[GH-ISSUE #6154] [bug]WebAuth Doesn't Work for testing images #29846

Closed
opened 2026-06-17 09:29:56 -05:00 by GiteaMirror · 76 comments
Owner

Originally created by @IamTaoChen on GitHub (Aug 9, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6154

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-a133d4e9
  • Web-vault version: v2025.7.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Asia/Shanghai
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "*****://***********",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://************",
  "domain_origin": "*****://************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": false,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "autofill-overlay,autofill-v2,browser-fileless-import,extension-refresh,fido2-vault-credentials,inline-menu-positioning-improvements,ssh-key-vault-item,ssh-agent,export-attachments,anon-addy-self-host-alias,simple-login-self-host-alias,mutual-tls",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "KyzDt",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": "/log/vaultwarden.log",
  "log_level": "debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f%z",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://api.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "https://xxxxx",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "https://xxxxx/identity/connect/oidc-signin",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "xxxx",
  "sso_client_secret": "***",
  "sso_debug_tokens": true,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "openid email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

testing

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx

Host/Server Operating System

Linux

Operating System Version

Mac

Clients

Browser Extension

Client Version

No response

Steps To Reproduce

  1. I try to configure OIDC, but it doesn't work
  2. Then I set SSO_ENABLED = false and use master password to login
  3. It asked me to provide webauth, it passed but not action

Expected Result

should login

Actual Result

no action after webauth

Logs

vaultwarden  | [2025-08-09 10:08:27.016+0800][start][INFO] Rocket has launched from https://0.0.0.0:80
vaultwarden  | [2025-08-09 10:08:31.249+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
vaultwarden  | [2025-08-09 10:08:31.252+0800][request][INFO] POST /identity/accounts/prelogin
vaultwarden  | [2025-08-09 10:08:31.253+0800][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
vaultwarden  | [2025-08-09 10:08:31.258+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
vaultwarden  | [2025-08-09 10:08:31.628+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
vaultwarden  | [2025-08-09 10:08:31.630+0800][request][INFO] POST /identity/connect/token
vaultwarden  | [2025-08-09 10:08:31.957+0800][error][ERROR] 2FA token not provided
vaultwarden  | [2025-08-09 10:08:31.957+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
vaultwarden  | [2025-08-09 10:08:31.958+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
vaultwarden  | [2025-08-09 10:08:33.609+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
vaultwarden  | [2025-08-09 10:08:33.611+0800][request][INFO] GET /webauthn-fallback-connector.html?data=xxxxx
vaultwarden  | [2025-08-09 10:08:33.611+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK
vaultwarden  | [2025-08-09 10:08:33.613+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
vaultwarden  | [2025-08-09 10:08:56.735+0800][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
vaultwarden  | [2025-08-09 10:08:56.735+0800][vaultwarden::api::core::two_factor::duo_oidc][DEBUG] Purging Duo authentication contexts
vaultwarden  | [2025-08-09 10:08:56.735+0800][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
vaultwarden  | [2025-08-09 10:09:06.724+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
vaultwarden  | [2025-08-09 10:09:06.725+0800][request][INFO] GET /webauthn-fallback-connector.html?data=eyJhbGxvd0NyZWRlbnRpYWxzI
vaultwarden  | [2025-08-09 10:09:06.726+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK
vaultwarden  | [2025-08-09 10:09:06.728+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
vaultwarden  | [2025-08-09 10:09:26.584+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
vaultwarden  | [2025-08-09 10:09:26.584+0800][rustls::server::hs][DEBUG] Chosen ALPN protocol [xxxx]
vaultwarden  | [2025-08-09 10:09:26.588+0800][request][INFO] GET /alive
vaultwarden  | [2025-08-09 10:09:26.589+0800][response][INFO] (alive) GET /alive => 200 OK
vaultwarden  | [2025-08-09 10:09:26.591+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
vaultwarden  | [2025-08-09 10:09:56.737+0800][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
vaultwarden  | [2025-08-09 10:09:56.737+0800][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
vaultwarden  | [2025-08-09 10:09:56.737+0800][vaultwarden::api::core::two_factor::duo_oidc][DEBUG] Purging Duo authentication contexts
vaultwarden  | [2025-08-09 10:09:56.738+0800][vaultwarden::api::core::two_factor][INFO] User iamtaochen@outlook.com did not complete a 2FA login within the configured time limit. IP: xxxx
vaultwarden  | [2025-08-09 10:09:56.749+0800][rustls::webpki::anchors][DEBUG] add_parsable_certificates processed 142 valid and 0 invalid certs
vaultwarden  | [2025-08-09 10:09:58.246+0800][rustls::client::hs][DEBUG] No cached session for DnsName("xxxx")
vaultwarden  | [2025-08-09 10:09:58.246+0800][rustls::client::hs][DEBUG] Not resuming any session
vaultwarden  | [2025-08-09 10:09:58.613+0800][rustls::client::hs][DEBUG] Using ciphersuite TLS13_AES_256_GCM_SHA384
vaultwarden  | [2025-08-09 10:09:58.613+0800][rustls::client::tls13][DEBUG] Not resuming
vaultwarden  | [2025-08-09 10:09:58.614+0800][rustls::client::tls13][DEBUG] TLS1.3 encrypted extensions: ServerExtensions { unknown_extensions: {}, .. }
vaultwarden  | [2025-08-09 10:09:58.615+0800][rustls::client::hs][DEBUG] ALPN protocol is None
vaultwarden  | [2025-08-09 10:10:02.949+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
vaultwarden  | [2025-08-09 10:10:26.690+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
vaultwarden  | [2025-08-09 10:10:26.690+0800][rustls::server::hs][DEBUG] Chosen ALPN protocol [1xxxx]
vaultwarden  | [2025-08-09 10:10:26.694+0800][request][INFO] GET /alive
vaultwarden  | [2025-08-09 10:10:26.694+0800][response][INFO] (alive) GET /alive => 200 OK
vaultwarden  | [2025-08-09 10:10:26.696+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
vaultwarden  | [2025-08-09 10:10:56.739+0800][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
vaultwarden  | [2025-08-09 10:10:56.740+0800][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
vaultwarden  | [2025-08-09 10:10:56.740+0800][vaultwarden::api::core::two_factor::duo_oidc][DEBUG] Purging Duo authentication contexts

