[GH-ISSUE #7094] Mobile 2FA broken: WebAuthn provider advertised with null data when no keys exist #19383

Closed
opened 2026-04-25 21:55:44 -05:00 by GiteaMirror · 2 comments

Originally created by @korund on GitHub (Apr 13, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7094

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.6
  • Web-vault version: v2026.2.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.51.1
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "trace",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "***********",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://******************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.35.6

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx/1.23.1 (Synology Web Station)

Host/Server Operating System

NAS/SAN

Operating System Version

Synology DSM 7.3.2-86009 Update 3

Clients

Android

Client Version

Bitwarden Android 2026.3.1 / 2025.12.1

Steps To Reproduce

  1. Deploy Vaultwarden with DOMAIN set (e.g. DOMAIN=https://example.com:8080)
  2. Create a user account, enable TOTP two-factor authentication
  3. Do not register any WebAuthn/FIDO2 keys
  4. Log in from the Bitwarden Android app

Expected Result

The app shows the TOTP code entry screen after entering the master password, same as the web vault and the official Bitwarden server (tested with bitwarden.eu).

Actual Result

The app shows an error dialog ("An error has occurred... contact us") with only a "Close" button. No 2FA prompt appears. After dismissing, the app stays on the password screen. The web vault works correctly with the same account and 2FA setup.

Logs

The Bitwarden Flight Recorder log shows:

POST /identity/connect/token -> 400 Bad Request (198-byte body)
WARNING – NetworkResultCall – retrofit2.HttpException: HTTP 400

-> app navigates back to password screen

The app receives the 400 response but does not treat it as a 2FA challenge. From the client-side log alone it is not possible to tell whether the failure is in deserializing the body or in handling one of the advertised providers; the server-side comparison below narrows it down.

Vaultwarden response (POST /identity/connect/token):

{
  "MasterPasswordPolicy": {"Object": "masterPasswordPolicy"},
  "TwoFactorProviders": ["0", "8"],
  "TwoFactorProviders2": {"0": null, "8": null},
  "error": "invalid_grant",
  "error_description": "Two factor required."
}

bitwarden.eu response (same scenario — TOTP only, no WebAuthn keys):

{
  "TwoFactorProviders": ["0"],
  "TwoFactorProviders2": {"0": null},
  "MasterPasswordPolicy": null,
  "error": "invalid_grant",
  "error_description": "Two factor required."
}

Provider 8 (WebAuthn) is advertised in the Vaultwarden response with `null` challenge data, even though no WebAuthn credential is registered for the account (`SELECT * FROM twofactor` shows only the TOTP record, `atype=0`). The official server lists only the providers the user has actually enrolled and omits provider 8 in this scenario. A WebAuthn entry whose value is `null` gives a client nothing to start an assertion with (presumably the non-null form carries the challenge and allowed-credential options), so this is the most plausible trigger for the mobile app's generic error; the web vault apparently tolerates or ignores the empty entry.

Vaultwarden server log (LOG_LEVEL=trace) during the failed mobile login:

POST /identity/accounts/prelogin => 200 OK
POST /identity/connect/token
[error] 2FA token not provided
POST /identity/connect/token => 400 Bad Request

The server does enforce the second factor (no token is issued without it, so this is a login-availability/protocol-conformance bug rather than an authentication bypass), but the challenge payload it returns is inconsistent: it advertises a WebAuthn provider with no credentials behind it. No follow-up request comes from the mobile client.

Screenshots or Videos

No response

Additional Context

Potentially relevant: #1471

GiteaMirror added the bug label 2026-04-25 21:55:44 -05:00

@BlackDex commented on GitHub (Apr 13, 2026):

Should already be resolved via #7093 in v1.35.7.


@korund commented on GitHub (Apr 13, 2026):

That's a blazing fast fix! :D

Just re-tested with the same account, TOTP-only 2FA setup and Android client against Vaultwarden 1.35.7: the app now shows the TOTP prompt and login completes. I confirm the resolution.

Thank you!
