github-starred/vaultwarden
2
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-05-24 17:12:43 -05:00
Code Issues 307 Packages Projects Releases 83 Wiki Activity

Android Login fails at 2FA #2209

New Issue
Closed
opened 2025-11-07 07:37:10 -06:00 by GiteaMirror · 5 comments
GiteaMirror commented 2025-11-07 07:37:10 -06:00
Owner
Copy Link

Originally created by @matt-mai on GitHub (Mar 3, 2025).

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.33.2
  • Web-vault version: v2025.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.48.0
  • Environment settings overridden!: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "bw-data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "bw-data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "******************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "bw-data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": true,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "bw-data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "bw-data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 10,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************************",
  "smtp_from_name": "Bitwarden",
  "smtp_host": "************************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "**************************",
  "templates_folder": "bw-data/templates",
  "tmp_folder": "bw-data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.33.2

Deployment method

Official Container Image

Custom deployment method

Vaultwarden is running in Kubernetes using ghcr.io/dani-garcia/vaultwarden:1.33.2 image.
With ingress-nginx as ingress controller.

Reverse Proxy

nginx 1.25.5

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Android

Client Version

2025.2.2 (19740)

Steps To Reproduce

  1. Fresh install of Android Client
  2. Login on self hosted server
  3. Provide correct Username and Password

Expected Result

App should request the second factor after password was accepted

Actual Result

App returns an error instead:
"This is not a recognized Bitwarden server. You may need to check with your provider or update your server"

Logs

Server Logs: 
[2025-03-03 12:26:41.306][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2025-03-03 12:26:51.730][request][INFO] POST /identity/accounts/prelogin
[2025-03-03 12:26:51.731][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2025-03-03 12:26:52.111][request][INFO] POST /identity/connect/token
[2025-03-03 12:27:03.268][error][ERROR] 2FA token not provided
[2025-03-03 12:27:03.268][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Screenshots or Videos

No response

Additional Context

The 2 FA Token is generated and I get the E-Mail containing the token, but the app does not even request it, it just gives me the error message.

Originally created by @matt-mai on GitHub (Mar 3, 2025). ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.33.2 * Web-vault version: v2025.1.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.48.0 * Environment settings overridden!: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "bw-data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "bw-data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "******************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*************************", "domain_origin": "*****://*************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "bw-data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": true, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 100000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "bw-data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "bw-data/sends", "show_password_hint": true, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 10, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*************************", "smtp_from_name": "Bitwarden", "smtp_host": "************************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "**************************", "templates_folder": "bw-data/templates", "tmp_folder": "bw-data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.33.2 ### Deployment method Official Container Image ### Custom deployment method Vaultwarden is running in Kubernetes using ghcr.io/dani-garcia/vaultwarden:1.33.2 image. With ingress-nginx as ingress controller. ### Reverse Proxy nginx 1.25.5 ### Host/Server Operating System Linux ### Operating System Version _No response_ ### Clients Android ### Client Version 2025.2.2 (19740) ### Steps To Reproduce 1. Fresh install of Android Client 2. Login on self hosted server 3. Provide correct Username and Password ### Expected Result App should request the second factor after password was accepted ### Actual Result App returns an error instead: "This is not a recognized Bitwarden server. You may need to check with your provider or update your server" ### Logs ```text Server Logs: [2025-03-03 12:26:41.306][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2025-03-03 12:26:51.730][request][INFO] POST /identity/accounts/prelogin [2025-03-03 12:26:51.731][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2025-03-03 12:26:52.111][request][INFO] POST /identity/connect/token [2025-03-03 12:27:03.268][error][ERROR] 2FA token not provided [2025-03-03 12:27:03.268][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ``` ### Screenshots or Videos _No response_ ### Additional Context The 2 FA Token is generated and I get the E-Mail containing the token, but the app does not even request it, it just gives me the error message.
GiteaMirror added the bug label 2025-11-07 07:37:10 -06:00
GiteaMirror commented 2025-11-07 07:37:11 -06:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Mar 3, 2025):

Try to fully logout, clear data, uninstall, reinstall and try again.