Screenshots or Videos

No response

Additional Context

No response

Originally created by @IamTaoChen on GitHub (Aug 9, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6154 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-a133d4e9 * Web-vault version: v2025.7.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * TZ environment: Asia/Shanghai * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "*****://***********", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://************", "domain_origin": "*****://************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "autofill-overlay,autofill-v2,browser-fileless-import,extension-refresh,fido2-vault-credentials,inline-menu-positioning-improvements,ssh-key-vault-item,ssh-agent,export-attachments,anon-addy-self-host-alias,simple-login-self-host-alias,mutual-tls", "extended_logging": true, "helo_name": null, "hibp_api_key": "***", "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "KyzDt", "invitations_allowed": true, "ip_header": "X-Forwarded-For", "job_poll_interval_ms": 30000, "log_file": "/log/vaultwarden.log", "log_level": "debug", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f%z", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.eu", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://api.bitwarden.eu", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***************", "smtp_from_name": "Vaultwarden", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "***************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "https://xxxxx", "sso_authorize_extra_params": "", "sso_callback_path": "https://xxxxx/identity/connect/oidc-signin", "sso_client_cache_expiration": 0, "sso_client_id": "xxxx", "sso_client_secret": "***", "sso_debug_tokens": true, "sso_enabled": false, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "openid email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version testing ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginx ### Host/Server Operating System Linux ### Operating System Version Mac ### Clients Browser Extension ### Client Version _No response_ ### Steps To Reproduce 1. I try to configure OIDC, but it doesn't work 2. Then I set `SSO_ENABLED = false` and use master password to login 3. It asked me to provide webauth, it passed but not action ### Expected Result should login ### Actual Result no action after webauth ### Logs ```text vaultwarden | [2025-08-09 10:08:27.016+0800][start][INFO] Rocket has launched from https://0.0.0.0:80 vaultwarden | [2025-08-09 10:08:31.249+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 vaultwarden | [2025-08-09 10:08:31.252+0800][request][INFO] POST /identity/accounts/prelogin vaultwarden | [2025-08-09 10:08:31.253+0800][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK vaultwarden | [2025-08-09 10:08:31.258+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify vaultwarden | [2025-08-09 10:08:31.628+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 vaultwarden | [2025-08-09 10:08:31.630+0800][request][INFO] POST /identity/connect/token vaultwarden | [2025-08-09 10:08:31.957+0800][error][ERROR] 2FA token not provided vaultwarden | [2025-08-09 10:08:31.957+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request vaultwarden | [2025-08-09 10:08:31.958+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify vaultwarden | [2025-08-09 10:08:33.609+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 vaultwarden | [2025-08-09 10:08:33.611+0800][request][INFO] GET /webauthn-fallback-connector.html?data=xxxxx vaultwarden | [2025-08-09 10:08:33.611+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK vaultwarden | [2025-08-09 10:08:33.613+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify vaultwarden | [2025-08-09 10:08:56.735+0800][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins vaultwarden | [2025-08-09 10:08:56.735+0800][vaultwarden::api::core::two_factor::duo_oidc][DEBUG] Purging Duo authentication contexts vaultwarden | [2025-08-09 10:08:56.735+0800][vaultwarden::api::core::accounts][DEBUG] Purging auth requests vaultwarden | [2025-08-09 10:09:06.724+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 vaultwarden | [2025-08-09 10:09:06.725+0800][request][INFO] GET /webauthn-fallback-connector.html?data=eyJhbGxvd0NyZWRlbnRpYWxzI vaultwarden | [2025-08-09 10:09:06.726+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK vaultwarden | [2025-08-09 10:09:06.728+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify vaultwarden | [2025-08-09 10:09:26.584+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 vaultwarden | [2025-08-09 10:09:26.584+0800][rustls::server::hs][DEBUG] Chosen ALPN protocol [xxxx] vaultwarden | [2025-08-09 10:09:26.588+0800][request][INFO] GET /alive vaultwarden | [2025-08-09 10:09:26.589+0800][response][INFO] (alive) GET /alive => 200 OK vaultwarden | [2025-08-09 10:09:26.591+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify vaultwarden | [2025-08-09 10:09:56.737+0800][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins vaultwarden | [2025-08-09 10:09:56.737+0800][vaultwarden::api::core::accounts][DEBUG] Purging auth requests vaultwarden | [2025-08-09 10:09:56.737+0800][vaultwarden::api::core::two_factor::duo_oidc][DEBUG] Purging Duo authentication contexts vaultwarden | [2025-08-09 10:09:56.738+0800][vaultwarden::api::core::two_factor][INFO] User iamtaochen@outlook.com did not complete a 2FA login within the configured time limit. IP: xxxx vaultwarden | [2025-08-09 10:09:56.749+0800][rustls::webpki::anchors][DEBUG] add_parsable_certificates processed 142 valid and 0 invalid certs vaultwarden | [2025-08-09 10:09:58.246+0800][rustls::client::hs][DEBUG] No cached session for DnsName("xxxx") vaultwarden | [2025-08-09 10:09:58.246+0800][rustls::client::hs][DEBUG] Not resuming any session vaultwarden | [2025-08-09 10:09:58.613+0800][rustls::client::hs][DEBUG] Using ciphersuite TLS13_AES_256_GCM_SHA384 vaultwarden | [2025-08-09 10:09:58.613+0800][rustls::client::tls13][DEBUG] Not resuming vaultwarden | [2025-08-09 10:09:58.614+0800][rustls::client::tls13][DEBUG] TLS1.3 encrypted extensions: ServerExtensions { unknown_extensions: {}, .. } vaultwarden | [2025-08-09 10:09:58.615+0800][rustls::client::hs][DEBUG] ALPN protocol is None vaultwarden | [2025-08-09 10:10:02.949+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify vaultwarden | [2025-08-09 10:10:26.690+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 vaultwarden | [2025-08-09 10:10:26.690+0800][rustls::server::hs][DEBUG] Chosen ALPN protocol [1xxxx] vaultwarden | [2025-08-09 10:10:26.694+0800][request][INFO] GET /alive vaultwarden | [2025-08-09 10:10:26.694+0800][response][INFO] (alive) GET /alive => 200 OK vaultwarden | [2025-08-09 10:10:26.696+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify vaultwarden | [2025-08-09 10:10:56.739+0800][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins vaultwarden | [2025-08-09 10:10:56.740+0800][vaultwarden::api::core::accounts][DEBUG] Purging auth requests vaultwarden | [2025-08-09 10:10:56.740+0800][vaultwarden::api::core::two_factor::duo_oidc][DEBUG] Purging Duo authentication contexts ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_
GiteaMirror added the bug label 2026-06-17 09:29:56 -05:00
Author
Owner

@IamTaoChen commented on GitHub (Aug 9, 2025):

It cannot downgrade to lastest

vaultwarden  | [2025-08-09 10:20:02.368+0800][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2025-08-09 10:20:02.369+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden  | [2025-08-09 10:20:04.400+0800][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2025-08-09 10:20:04.401+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden  | [2025-08-09 10:20:06.609+0800][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2025-08-09 10:20:06.610+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden  | [2025-08-09 10:20:09.069+0800][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2025-08-09 10:20:09.070+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden  | [2025-08-09 10:20:15.308+0800][request][INFO] POST /identity/accounts/prelogin
vaultwarden  | [2025-08-09 10:20:15.309+0800][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
vaultwarden  | [2025-08-09 10:20:15.668+0800][request][INFO] POST /identity/connect/token
vaultwarden  | [2025-08-09 10:20:15.986+0800][error][ERROR] Serde.
vaultwarden  | [CAUSE] Error("missing field `type_`", line: 1, column: 607)
vaultwarden  | [2025-08-09 10:20:15.986+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
<!-- gh-comment-id:3169663865 --> @IamTaoChen commented on GitHub (Aug 9, 2025): It cannot downgrade to `lastest` ```bash vaultwarden | [2025-08-09 10:20:02.368+0800][request][INFO] GET /api/devices/knowndevice vaultwarden | [2025-08-09 10:20:02.369+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK vaultwarden | [2025-08-09 10:20:04.400+0800][request][INFO] GET /api/devices/knowndevice vaultwarden | [2025-08-09 10:20:04.401+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK vaultwarden | [2025-08-09 10:20:06.609+0800][request][INFO] GET /api/devices/knowndevice vaultwarden | [2025-08-09 10:20:06.610+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK vaultwarden | [2025-08-09 10:20:09.069+0800][request][INFO] GET /api/devices/knowndevice vaultwarden | [2025-08-09 10:20:09.070+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK vaultwarden | [2025-08-09 10:20:15.308+0800][request][INFO] POST /identity/accounts/prelogin vaultwarden | [2025-08-09 10:20:15.309+0800][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK vaultwarden | [2025-08-09 10:20:15.668+0800][request][INFO] POST /identity/connect/token vaultwarden | [2025-08-09 10:20:15.986+0800][error][ERROR] Serde. vaultwarden | [CAUSE] Error("missing field `type_`", line: 1, column: 607) vaultwarden | [2025-08-09 10:20:15.986+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ```
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

You need to either remove 2fa, use a different 2fa type, or restore the record from a backup.

