Admin login page always responds with a 401 #1604

New Issue

MrUnknownDE · 2026-04-06T02:03:26+02:00

MrUnknownDE commented

2026-04-06 02:03:26 +02:00

Originally created by @gabe565 on 5/24/2023

Subject of the issue

Ever since 5a05139efe, the login page consistently returns a 401 status code. I believe this is the intended behavior, but it's causing some login issues for me so I thought I'd see if this warrants changing.

For more context, I protect my admin page behind SSO with Authentik and the nginx auth request module. This module sends each request to an SSO auth endpoint before connecting to the upstream server. If the the SSO endpoint returns a 401 response, the user is redirected to the login page. Otherwise, the user is allowed through. It also seems to handle a 401 response from the app by redirecting to the SSO login URL.

When this module is enabled, Vaultwarden's 401 response results in a redirect loop.

During my troubleshooting, I disabled the SSO auth request. Instead of seeing the Vaultwarden login page, I got a response from the default backend I use since I have it set to replace 401s.

I'm sure I could disable the default 401 backend for Vaultwarden and keep SSO disabled, but all of this troubleshooting made me wonder if there would be a better way to handle this. Would it make more sense for Vaultwarden to return a 200 when the login page is first shown, then return a 401 if the entered code is wrong?

If this behavior shouldn't change, I don't mind closing the issue and finding a workaround.

Deployment environment

vaultwarden version: 1.28.1

Install method: Docker image in Kubernetes
Clients used: Web vault, desktop, Android
Reverse proxy and version: ingress-nginx v1.7.1
MySQL/MariaDB or PostgreSQL version:
Other relevant details: Running Authentik v2023.5.1

Steps to reproduce

Navigate to /admin
Check the response status code

Expected behaviour

The initial login page returns a 200 status code
An invalid token causes the form to be shown again with a 401 status code

Actual behaviour

The initial login page returns a 401 status code
An invalid token causes the form to be shown again with a 401 status code

Troubleshooting data

*Originally created by @gabe565 on 5/24/2023*   ### Subject of the issue  Ever since https://github.com/dani-garcia/vaultwarden/commit/5a05139efe484b37edbc2db6eb618676d26f3723, the login page consistently returns a 401 status code. I believe this is the intended behavior, but it's causing some login issues for me so I thought I'd see if this warrants changing. For more context, I protect my admin page behind SSO with [Authentik](https://goauthentik.io) and the nginx [auth request](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) module. This module sends each request to an SSO auth endpoint before connecting to the upstream server. If the the SSO endpoint returns a 401 response, the user is redirected to the login page. Otherwise, the user is allowed through. It also seems to handle a 401 response from the app by redirecting to the SSO login URL. When this module is enabled, Vaultwarden's 401 response results in a redirect loop. During my troubleshooting, I disabled the SSO auth request. Instead of seeing the Vaultwarden login page, I got a response from the [default backend](https://github.com/tarampampam/error-pages) I use since I have it set to replace 401s. I'm sure I could disable the default 401 backend for Vaultwarden and keep SSO disabled, but all of this troubleshooting made me wonder if there would be a better way to handle this. Would it make more sense for Vaultwarden to return a 200 when the login page is first shown, then return a 401 if the entered code is wrong? If this behavior shouldn't change, I don't mind closing the issue and finding a workaround. ### Deployment environment     * vaultwarden version: 1.28.1  * Install method: Docker image in Kubernetes * Clients used:  Web vault, desktop, Android * Reverse proxy and version:  ingress-nginx v1.7.1 * MySQL/MariaDB or PostgreSQL version:  * Other relevant details: Running Authentik v2023.5.1 ### Steps to reproduce  - Navigate to `/admin` - Check the response status code ### Expected behaviour  - The initial login page returns a 200 status code - An invalid token causes the form to be shown again with a 401 status code ### Actual behaviour  - The initial login page returns a 401 status code - An invalid token causes the form to be shown again with a 401 status code ### Troubleshooting data

MrUnknownDE closed this issue

2026-04-06 02:03:26 +02:00

Sign in to join this conversation.

No Label

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#1604