Bitwarden Android client: error decoding FIDO2 credential from vaultwarden server #461

Closed
opened 2026-04-05 21:22:29 +02:00 by MrUnknownDE · 0 comments

Originally created by @handsomexdd1024 on 7/22/2025

Prerequisites

  • I have searched the existing issues and discussions
  • I have read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.1
  • Web-vault version: v2025.5.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.49.1
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": true,
  "domain": "*****://********************",
  "domain_origin": "*****://********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 12,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "BYRIO",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "***************,**************************,******************",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": true,
  "signups_domains_whitelist": "***********,*******,**********,*******,********",
  "signups_verify": true,
  "signups_verify_resend_limit": 3,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": true,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*******************",
  "smtp_from_name": "BYRIO Vaultwarden",
  "smtp_host": "*******************************************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*******************************************************************************************************************************************************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "61841",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx 1.18.0

Host/Server Operating System

Linux

Operating System Version

Ubuntu 22.04 LTS

Clients

Android

Client Version

Bitwarden Android 2025.07-rc24 (dev version), 2025.06.01

Steps To Reproduce

  1. Configure both WebAuthn and TOTP as 2FA methods for the Vaultwarden account.
  2. Connect to Vaultwarden server, login with password.
  3. When prompted for WebAuthn verification, open in browser, return (cancel) and use TOTP.
  4. Log in with TOTP.
  5. Enter the vault page; the error is produced.

Expected Result

The vault can load successfully.

Actual Result

Vault and Send failed to load, even though login was successful.

Logs

kotlinx.serialization.json.internal.JsonDecodingException: Unexpected JSON token at offset 675198: Expected string literal but 'null' literal was found at path: $.ciphers[257].login.fido2Credentials[0].credentialId

Screenshots or Videos

No response

Additional Context

Since app logs from the debug client contain sensitive information, I had to post only the log line that produces the error. Apologies if this partial information does not help with debugging.

If the full log is required, provide a valid OpenPGP public key and I'll send the log file by mail.

By searching previous content for "credentialId":null, I extracted this object from the server response:

{
    "attachments": null,
    "card": null,
    "collectionIds": [],
    "creationDate": "2024-08-31T12:56:40.977696Z",
    "data": {
        "autofillOnPageLoad": null,
        "fido2Credentials": [
            {
                "counter": "2.qFgULgMbCy4TYuYs4na2Bw==|WnN+ISYKl0Bd3QlkuJdsWQ==|zKOcGXdTTc++MZ6/3aSs1mmPS3uof0wKbH/p721UTKU=",
                "creationDate": "2024-04-08T01:34:50.231Z",
                "credentialId": null,
                "discoverable": "2.1yDRw5iBE6WYd8nZwKJL1g==|O3PsmrvNrfgoADDDFpaDhA==|WM1uLUF2aFQ0xF8vPpU8EmuhoHLxwnx40oVnCZLpg30=",
                "keyAlgorithm": null,
                "keyCurve": null,
                "keyType": null,
                "keyValue": null,
                "response": null,
                "rpId": null,
                "rpName": null,
                "userDisplayName": null,
                "userHandle": null,
                "userName": null
            }
        ],
        "fields": [],
        "name": "2.wU9/SFSriwUVOxavQdr1vA==|MSDbZpNJE1rjI6OQDO7NKA==|oNK+d/np/J/SMRpZYLcHF2cCs3YDA+iCBNAu3RXvbnc=",
        "notes": null,
        "password": null,
        "passwordHistory": [],
        "passwordRevisionDate": null,
        "totp": null,
        "uri": null,
        "uris": [],
        "username": null
    },
    "deletedDate": "2024-08-31T12:57:10.666074Z",
    "edit": true,
    "favorite": false,
    "fields": [],
    "folderId": null,
    "id": "f8802069-b5b6-4349-aa44-edc3980409e2",
    "identity": null,
    "key": null,
    "login": {
        "autofillOnPageLoad": null,
        "fido2Credentials": [
            {
                "counter": "2.qFgULgMbCy4TYuYs4na2Bw==|WnN+ISYKl0Bd3QlkuJdsWQ==|zKOcGXdTTc++MZ6/3aSs1mmPS3uof0wKbH/p721UTKU=",
                "creationDate": "2024-04-08T01:34:50.231Z",
                "credentialId": null,
                "discoverable": "2.1yDRw5iBE6WYd8nZwKJL1g==|O3PsmrvNrfgoADDDFpaDhA==|WM1uLUF2aFQ0xF8vPpU8EmuhoHLxwnx40oVnCZLpg30=",
                "keyAlgorithm": null,
                "keyCurve": null,
                "keyType": null,
                "keyValue": null,
                "response": null,
                "rpId": null,
                "rpName": null,
                "userDisplayName": null,
                "userHandle": null,
                "userName": null
            }
        ],
        "password": null,
        "passwordRevisionDate": null,
        "totp": null,
        "uri": null,
        "uris": [],
        "username": null
    },
    "name": "2.wU9/SFSriwUVOxavQdr1vA==|MSDbZpNJE1rjI6OQDO7NKA==|oNK+d/np/J/SMRpZYLcHF2cCs3YDA+iCBNAu3RXvbnc=",
    "notes": null,
    "object": "cipherDetails",
    "organizationId": null,
    "organizationUseTotp": true,
    "passwordHistory": [],
    "reprompt": 0,
    "revisionDate": "2024-08-31T12:57:10.666279Z",
    "secureNote": null,
    "sshKey": null,
    "type": 1,
    "viewPassword": true
}

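This is the only object with $.login.fido2Credentials[0].credentialId set to null. The item also has deletedDate set, and every field of this FIDO2 credential other than counter, creationDate and discoverable is null.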