I'm not seeing a failed attempt using webauthn in de first log. I only see duo there. So, not sure what you tried there.

<!-- gh-comment-id:3170438906 --> @BlackDex commented on GitHub (Aug 9, 2025): You need to either remove 2fa, use a different 2fa type, or restore the record from a backup. I'm not seeing a failed attempt using webauthn in de first log. I only see duo there. So, not sure what you tried there.
Author
Owner

@Blacks-Army commented on GitHub (Aug 9, 2025):

I have the same Error, but only if I use the WebAuthn Passkey from my Bitwarden Account in Bitwarden. If I use my YubiKey it works.

Edit: It also happens with the yubikey here the log:

vaultwarden             | [2025-08-09 13:17:56.930][request][INFO] POST /identity/connect/token
vaultwarden             | [2025-08-09 13:17:56.947][webauthn_rs_core::core][ERROR] Credential backup elligibility has changed!
vaultwarden             | [2025-08-09 13:17:56.947][error][ERROR] Webauthn.
vaultwarden             | [CAUSE] CredentialBackupElligibilityInconsistent
vaultwarden             | [2025-08-09 13:17:56.947][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
vaultwarden             | [2025-08-09 13:18:45.495][rocket::request::request][WARN] Header 'cookie' contains invalid UTF-8
vaultwarden             | [2025-08-09 13:18:45.495][rocket::request::request::_][WARN] Rocket only supports UTF-8 header values. Dropping header.
vaultwarden             | [2025-08-09 13:18:45.496][request][INFO] POST /identity/connect/token
vaultwarden             | [2025-08-09 13:18:45.500][vaultwarden::api::core::two_factor::webauthn][ERROR] Can't recover login challenge
vaultwarden             | [2025-08-09 13:18:45.500][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
<!-- gh-comment-id:3170631472 --> @Blacks-Army commented on GitHub (Aug 9, 2025): I have the same Error, but only if I use the WebAuthn Passkey from my Bitwarden Account in Bitwarden. If I use my YubiKey it works. Edit: It also happens with the yubikey here the log: ```yaml vaultwarden | [2025-08-09 13:17:56.930][request][INFO] POST /identity/connect/token vaultwarden | [2025-08-09 13:17:56.947][webauthn_rs_core::core][ERROR] Credential backup elligibility has changed! vaultwarden | [2025-08-09 13:17:56.947][error][ERROR] Webauthn. vaultwarden | [CAUSE] CredentialBackupElligibilityInconsistent vaultwarden | [2025-08-09 13:17:56.947][response][INFO] (login) POST /identity/connect/token => 400 Bad Request vaultwarden | [2025-08-09 13:18:45.495][rocket::request::request][WARN] Header 'cookie' contains invalid UTF-8 vaultwarden | [2025-08-09 13:18:45.495][rocket::request::request::_][WARN] Rocket only supports UTF-8 header values. Dropping header. vaultwarden | [2025-08-09 13:18:45.496][request][INFO] POST /identity/connect/token vaultwarden | [2025-08-09 13:18:45.500][vaultwarden::api::core::two_factor::webauthn][ERROR] Can't recover login challenge vaultwarden | [2025-08-09 13:18:45.500][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ```
Author
Owner

@Blacks-Army commented on GitHub (Aug 9, 2025):

Maybe my issue is related to PR #5934?

<!-- gh-comment-id:3171023296 --> @Blacks-Army commented on GitHub (Aug 9, 2025): Maybe my issue is related to PR #5934?
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

I see strange stuff regarding non-utf-8 characters in your logs. Those shouldn't be happening at all. That might also break the WebauthN data sent to the server.

Not sure what is in between the browser and the Vaultwarden instance, but it looks like it is adjusting your WebAuthN response to the server.

<!-- gh-comment-id:3171312512 --> @BlackDex commented on GitHub (Aug 9, 2025): I see strange stuff regarding non-utf-8 characters in your logs. Those shouldn't be happening at all. That might also break the WebauthN data sent to the server. Not sure what is in between the browser and the Vaultwarden instance, but it looks like it is adjusting your WebAuthN response to the server.
Author
Owner

@Blacks-Army commented on GitHub (Aug 9, 2025):

I am using Traefik, but this also did not happened before. Traefik only sets Headers and Rate Limits.

Edit: And I am not setting a Header named cookie

<!-- gh-comment-id:3171410380 --> @Blacks-Army commented on GitHub (Aug 9, 2025): I am using Traefik, but this also did not happened before. Traefik only sets Headers and Rate Limits. Edit: And I am not setting a Header named cookie
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

I'm unable to reproduce this on my side.

I used the current stable version to create the 2FA tokens, and i used both SoftU2F and my YubiKey5c. Then compiled the main branch, and logged in just fine.

Be sure you have HTTPS working with a valid certificate. Check /admin/diagnostics to see if there are issues.

@IamTaoChen i would suggest to make the admin interface available so that you can also check the diagnostics page. It provides us useful information which otherwise makes it almost impossible for us to help in a useful way.

@Blacks-Army, In your case it looks like it has something to do with a backup key. Not sure which key you are using right now, is that the key used during the creation, or are you now using the backup key to verify.

I noticed something similar in Proxmox regarding this message. But, i do not have the means to test this my self, as i do not have two YubiKey's.

<!-- gh-comment-id:3171623121 --> @BlackDex commented on GitHub (Aug 9, 2025): I'm unable to reproduce this on my side. I used the current stable version to create the 2FA tokens, and i used both SoftU2F and my YubiKey5c. Then compiled the main branch, and logged in just fine. Be sure you have HTTPS working with a valid certificate. Check `/admin/diagnostics` to see if there are issues. @IamTaoChen i would suggest to make the admin interface available so that you can also check the diagnostics page. It provides us useful information which otherwise makes it almost impossible for us to help in a useful way. @Blacks-Army, In your case it looks like it has something to do with a backup key. Not sure which key you are using right now, is that the key used during the creation, or are you now using the backup key to verify. I noticed something similar in Proxmox regarding this message. But, i do not have the means to test this my self, as i do not have two YubiKey's.
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

As a reference to where i found it at Proxmox: https://git.proxmox.com/?p=proxmox.git;a=commit;h=e4d5cce8ec7b97353b4c922424bf1bc4dcede420

@zUnixorn, maybe you have an idea regarding this?

<!-- gh-comment-id:3171641843 --> @BlackDex commented on GitHub (Aug 9, 2025): As a reference to where i found it at Proxmox: https://git.proxmox.com/?p=proxmox.git;a=commit;h=e4d5cce8ec7b97353b4c922424bf1bc4dcede420 @zUnixorn, maybe you have an idea regarding this?
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

I't might be as easy as allowing allow_backup_eligible_upgrade but I'm not sure.

<!-- gh-comment-id:3171694749 --> @BlackDex commented on GitHub (Aug 9, 2025): I't might be as easy as allowing `allow_backup_eligible_upgrade` but I'm not sure.
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

Also, looking at the code and description from YubiKey it self. It might be you registered the spare key (which you might be using right now) after you verified the main key in Vaultwarden. If that is the case, then i think this error is legit, and increases security of Vaultwarden. I think the previous implementation just didn't bothered looking at it, and that is why you were able to use it and login.