@BlackDex commented on GitHub (Mar 3, 2025): Try to fully logout, clear data, uninstall, reinstall and try again.
GiteaMirror commented 2025-11-07 07:37:11 -06:00
Author
Owner
Copy Link

@matt-mai commented on GitHub (Mar 3, 2025):

I did. I originally noticed this on a completely new android install and was able to reproduce on an older device with an existing app install.

@matt-mai commented on GitHub (Mar 3, 2025): I did. I originally noticed this on a completely new android install and was able to reproduce on an older device with an existing app install.
GiteaMirror commented 2025-11-07 07:37:12 -06:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Mar 3, 2025):

Then it might be somehow your reverse proxy changes the response maybe?

Try to download the dev Android client here https://github.com/bitwarden/android/actions/runs/13569085049

And check the adb logcat for output.

@BlackDex commented on GitHub (Mar 3, 2025): Then it might be somehow your reverse proxy changes the response maybe? Try to download the `dev` Android client here https://github.com/bitwarden/android/actions/runs/13569085049 And check the `adb logcat` for output.
GiteaMirror commented 2025-11-07 07:37:12 -06:00
Author
Owner
Copy Link

@matt-mai commented on GitHub (Mar 3, 2025):

I redacted the self hosted url and login data, but these seem to be the relevant logs.
It looks like it's trying to connect to https://api.bitwarden.com/connect/token for some reason?

It also seems as if 2FA isn't actually the problem. I created a new test account without 2FA and it still fails at the same step.

03-03 14:31:43.966 10443 12686 D BitwardenNetworkClient: <-- 200 https://<REDACTED>/identity/accounts/prelogin (306ms)
03-03 14:31:43.967 10443 12686 D BitwardenNetworkClient: date: Mon, 03 Mar 2025 13:31:43 GMT
03-03 14:31:43.967 10443 12686 D BitwardenNetworkClient: content-type: application/json
03-03 14:31:43.968 10443 12686 D BitwardenNetworkClient: content-length: 71
03-03 14:31:43.968 10443 12686 D BitwardenNetworkClient: x-frame-options: SAMEORIGIN
03-03 14:31:43.968 10443 12686 D BitwardenNetworkClient: permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
03-03 14:31:43.969 10443 12686 D BitwardenNetworkClient: x-content-type-options: nosniff
03-03 14:31:43.969 10443 12686 D BitwardenNetworkClient: referrer-policy: same-origin
03-03 14:31:43.969 10443 12686 D BitwardenNetworkClient: x-robots-tag: noindex, nofollow
03-03 14:31:43.971 10443 12686 D BitwardenNetworkClient: x-xss-protection: 0
03-03 14:31:43.971 10443 12686 D BitwardenNetworkClient: cross-origin-resource-policy: same-origin
03-03 14:31:43.971 10443 12686 D BitwardenNetworkClient: content-security-policy: default-src 'none'; font-src 'self'; manifest-src 'self'; base-uri 'self'; form-action 'self'; object-src 'self' blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com ; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net ;
03-03 14:31:43.972 10443 12686 D BitwardenNetworkClient: cache-control: no-cache, no-store, max-age=0
03-03 14:31:43.972 10443 12686 D BitwardenNetworkClient: strict-transport-security: max-age=63072000; includeSubDomains; preload
03-03 14:31:43.975 10443 12686 D BitwardenNetworkClient: {"kdf":0,"kdfIterations":600000,"kdfMemory":null,"kdfParallelism":null}
03-03 14:31:43.976 10443 12686 D BitwardenNetworkClient: <-- END HTTP (71-byte body)

---
03-03 14:31:44.710 10443 12686 D BitwardenNetworkClient: --> POST https://<REDACTED>/identity/connect/token
03-03 14:31:44.710 10443 12686 D BitwardenNetworkClient: Content-Type: application/x-www-form-urlencoded
03-03 14:31:44.712 10443 12686 D BitwardenNetworkClient: Content-Length: 240
03-03 14:31:44.713 10443 12686 D BitwardenNetworkClient: Auth-Email: bWFpQG5ldHp3ZXJrcGxhbi5kZQ
03-03 14:31:44.714 10443 12686 D BitwardenNetworkClient: User-Agent: Bitwarden_Mobile/2025.2.0 (debug/standard) (Android 13; SDK 33; Model Nokia G10)
03-03 14:31:44.714 10443 12686 D BitwardenNetworkClient: Bitwarden-Client-Name: mobile
03-03 14:31:44.715 10443 12686 D BitwardenNetworkClient: Bitwarden-Client-Version: 2025.2.0
03-03 14:31:44.716 10443 12686 D BitwardenNetworkClient: Device-Type: 0
03-03 14:31:44.718 10443 12686 D BitwardenNetworkClient: scope=api%20offline_access&client_id=mobile&username=<REDACTED>&password=<REDACTED>&deviceIdentifier=f3429d70-04b9-4d44-ab09-79493cdef42a&deviceName=Nokia%20G10&deviceType=0&grant_type=password
03-03 14:31:44.720 10443 12686 D BitwardenNetworkClient: --> END POST (240-byte body)

