closed
opened 2026-04-06 01:59:01 +02:00 by MrUnknownDE · 0 comments
Originally created by @Marcel-Lambacher on 7/19/2023

Subject of the issue

When trying to log in to the web portal, I see for a split second the management page
and then get redirected to the login page due to HTTP 401.
I also see a notification banner that tells me that my session got expired.

The registration was successful but the login isn't working.

Deployment environment

  • vaultwarden version: 1.29.0
  • Install method: Docker image hosted within K8S

  • Clients used: Web Vault

  • Reverse proxy and version: Traefik

  • MySQL/MariaDB or PostgreSQL version: N/A

  • Other relevant details: hosted under vaultwarden.domain.com

Steps to reproduce

  1. Create a new account
  2. Login
  3. 401

Expected behaviour

Once I enter my credentials, I should see my vault.

Actual behaviour

I don't see my vault and get redirected to the login page again.

Troubleshooting data

Container logs:

```
[2023-07-19 08:00:29.274][start][INFO] Rocket has launched from http://0.0.0.0:80
[2023-07-19 08:01:01.516][request][INFO] POST /identity/accounts/register
[2023-07-19 08:01:01.516][vaultwarden::api::core::accounts][ERROR] Registration not allowed or user already exists
[2023-07-19 08:01:01.516][response][INFO] (identity_register) POST /identity/accounts/register => 400 Bad Request
[2023-07-19 08:01:11.613][request][INFO] POST /identity/accounts/register
[2023-07-19 08:01:11.873][response][INFO] (identity_register) POST /identity/accounts/register => 200 OK
[2023-07-19 08:01:14.176][request][INFO] GET /api/devices/knowndevice
[2023-07-19 08:01:14.176][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2023-07-19 08:01:17.846][request][INFO] POST /identity/accounts/prelogin
[2023-07-19 08:01:17.847][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2023-07-19 08:01:18.278][request][INFO] POST /identity/connect/token
[2023-07-19 08:01:18.522][vaultwarden::api::identity][INFO] User <mail> logged in successfully. IP: 10.42.0.2
[2023-07-19 08:01:18.522][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-07-19 08:01:18.667][request][INFO] POST /identity/connect/token
[2023-07-19 08:01:18.669][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-07-19 08:01:18.724][request][INFO] GET /api/sync?excludeDomains=true
[2023-07-19 08:01:18.724][vaultwarden::auth][ERROR] Error decoding JWT
[2023-07-19 08:01:18.724][auth][ERROR] Unauthorized Error: Invalid claim
[2023-07-19 08:01:18.724][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
[2023-07-19 08:01:18.724][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized
[2023-07-19 08:01:18.773][request][INFO] GET /api/config
[2023-07-19 08:01:18.773][response][INFO] (config) GET /api/config => 200 OK
[2023-07-19 08:01:18.789][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2023-07-19 08:01:18.789][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 10.42.0.2
[2023-07-19 08:01:18.789][vaultwarden::auth][ERROR] Error decoding JWT
[2023-07-19 08:01:18.789][vaultwarden::api::notifications][ERROR] Invalid token
[2023-07-19 08:01:18.789][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 401 Unauthorized
```

JWT token:

```
{
  "nbf": 1689752439,
  "exp": 1689759639,
  "iss": "http://localhost|login",
  "sub": "f9b22c5c-c018-4550-a979-2f6cf6a6068b",
  "premium": true,
  "name": "<name>",
  "email": "<mail>",
  "email_verified": true,
  "orgowner": [],
  "orgadmin": [],
  "orguser": [],
  "orgmanager": [],
  "sstamp": "f91e9be4-15da-425a-af8c-95becc04870b",
  "device": "9df157ae-9cef-497e-8249-2bbd90ae14bf",
  "scope": [
    "api",
    "offline_access"
  ],
  "amr": [
    "Application"
  ]
}
```

Ingress

```
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: onechart
    helm.sh/chart: onechart-0.50.0
  name: vaultwarden
  namespace: vaultwarden
spec:
  ingressClassName: traefik
  rules:
  - host: vaultwarden.domain.com
    http:
      paths:
      - backend:
          service:
            name: vaultwarden
            port:
              number: 80
        path: /
        pathType: Prefix
```
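
An added diagnostic sketch, not part of the original issue or of vaultwarden's own code: it decodes a token's payload without verifying the signature and reports where `iss`, `nbf` and `exp` diverge from the deployment described above. The https scheme, the 30-second leeway, reading the log timestamp as UTC and all function names are assumptions, and the output does not establish which claim the server rejected.

```python
import base64
import json
from urllib.parse import urlsplit

LEEWAY = 30  # assumed clock-skew tolerance in seconds

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying it (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_claims(claims: dict, public_url: str, now: int) -> list[str]:
    """Return findings, each prefixed with the name of the claim it concerns."""
    findings = []
    # The issue's token uses the form "<origin>|login" for the issuer.
    origin, _, purpose = str(claims.get("iss", "")).partition("|")
    got, want = urlsplit(origin), urlsplit(public_url)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        findings.append(f"iss: origin {origin!r} is not the public URL {public_url!r}")
    if purpose != "login":
        findings.append(f"iss: purpose suffix {purpose!r} is not 'login'")
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if not isinstance(nbf, int) or now + LEEWAY < nbf:
        findings.append(f"nbf: {nbf!r} is missing or later than now={now}")
    if not isinstance(exp, int) or now - LEEWAY >= exp:
        findings.append(f"exp: {exp!r} is missing or not later than now={now}")
    return findings

# Constructed sample: claim values copied from the issue, header and signature are dummies.
SAMPLE_CLAIMS = {"nbf": 1689752439, "exp": 1689759639, "iss": "http://localhost|login"}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"typ":"JWT","alg":"RS256"}'),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "constructed-signature",
])
LOG_TIME = 1689753678  # 2023-07-19 08:01:18 from the log, read as UTC (assumption)
PUBLIC_URL = "https://vaultwarden.domain.com"  # host from the issue; https is assumed

if __name__ == "__main__":
    for finding in check_claims(jwt_claims(SAMPLE_TOKEN), PUBLIC_URL, LOG_TIME):
        print(finding)
```

Run against the issue's values, the time window is satisfied at the logged 401 and the only finding is the `http://localhost` issuer origin.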
Reference: github/vaultwarden#1527