<!-- gh-comment-id:3171794557 --> @BlackDex commented on GitHub (Aug 9, 2025): Also, looking at the code and description from YubiKey it self. It might be you registered the spare key (which you might be using right now) after you verified the main key in Vaultwarden. If that is the case, then i think this error is legit, and increases security of Vaultwarden. I think the previous implementation just didn't bothered looking at it, and that is why you were able to use it and login.
Author
Owner

@Blacks-Army commented on GitHub (Aug 9, 2025):

In the Admin Diagnostics I only get this

API calls:
Header: 'x-xss-protection' does not contain '0'
2FA Connector calls:
Header: 'x-xss-protection' does not contain '0'
Header: 'x-frame-options' is present while it should not

<!-- gh-comment-id:3171845380 --> @Blacks-Army commented on GitHub (Aug 9, 2025): In the Admin Diagnostics I only get this API calls: Header: 'x-xss-protection' does not contain '0' 2FA Connector calls: Header: 'x-xss-protection' does not contain '0' Header: 'x-frame-options' is present while it should not
Author
Owner

@Blacks-Army commented on GitHub (Aug 9, 2025):

Well in Vaultwarden I have multiple Keys. Why does it matter which I use I do not understand tbh.

PassKey - IOS Keychain
YubiKey 5C NFC (Main)
Bitwarden - in the vault itself

<!-- gh-comment-id:3171860957 --> @Blacks-Army commented on GitHub (Aug 9, 2025): Well in Vaultwarden I have multiple Keys. Why does it matter which I use I do not understand tbh. PassKey - IOS Keychain YubiKey 5C NFC (Main) Bitwarden - in the vault itself
Author
Owner

@IamTaoChen commented on GitHub (Aug 9, 2025):

Sorry, it’s evening here in China and I’ve had a few beers. I’ll run the tests and add more logs tomorrow.

<!-- gh-comment-id:3171871239 --> @IamTaoChen commented on GitHub (Aug 9, 2025): Sorry, it’s evening here in China and I’ve had a few beers. I’ll run the tests and add more logs tomorrow.
Author
Owner

@IamTaoChen commented on GitHub (Aug 9, 2025):

I have some update about Client Actions (Mac Chrome Extension & Desktop App)

  1. Logged out and attempted to log back in.
  • On the Chrome extension (Mac): Passkey is stored in Apple Passwords; fingerprint verification succeeded, but the next step did not proceed.
  • On the desktop app: No action occurred—no fingerprint prompt appeared.
  1. Used an alternative 2FA method to log in to the desktop client.
  2. Logged in again afterwards(extension), and it is now working.

I am not certain whether these actions are directly related to the this issue being discussed.


Sorry, this comment is using the latest image not testing(I forgot to mention it before)

<!-- gh-comment-id:3171929956 --> @IamTaoChen commented on GitHub (Aug 9, 2025): I have some update about Client Actions (Mac Chrome Extension & Desktop App) 1. Logged out and attempted to log back in. - On the Chrome extension (Mac): Passkey is stored in Apple Passwords; fingerprint verification succeeded, but the next step did not proceed. - On the desktop app: No action occurred—no fingerprint prompt appeared. 2. Used an alternative 2FA method to log in to the desktop client. 3. Logged in again afterwards(extension), and it is now working. I am not certain whether these actions are directly related to the this issue being discussed. ---- Sorry, this comment is using the latest image not testing(I forgot to mention it before)
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

@Blacks-Army, i would suggest to fix those items, as they might cause some weird issues with some clients.

I tried on a macOS device, and I'm able to add a key, but afterwards I'm unable to login with it.

[2025-08-09 19:15:42.416][webauthn_rs_core::core][DEBUG] extensions: AuthenticationSignedExtensions { unknown_keys: {} }
[2025-08-09 19:15:42.416][vaultwarden::api::core::two_factor::webauthn][ERROR] Credential not present

Using my YubiKey5c on the mac works fine though.

<!-- gh-comment-id:3171946301 --> @BlackDex commented on GitHub (Aug 9, 2025): @Blacks-Army, i would suggest to fix those items, as they might cause some weird issues with some clients. I tried on a macOS device, and I'm able to add a key, but afterwards I'm unable to login with it. ``` [2025-08-09 19:15:42.416][webauthn_rs_core::core][DEBUG] extensions: AuthenticationSignedExtensions { unknown_keys: {} } [2025-08-09 19:15:42.416][vaultwarden::api::core::two_factor::webauthn][ERROR] Credential not present ``` Using my YubiKey5c on the mac works fine though.
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

Maybe @yaleman or @Firstyear have some clue regarding this? (Sorry for tagging)

<!-- gh-comment-id:3171948312 --> @BlackDex commented on GitHub (Aug 9, 2025): Maybe @yaleman or @Firstyear have some clue regarding this? (Sorry for tagging)
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

@IamTaoChen, if you are not using :latest, then it can't have anything to do with the latest webauthn-rs version, as that currently is only in the :testing tagged images.

I wouldn't be surprised if Apple doesn't fully adhere to the standards which might cause issues.

<!-- gh-comment-id:3171949973 --> @BlackDex commented on GitHub (Aug 9, 2025): @IamTaoChen, if you are not using `:latest`, then it can't have anything to do with the latest webauthn-rs version, as that currently is only in the `:testing` tagged images. I wouldn't be surprised if Apple doesn't fully adhere to the standards which might cause issues.
Author
Owner

@Blacks-Army commented on GitHub (Aug 9, 2025):

Removing the Headers did not fix anything.

However I noticed that this only happens on Software saved Passkeys like a Passkey saved in the Apple Keychain or in Bitwarden itself.

It works with YubiKey as a Passkey and Yubico OTP.

<!-- gh-comment-id:3171963139 --> @Blacks-Army commented on GitHub (Aug 9, 2025): Removing the Headers did not fix anything. However I noticed that this only happens on Software saved Passkeys like a Passkey saved in the Apple Keychain or in Bitwarden itself. It works with YubiKey as a Passkey and Yubico OTP.
Author
Owner

@IamTaoChen commented on GitHub (Aug 9, 2025):

I update the diagnostics page

<!-- gh-comment-id:3171982088 --> @IamTaoChen commented on GitHub (Aug 9, 2025): I update the diagnostics page
Author
Owner

@IamTaoChen commented on GitHub (Aug 9, 2025):

Testing Image

Login with master password

2FA by PassKey

  1. Login from web
  2. Input password and ask for the fingerprint
  3. error happen
[2025-08-10 01:31:39.022+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-10 01:31:39.023+0800][request][INFO] GET /api/devices/knowndevice
[2025-08-10 01:31:39.024+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2025-08-10 01:31:39.025+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-10 01:31:39.059+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-10 01:31:39.060+0800][request][INFO] GET /icons/pw.kyzdt.com/icon.png
[2025-08-10 01:31:39.061+0800][reqwest::connect][DEBUG] starting new connection: https://xxxx.com/
[2025-08-10 01:31:39.062+0800][reqwest::connect][DEBUG] starting new connection: https://xxxx.com/
[2025-08-10 01:31:39.063+0800][vaultwarden::api::icons][WARN] IP xxx for domain 'xxxx' is not a global IP!
[2025-08-10 01:31:39.064+0800][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2025-08-10 01:31:39.064+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-10 01:31:42.191+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-10 01:31:42.193+0800][request][INFO] POST /identity/accounts/prelogin
[2025-08-10 01:31:42.194+0800][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2025-08-10 01:31:42.195+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-10 01:31:42.348+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-10 01:31:42.349+0800][request][INFO] POST /identity/connect/token
[2025-08-10 01:31:42.671+0800][error][ERROR] 2FA token not provided
[2025-08-10 01:31:42.671+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2025-08-10 01:31:42.672+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-10 01:31:43.380+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-10 01:31:43.381+0800][request][INFO] GET /webauthn-connector.html?data=eyJhbGxvd0NyZWRlbnRpYWxzI
[2025-08-10 01:31:43.382+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK
[2025-08-10 01:31:43.383+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-10 01:31:49.245+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-10 01:31:49.246+0800][request][INFO] POST /identity/connect/token
[2025-08-10 01:31:49.563+0800][webauthn_rs_core::core][ERROR] Credential backup elligibility has changed!
[2025-08-10 01:31:49.563+0800][error][ERROR] Webauthn.
[CAUSE] CredentialBackupElligibilityInconsistent
[2025-08-10 01:31:49.564+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2025-08-10 01:31:49.565+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
Image

2FA by Authebticater APP

Wroks.