---
03-03 14:31:54.741 10443 12686 D BitwardenNetworkClient: <-- HTTP FAILED: java.net.SocketTimeoutException: timeout
03-03 14:31:54.747 10443 12686 W NetworkResultCall: Network Error: https://api.bitwarden.com/connect/token
03-03 14:31:54.747 10443 12686 W NetworkResultCall: java.net.SocketTimeoutException: timeout
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http2.Http2Stream$StreamTimeout.newTimeoutException(Http2Stream.kt:675)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http2.Http2Stream$StreamTimeout.exitAndThrowIfTimedOut(Http2Stream.kt:684)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http2.Http2Stream.takeHeaders(Http2Stream.kt:143)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http2.Http2ExchangeCodec.readResponseHeaders(Http2ExchangeCodec.kt:97)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.connection.Exchange.readResponseHeaders(Exchange.kt:110)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.kt:93)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:34)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:221)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at com.x8bit.bitwarden.data.platform.datasource.network.interceptor.BaseUrlInterceptor.intercept(BaseUrlInterceptor.kt:25)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at com.x8bit.bitwarden.data.platform.datasource.network.interceptor.HeadersInterceptor.intercept(HeadersInterceptor.kt:18)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:517)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
03-03 14:31:54.747 10443 12686 W NetworkResultCall:     at java.lang.Thread.run(Thread.java:1012)
@matt-mai commented on GitHub (Mar 3, 2025): I redacted the self hosted url and login data, but these seem to be the relevant logs. It looks like it's trying to connect to `https://api.bitwarden.com/connect/token` for some reason? It also seems as if 2FA isn't actually the problem. I created a new test account without 2FA and it still fails at the same step. ``` 03-03 14:31:43.966 10443 12686 D BitwardenNetworkClient: <-- 200 https://<REDACTED>/identity/accounts/prelogin (306ms) 03-03 14:31:43.967 10443 12686 D BitwardenNetworkClient: date: Mon, 03 Mar 2025 13:31:43 GMT 03-03 14:31:43.967 10443 12686 D BitwardenNetworkClient: content-type: application/json 03-03 14:31:43.968 10443 12686 D BitwardenNetworkClient: content-length: 71 03-03 14:31:43.968 10443 12686 D BitwardenNetworkClient: x-frame-options: SAMEORIGIN 03-03 14:31:43.968 10443 12686 D BitwardenNetworkClient: permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=() 03-03 14:31:43.969 10443 12686 D BitwardenNetworkClient: x-content-type-options: nosniff 03-03 14:31:43.969 10443 12686 D BitwardenNetworkClient: referrer-policy: same-origin 03-03 14:31:43.969 10443 12686 D BitwardenNetworkClient: x-robots-tag: noindex, nofollow 03-03 14:31:43.971 10443 12686 D BitwardenNetworkClient: x-xss-protection: 0 03-03 14:31:43.971 10443 12686 D BitwardenNetworkClient: cross-origin-resource-policy: same-origin 03-03 14:31:43.971 10443 12686 D BitwardenNetworkClient: content-security-policy: default-src 'none'; font-src 'self'; manifest-src 'self'; base-uri 'self'; form-action 'self'; object-src 'self' blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com ; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net ; 03-03 14:31:43.972 10443 12686 D BitwardenNetworkClient: cache-control: no-cache, no-store, max-age=0 03-03 14:31:43.972 10443 12686 D BitwardenNetworkClient: strict-transport-security: max-age=63072000; includeSubDomains; preload 03-03 14:31:43.975 10443 12686 D BitwardenNetworkClient: {"kdf":0,"kdfIterations":600000,"kdfMemory":null,"kdfParallelism":null} 03-03 14:31:43.976 10443 12686 D BitwardenNetworkClient: <-- END HTTP (71-byte body) --- 03-03 14:31:44.710 10443 12686 D BitwardenNetworkClient: --> POST https://<REDACTED>/identity/connect/token 03-03 14:31:44.710 10443 12686 D