<!-- gh-comment-id:3171990444 --> @IamTaoChen commented on GitHub (Aug 9, 2025): ## Testing Image ### Login with master password #### 2FA by PassKey 1. Login from web 2. Input password and ask for the fingerprint 3. error happen ```bash [2025-08-10 01:31:39.022+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-10 01:31:39.023+0800][request][INFO] GET /api/devices/knowndevice [2025-08-10 01:31:39.024+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2025-08-10 01:31:39.025+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-10 01:31:39.059+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-10 01:31:39.060+0800][request][INFO] GET /icons/pw.kyzdt.com/icon.png [2025-08-10 01:31:39.061+0800][reqwest::connect][DEBUG] starting new connection: https://xxxx.com/ [2025-08-10 01:31:39.062+0800][reqwest::connect][DEBUG] starting new connection: https://xxxx.com/ [2025-08-10 01:31:39.063+0800][vaultwarden::api::icons][WARN] IP xxx for domain 'xxxx' is not a global IP! [2025-08-10 01:31:39.064+0800][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2025-08-10 01:31:39.064+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-10 01:31:42.191+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-10 01:31:42.193+0800][request][INFO] POST /identity/accounts/prelogin [2025-08-10 01:31:42.194+0800][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2025-08-10 01:31:42.195+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-10 01:31:42.348+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-10 01:31:42.349+0800][request][INFO] POST /identity/connect/token [2025-08-10 01:31:42.671+0800][error][ERROR] 2FA token not provided [2025-08-10 01:31:42.671+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2025-08-10 01:31:42.672+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-10 01:31:43.380+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-10 01:31:43.381+0800][request][INFO] GET /webauthn-connector.html?data=eyJhbGxvd0NyZWRlbnRpYWxzI [2025-08-10 01:31:43.382+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK [2025-08-10 01:31:43.383+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-10 01:31:49.245+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-10 01:31:49.246+0800][request][INFO] POST /identity/connect/token [2025-08-10 01:31:49.563+0800][webauthn_rs_core::core][ERROR] Credential backup elligibility has changed! [2025-08-10 01:31:49.563+0800][error][ERROR] Webauthn. [CAUSE] CredentialBackupElligibilityInconsistent [2025-08-10 01:31:49.564+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2025-08-10 01:31:49.565+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify ``` <img width="1454" height="1140" alt="Image" src="https://github.com/user-attachments/assets/f4f1d1f8-62f5-440d-b2e4-f09f572bbe68" /> #### 2FA by Authebticater APP Wroks.
Author
Owner

@IamTaoChen commented on GitHub (Aug 9, 2025):

@BlackDex Hi, I have noticed that the diagnostics page(Support String) displays certain OIDC information that is not concealed.(not about this issue, but maybe important)

<!-- gh-comment-id:3171996199 --> @IamTaoChen commented on GitHub (Aug 9, 2025): @BlackDex Hi, I have noticed that the diagnostics page(Support String) displays certain OIDC information that is not concealed.(not about this issue, but maybe important)
Author
Owner

@IamTaoChen commented on GitHub (Aug 9, 2025):

I'll revcover my DB. if any other information need, please let me know.

<!-- gh-comment-id:3171999961 --> @IamTaoChen commented on GitHub (Aug 9, 2025): I'll revcover my DB. if any other information need, please let me know.
Author
Owner

@BlackDex commented on GitHub (Aug 9, 2025):

@BlackDex Hi, I have noticed that the diagnostics page(Support String) displays certain OIDC information that is not concealed.(not about this issue, but maybe important)

@Timshel

<!-- gh-comment-id:3172004818 --> @BlackDex commented on GitHub (Aug 9, 2025): > [@BlackDex](https://github.com/BlackDex) Hi, I have noticed that the diagnostics page(Support String) displays certain OIDC information that is not concealed.(not about this issue, but maybe important) @Timshel
Author
Owner

@stefan0xC commented on GitHub (Aug 9, 2025):

I think we should be masking (at least) sso_client_id and sso_authority here a133d4e90c/src/config.rs (L268-L272)

<!-- gh-comment-id:3172006451 --> @stefan0xC commented on GitHub (Aug 9, 2025): I think we should be masking (at least) `sso_client_id` and `sso_authority` here https://github.com/dani-garcia/vaultwarden/blob/a133d4e90c6f864c87ad54a877ea501f4d4f92ec/src/config.rs#L268-L272
Author
Owner

@IamTaoChen commented on GitHub (Aug 9, 2025):

I think we should be masking (at least) sso_client_id and sso_authority here

vaultwarden/src/config.rs

Lines 268 to 272 in a133d4e

pub fn get_support_json(&self) -> serde_json::Value {
// Define which config keys need to be masked.
// Pass types will always be masked and no need to put them in the list.
// Besides Pass, only String types will be masked via _privacy_mask.
const PRIVACY_CONFIG: &[&str] = &[

and sso_callback_path which contains the domain of vaultwarden

<!-- gh-comment-id:3172011720 --> @IamTaoChen commented on GitHub (Aug 9, 2025): > I think we should be masking (at least) `sso_client_id` and `sso_authority` here > > [vaultwarden/src/config.rs](https://github.com/dani-garcia/vaultwarden/blob/a133d4e90c6f864c87ad54a877ea501f4d4f92ec/src/config.rs#L268-L272) > > Lines 268 to 272 in [a133d4e](/dani-garcia/vaultwarden/commit/a133d4e90c6f864c87ad54a877ea501f4d4f92ec) > > pub fn get_support_json(&self) -> serde_json::Value { > // Define which config keys need to be masked. > // Pass types will always be masked and no need to put them in the list. > // Besides Pass, only String types will be masked via _privacy_mask. > const PRIVACY_CONFIG: &[&str] = &[ and `sso_callback_path` which contains the domain of vaultwarden
Author
Owner

@Blacks-Army commented on GitHub (Aug 9, 2025):

I think we should be masking (at least) sso_client_id and sso_authority here a133d4e90c/src/config.rs (L268-L272)

You mean the secret right?

<!-- gh-comment-id:3172025847 --> @Blacks-Army commented on GitHub (Aug 9, 2025): > I think we should be masking (at least) `sso_client_id` and `sso_authority` here https://github.com/dani-garcia/vaultwarden/blob/a133d4e90c6f864c87ad54a877ea501f4d4f92ec/src/config.rs#L268-L272 You mean the secret right?
Author
Owner

@stefan0xC commented on GitHub (Aug 9, 2025):

// Pass types will always be masked and no need to put them in the list. 

You mean the secret right?

Nope. That already is of type Pass so it's hidden already. I've updated my PR #6153 to also mask those three options.

<!-- gh-comment-id:3172067028 --> @stefan0xC commented on GitHub (Aug 9, 2025): > > // Pass types will always be masked and no need to put them in the list. > You mean the secret right? Nope. That already is of type `Pass` so it's hidden already. I've updated my PR #6153 to also mask those three options.
Author
Owner

@Timshel commented on GitHub (Aug 9, 2025):

When debugging an issue the sso_authority can be useful, but it can be sensitive too.
The sso_client_id will almost certainly never be useful.

<!-- gh-comment-id:3172103486 --> @Timshel commented on GitHub (Aug 9, 2025): When debugging an issue the `sso_authority` can be useful, but it can be sensitive too. The `sso_client_id` will almost certainly never be useful.
Author
Owner

@zUnixorn commented on GitHub (Aug 9, 2025):

I't might be as easy as allowing allow_backup_eligible_upgrade but I'm not sure.

Looking at the code (here), this seems to be the problem, I am not sure what this means though.

The value of allow_backup_eligible_upgrade seems to be a difference between start_securitykey_authentication() and start_passkey_authentication().

start_passkey_authentication() allows allow_backup_eligible_upgrade while start_securitykey_authentication disallows allow_backup_eligible_upgrade.

Unfortunately I don't know what security implications this has. Originally start_passkey_authentication() was used but it required modifying the JSON, now start_securitykey_authentication() is used since it produces the same JSON webauthn request as before the crate update, but as it seems, it doesn't allow allow_backup_eligible_upgrade.

In the CredentialV3 this wasn't present, in the migration, a value of false is assumed for backup_eligible.

I think allowing allow_backup_eligible_upgrade using the underlying webauthn_core_rs crate or using start_passkey_authentication() as before, could fix this.

Since you already pinged two Maintainers of webauthn-rs, maybe they know what security implication allow_backup_eligible_upgrade has and why this is allowed for start_passkey_authentication() but not start_securitykey_authentication()

The docs mention the following regarding the *_security_key() methods:

A Security Key for a user. These are the legacy “second factor” method of security tokens.
You should avoid this type in favour of Passkey or AttestedPasskey

Maybe this is the reason that security keys work but passkeys don't always?

Contrary to the initial suggestion, using start_passkey_authentication() may be more compatible with the original implementation with webauthn-rs 0.3

<!-- gh-comment-id:3172106930 --> @zUnixorn commented on GitHub (Aug 9, 2025): > I't might be as easy as allowing `allow_backup_eligible_upgrade` but I'm not sure. Looking at the code ([here](https://github.com/kanidm/webauthn-rs/blob/fee572215b7a6906b41f271b94ad4a8929bc5d38/webauthn-rs-core/src/core.rs#L887)), this seems to be the problem, I am not sure what this means though. The value of `allow_backup_eligible_upgrade` seems to be a difference between [start_securitykey_authentication()](https://docs.rs/webauthn-rs/latest/webauthn_rs/struct.Webauthn.html#method.start_securitykey_authentication) and [start_passkey_authentication()](https://docs.rs/webauthn-rs/latest/webauthn_rs/struct.Webauthn.html#method.start_passkey_authentication). `start_passkey_authentication()` [allows](https://docs.rs/webauthn-rs/latest/src/webauthn_rs/lib.rs.html#682) `allow_backup_eligible_upgrade` while `start_securitykey_authentication` [disallows](https://docs.rs/webauthn-rs/latest/src/webauthn_rs/lib.rs.html#961) `allow_backup_eligible_upgrade`. Unfortunately I don't know what security implications this has. Originally `start_passkey_authentication()` was used but it required modifying the JSON, now `start_securitykey_authentication()` is used since it produces the same JSON webauthn request as before the crate update, but as it seems, it doesn't allow `allow_backup_eligible_upgrade`. In the [CredentialV3](https://docs.rs/webauthn-rs-core/0.5.2/webauthn_rs_core/proto/struct.CredentialV3.html) this wasn't present, in the [migration](https://docs.rs/webauthn-rs-core/0.5.2/src/webauthn_rs_core/interface.rs.html#320-346), a value of `false` is assumed for `backup_eligible`. I think allowing `allow_backup_eligible_upgrade` using the underlying webauthn_core_rs crate or using `start_passkey_authentication()` as before, could fix this. Since you already pinged two Maintainers of webauthn-rs, maybe they know what security implication `allow_backup_eligible_upgrade` has and why this is allowed for `start_passkey_authentication()` but not `start_securitykey_authentication()` The [docs mention](https://docs.rs/webauthn-rs/latest/webauthn_rs/prelude/struct.SecurityKey.html) the following regarding the *_security_key() methods: > A Security Key for a user. These are the legacy “second factor” method of security tokens. > You should avoid this type in favour of [Passkey](https://docs.rs/webauthn-rs/latest/webauthn_rs/prelude/struct.Passkey.html) or [AttestedPasskey](https://docs.rs/webauthn-rs/latest/webauthn_rs/prelude/struct.AttestedPasskey.html) Maybe this is the reason that security keys work but passkeys don't always? Contrary to the [initial suggestion](https://github.com/dani-garcia/vaultwarden/pull/5934#pullrequestreview-3058117864), using `start_passkey_authentication()` may be more compatible with the original implementation with webauthn-rs 0.3
Author
Owner

@zUnixorn commented on GitHub (Aug 9, 2025):

I reverted to using the original start_passkey_authentication() approach in this branch: https://github.com/zUnixorn/vaultwarden/tree/use_passkey_methods_webauthn_rs

I couldn't reproduce this issue on my end and cannot test this, but you could try if the version in my branch exhibits the same behavior or if it actually fixes the problem.

<!-- gh-comment-id:3172117850 --> @zUnixorn commented on GitHub (Aug 9, 2025): I reverted to using the original start_passkey_authentication() approach in this branch: https://github.com/zUnixorn/vaultwarden/tree/use_passkey_methods_webauthn_rs I couldn't reproduce this issue on my end and cannot test this, but you could try if the version in my branch exhibits the same behavior or if it actually fixes the problem.
Author
Owner

@Firstyear commented on GitHub (Aug 10, 2025):

Since you already pinged two Maintainers of webauthn-rs, maybe they know what security implication allow_backup_eligible_upgrade has and why this is allowed for start_passkey_authentication() but not start_securitykey_authentication()

The difference is that it allows a key that was previously hardware bound to a single device, to now be transient to many devices. As an RP, this changes the security assumptions of the device, since what you thought was single device, now has moved.

In general for the vaultwarden use case, you probably want "securitykey" options here, because that treats the device as a single factor, where as passkeys treat the device as self-contained multifactor and will force user verification.

<!-- gh-comment-id:3172263400 --> @Firstyear commented on GitHub (Aug 10, 2025): > Since you already pinged two Maintainers of webauthn-rs, maybe they know what security implication `allow_backup_eligible_upgrade` has and why this is allowed for `start_passkey_authentication()` but not `start_securitykey_authentication()` The difference is that it allows a key that was previously hardware bound to a single device, to now be transient to many devices. As an RP, this changes the security assumptions of the device, since what you thought was single device, now has moved. In general for the vaultwarden use case, you probably want "securitykey" options here, because that treats the device as a single factor, where as passkeys treat the device as self-contained multifactor and will force user verification.
Author
Owner

@Blacks-Army commented on GitHub (Aug 10, 2025):

Since you already pinged two Maintainers of webauthn-rs, maybe they know what security implication allow_backup_eligible_upgrade has and why this is allowed for start_passkey_authentication() but not start_securitykey_authentication()

The difference is that it allows a key that was previously hardware bound to a single device, to now be transient to many devices. As an RP, this changes the security assumptions of the device, since what you thought was single device, now has moved.