BitwardenNetworkClient: Content-Type: application/x-www-form-urlencoded 03-03 14:31:44.712 10443 12686 D BitwardenNetworkClient: Content-Length: 240 03-03 14:31:44.713 10443 12686 D BitwardenNetworkClient: Auth-Email: bWFpQG5ldHp3ZXJrcGxhbi5kZQ 03-03 14:31:44.714 10443 12686 D BitwardenNetworkClient: User-Agent: Bitwarden_Mobile/2025.2.0 (debug/standard) (Android 13; SDK 33; Model Nokia G10) 03-03 14:31:44.714 10443 12686 D BitwardenNetworkClient: Bitwarden-Client-Name: mobile 03-03 14:31:44.715 10443 12686 D BitwardenNetworkClient: Bitwarden-Client-Version: 2025.2.0 03-03 14:31:44.716 10443 12686 D BitwardenNetworkClient: Device-Type: 0 03-03 14:31:44.718 10443 12686 D BitwardenNetworkClient: scope=api%20offline_access&client_id=mobile&username=<REDACTED>&password=<REDACTED>&deviceIdentifier=f3429d70-04b9-4d44-ab09-79493cdef42a&deviceName=Nokia%20G10&deviceType=0&grant_type=password 03-03 14:31:44.720 10443 12686 D BitwardenNetworkClient: --> END POST (240-byte body) --- 03-03 14:31:54.741 10443 12686 D BitwardenNetworkClient: <-- HTTP FAILED: java.net.SocketTimeoutException: timeout 03-03 14:31:54.747 10443 12686 W NetworkResultCall: Network Error: https://api.bitwarden.com/connect/token 03-03 14:31:54.747 10443 12686 W NetworkResultCall: java.net.SocketTimeoutException: timeout 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http2.Http2Stream$StreamTimeout.newTimeoutException(Http2Stream.kt:675) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http2.Http2Stream$StreamTimeout.exitAndThrowIfTimedOut(Http2Stream.kt:684) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http2.Http2Stream.takeHeaders(Http2Stream.kt:143) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http2.Http2ExchangeCodec.readResponseHeaders(Http2ExchangeCodec.kt:97) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.connection.Exchange.readResponseHeaders(Exchange.kt:110) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.kt:93) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:34) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:221) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at com.x8bit.bitwarden.data.platform.datasource.network.interceptor.BaseUrlInterceptor.intercept(BaseUrlInterceptor.kt:25) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at com.x8bit.bitwarden.data.platform.datasource.network.interceptor.HeadersInterceptor.intercept(HeadersInterceptor.kt:18) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:517) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644) 03-03 14:31:54.747 10443 12686 W NetworkResultCall: at java.lang.Thread.run(Thread.java:1012) ```
GiteaMirror commented 2025-11-07 07:37:12 -06:00
Author
Owner
Copy Link

@matt-mai commented on GitHub (Mar 3, 2025):

It seems there's an issue with a network policy in Kubernetes. Login works if i remove them all.
I can fix it myself from here, thanks for your help and sorry for the bother :)

Edit: Just in case someone runs into the same issue in the future:
I had egress traffic for the vaultwarden server limited to ports 80 and 443.
I don't actually see any other ports used, but as soon as i remove that limit, the login works.

@matt-mai commented on GitHub (Mar 3, 2025): It seems there's an issue with a network policy in Kubernetes. Login works if i remove them all. I can fix it myself from here, thanks for your help and sorry for the bother :) Edit: Just in case someone runs into the same issue in the future: I had egress traffic for the vaultwarden server limited to ports 80 and 443. I don't actually see any other ports used, but as soon as i remove that limit, the login works.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
better for forum
bug
documentation
duplicate
enhancement
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
SSO
Third party
troubleshooting
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#2209
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?