In general for the vaultwarden use case, you probably want "securitykey" options here, because that treats the device as a single factor, where as passkeys treat the device as self-contained multifactor and will force user verification.

I don't know if I quite understand that, but does that mean we need to use start_passkey_authentication() for soft tokens (passkeys in password managers) to work?

<!-- gh-comment-id:3172407111 --> @Blacks-Army commented on GitHub (Aug 10, 2025): > > Since you already pinged two Maintainers of webauthn-rs, maybe they know what security implication `allow_backup_eligible_upgrade` has and why this is allowed for `start_passkey_authentication()` but not `start_securitykey_authentication()` > > The difference is that it allows a key that was previously hardware bound to a single device, to now be transient to many devices. As an RP, this changes the security assumptions of the device, since what you thought was single device, now has moved. > > In general for the vaultwarden use case, you probably want "securitykey" options here, because that treats the device as a single factor, where as passkeys treat the device as self-contained multifactor and will force user verification. I don't know if I quite understand that, but does that mean we need to use `start_passkey_authentication()` for soft tokens (passkeys in password managers) to work?
Author
Owner

@BlackDex commented on GitHub (Aug 10, 2025):

I'm not sure what v0.3.2 was using as it's base verification policy, which we should try to not change i think.

But Bitwarden did renamed the MFA option from WebauthN/FIDO to Passkeys. While I'm of course for more security, it might make it more difficult for users to use the same WebauthN on both there iOS device and macOS. Or maybe an Android device which was transferred, of that modifies something maybe, or possibly at all.

I might check what the different outcome will be between the two options.

<!-- gh-comment-id:3172431785 --> @BlackDex commented on GitHub (Aug 10, 2025): I'm not sure what v0.3.2 was using as it's base verification policy, which we should try to not change i think. But Bitwarden did renamed the MFA option from WebauthN/FIDO to Passkeys. While I'm of course for more security, it might make it more difficult for users to use the same WebauthN on both there iOS device and macOS. Or maybe an Android device which was transferred, of that modifies something maybe, or possibly at all. I might check what the different outcome will be between the two options.
Author
Owner

@Blacks-Army commented on GitHub (Aug 10, 2025):

I reverted to using the original start_passkey_authentication() approach in this branch: https://github.com/zUnixorn/vaultwarden/tree/use_passkey_methods_webauthn_rs

I couldn't reproduce this issue on my end and cannot test this, but you could try if the version in my branch exhibits the same behavior or if it actually fixes the problem.

Is there an image available? Or do I need to build it myself? If so I don't know how...

<!-- gh-comment-id:3172586544 --> @Blacks-Army commented on GitHub (Aug 10, 2025): > I reverted to using the original start_passkey_authentication() approach in this branch: https://github.com/zUnixorn/vaultwarden/tree/use_passkey_methods_webauthn_rs > > I couldn't reproduce this issue on my end and cannot test this, but you could try if the version in my branch exhibits the same behavior or if it actually fixes the problem. Is there an image available? Or do I need to build it myself? If so I don't know how...
Author
Owner

@zUnixorn commented on GitHub (Aug 10, 2025):

Is there an image available? Or do I need to build it myself? If so I don't know how...

Currently there is no image available, but I can build one later so it's easier to test. I will comment it here, when i've come around to make one available.

<!-- gh-comment-id:3172631498 --> @zUnixorn commented on GitHub (Aug 10, 2025): > Is there an image available? Or do I need to build it myself? If so I don't know how... Currently there is no image available, but I can build one later so it's easier to test. I will comment it here, when i've come around to make one available.
Author
Owner

@BlackDex commented on GitHub (Aug 10, 2025):

I tried with the patch form @zUnixorn, but that doesn't solve the Apple macOS/iOS issue for me.
Either it's not fully supported by webauthn-rs, or it's not using standards.

Unfortunately the test/demo application isn't working of webauthn-rs, which prevents me, and others from seeing which data is transfered/used to try and authenticate. This might help the developers of webauthn-rs to fix issues or maybe supply some details regarding issues with some of these devices.

<!-- gh-comment-id:3172674435 --> @BlackDex commented on GitHub (Aug 10, 2025): I tried with the patch form @zUnixorn, but that doesn't solve the Apple macOS/iOS issue for me. Either it's not fully supported by webauthn-rs, or it's not using standards. Unfortunately the test/demo application isn't working of webauthn-rs, which prevents me, and others from seeing which data is transfered/used to try and authenticate. This might help the developers of webauthn-rs to fix issues or maybe supply some details regarding issues with some of these devices.
Author
Owner

@Blacks-Army commented on GitHub (Aug 10, 2025):

Kanidm uses also webauthn-rs 0.5.2 and there it does work
38b54969d1/Cargo.toml (L305C1-L305C69)

<!-- gh-comment-id:3172676909 --> @Blacks-Army commented on GitHub (Aug 10, 2025): Kanidm uses also webauthn-rs 0.5.2 and there it does work https://github.com/kanidm/kanidm/blob/38b54969d1e3e5ca9aeb6189fec49e43577d5652/Cargo.toml#L305C1-L305C69
Author
Owner

@Blacks-Army commented on GitHub (Aug 10, 2025):

I am just seeing this part maybe we need this dependency?

38b54969d1/Cargo.toml (L302)

<!-- gh-comment-id:3172677661 --> @Blacks-Army commented on GitHub (Aug 10, 2025): I am just seeing this part maybe we need this dependency? https://github.com/kanidm/kanidm/blob/38b54969d1e3e5ca9aeb6189fec49e43577d5652/Cargo.toml#L302
Author
Owner

@BlackDex commented on GitHub (Aug 10, 2025):

@Blacks-Army, that seems to be the client-side of the code, not server-side, and thus not something useful.

I do think i see some strange things though. Currently debugging to see what the difference are.

<!-- gh-comment-id:3172722197 --> @BlackDex commented on GitHub (Aug 10, 2025): @Blacks-Army, that seems to be the client-side of the code, not server-side, and thus not something useful. I do think i see some strange things though. Currently debugging to see what the difference are.
Author
Owner

@BlackDex commented on GitHub (Aug 10, 2025):

Yes, I have found a bug which prevents almost every device except for some hardware keys to continue.

Here:
e35c6f8705/src/api/core/two_factor/webauthn.rs (L437)

There is a check if the credential id's match, but, it also checks if there is an updated needed, but if that part fails, the whole authentication fails. And, if i read the documentation correctly, almost no device uses this feature, and it's also not really needed.

Ill check what happens if i update this. But, that still leaves me a bit undecided if using security or passkey would be the right way to go. But, since we probably want to have Soft tokens like Apple work cross device, and that needs to allow the backup_state to be able to be set to true, I think passkeys is probably the way to go.

<!-- gh-comment-id:3172739826 --> @BlackDex commented on GitHub (Aug 10, 2025): Yes, I have found a bug which prevents almost every device except for some hardware keys to continue. Here: https://github.com/dani-garcia/vaultwarden/blob/e35c6f87054563af6ecfec9f100779523b62c473/src/api/core/two_factor/webauthn.rs#L437 There is a check if the credential id's match, but, it also checks if there is an updated needed, but if that part fails, the whole authentication fails. And, if i read the documentation correctly, almost no device uses this feature, and it's also not really needed. Ill check what happens if i update this. But, that still leaves me a bit undecided if using `security` or `passkey` would be the right way to go. But, since we probably want to have Soft tokens like Apple work cross device, and that needs to allow the `backup_state` to be able to be set to `true`, I think `passkeys` is probably the way to go.
Author
Owner

@BlackDex commented on GitHub (Aug 10, 2025):

I Found the issue and created a PR to fix this.

<!-- gh-comment-id:3172768180 --> @BlackDex commented on GitHub (Aug 10, 2025): I Found the issue and created a PR to fix this.
Author
Owner

@BlackDex commented on GitHub (Aug 10, 2025):

Once https://github.com/dani-garcia/vaultwarden/actions/runs/16864227130 is finished you should be able to test if this fully resolves the issues reported here by using the :testing tagged images.

<!-- gh-comment-id:3172777821 --> @BlackDex commented on GitHub (Aug 10, 2025): Once https://github.com/dani-garcia/vaultwarden/actions/runs/16864227130 is finished you should be able to test if this fully resolves the issues reported here by using the `:testing` tagged images.
Author
Owner

@IamTaoChen commented on GitHub (Aug 10, 2025):

No, It still doesn't work

[2025-08-11 01:36:01.910+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-11 01:36:01.911+0800][request][INFO] GET /icons/xxxx.com/icon.png
[2025-08-11 01:36:01.912+0800][opendal::services::fs::backend][DEBUG] backend build started: FsBuilder { config: FsConfig { root: Some("data/icon_cache"), atomic_write_dir: None } }
[2025-08-11 01:36:01.912+0800][opendal::services::fs::backend][DEBUG] backend use root data/icon_cache
[2025-08-11 01:36:02.062+0800][reqwest::connect][DEBUG] starting new connection: https://xxx.com/
[2025-08-11 01:36:02.062+0800][reqwest::connect][DEBUG] starting new connection: https://xxxx.com/
[2025-08-11 01:36:02.064+0800][vaultwarden::api::icons][WARN] IP 172.30.32.253 for domain 'xxxx.com' is not a global IP!
[2025-08-11 01:36:02.064+0800][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2025-08-11 01:36:02.064+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-11 01:36:04.153+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-11 01:36:04.154+0800][request][INFO] GET /api/devices/knowndevice
[2025-08-11 01:36:04.155+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2025-08-11 01:36:04.156+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-11 01:36:05.094+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-11 01:36:05.095+0800][request][INFO] POST /identity/accounts/prelogin
[2025-08-11 01:36:05.096+0800][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2025-08-11 01:36:05.097+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-11 01:36:05.231+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-11 01:36:05.232+0800][request][INFO] POST /identity/connect/token
[2025-08-11 01:36:05.567+0800][error][ERROR] 2FA token not provided
[2025-08-11 01:36:05.567+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2025-08-11 01:36:05.569+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-11 01:36:06.154+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-11 01:36:06.155+0800][request][INFO] GET /webauthn-connector.html?data=eyJhbGxvd0NyZWRlbnRpYWxzI
[2025-08-11 01:36:06.156+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK
[2025-08-11 01:36:06.157+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-11 01:36:06.214+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-11 01:36:06.214+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-11 01:36:06.216+0800][request][INFO] GET /connectors/webauthn.b8f01de2a110dcccf490.js
[2025-08-11 01:36:06.217+0800][request][INFO] GET /connectors/webauthn.6c71ed707506614311d1.css
[2025-08-11 01:36:06.217+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK
[2025-08-11 01:36:06.218+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK
[2025-08-11 01:36:06.218+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-11 01:36:06.221+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-11 01:36:09.993+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-11 01:36:09.993+0800][rustls::server::hs][DEBUG] Chosen ALPN protocol [xxxx]
[2025-08-11 01:36:09.998+0800][request][INFO] GET /alive
[2025-08-11 01:36:09.998+0800][response][INFO] (alive) GET /alive => 200 OK
[2025-08-11 01:36:09.999+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify
[2025-08-11 01:36:10.462+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384
[2025-08-11 01:36:10.463+0800][request][INFO] POST /identity/connect/token
[2025-08-11 01:36:10.787+0800][webauthn_rs_core::core][ERROR] Credential backup elligibility has changed!
[2025-08-11 01:36:10.787+0800][error][ERROR] Webauthn.
[CAUSE] CredentialBackupElligibilityInconsistent
[2025-08-11 01:36:10.787+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2025-08-11 01:36:10.789+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify

<!-- gh-comment-id:3172787427 --> @IamTaoChen commented on GitHub (Aug 10, 2025): No, It still doesn't work ```bash [2025-08-11 01:36:01.910+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-11 01:36:01.911+0800][request][INFO] GET /icons/xxxx.com/icon.png [2025-08-11 01:36:01.912+0800][opendal::services::fs::backend][DEBUG] backend build started: FsBuilder { config: FsConfig { root: Some("data/icon_cache"), atomic_write_dir: None } } [2025-08-11 01:36:01.912+0800][opendal::services::fs::backend][DEBUG] backend use root data/icon_cache [2025-08-11 01:36:02.062+0800][reqwest::connect][DEBUG] starting new connection: https://xxx.com/ [2025-08-11 01:36:02.062+0800][reqwest::connect][DEBUG] starting new connection: https://xxxx.com/ [2025-08-11 01:36:02.064+0800][vaultwarden::api::icons][WARN] IP 172.30.32.253 for domain 'xxxx.com' is not a global IP! [2025-08-11 01:36:02.064+0800][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK [2025-08-11 01:36:02.064+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-11 01:36:04.153+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-11 01:36:04.154+0800][request][INFO] GET /api/devices/knowndevice [2025-08-11 01:36:04.155+0800][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2025-08-11 01:36:04.156+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-11 01:36:05.094+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-11 01:36:05.095+0800][request][INFO] POST /identity/accounts/prelogin [2025-08-11 01:36:05.096+0800][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2025-08-11 01:36:05.097+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-11 01:36:05.231+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-11 01:36:05.232+0800][request][INFO] POST /identity/connect/token [2025-08-11 01:36:05.567+0800][error][ERROR] 2FA token not provided [2025-08-11 01:36:05.567+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2025-08-11 01:36:05.569+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-11 01:36:06.154+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-11 01:36:06.155+0800][request][INFO] GET /webauthn-connector.html?data=eyJhbGxvd0NyZWRlbnRpYWxzI [2025-08-11 01:36:06.156+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK [2025-08-11 01:36:06.157+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-11 01:36:06.214+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-11 01:36:06.214+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-11 01:36:06.216+0800][request][INFO] GET /connectors/webauthn.b8f01de2a110dcccf490.js [2025-08-11 01:36:06.217+0800][request][INFO] GET /connectors/webauthn.6c71ed707506614311d1.css [2025-08-11 01:36:06.217+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK [2025-08-11 01:36:06.218+0800][response][INFO] (web_files) GET /<p..> [10] => 200 OK [2025-08-11 01:36:06.218+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-11 01:36:06.221+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-11 01:36:09.993+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-11 01:36:09.993+0800][rustls::server::hs][DEBUG] Chosen ALPN protocol [xxxx] [2025-08-11 01:36:09.998+0800][request][INFO] GET /alive [2025-08-11 01:36:09.998+0800][response][INFO] (alive) GET /alive => 200 OK [2025-08-11 01:36:09.999+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify [2025-08-11 01:36:10.462+0800][rustls::server::hs][DEBUG] decided upon suite TLS13_AES_256_GCM_SHA384 [2025-08-11 01:36:10.463+0800][request][INFO] POST /identity/connect/token [2025-08-11 01:36:10.787+0800][webauthn_rs_core::core][ERROR] Credential backup elligibility has changed! [2025-08-11 01:36:10.787+0800][error][ERROR] Webauthn. [CAUSE] CredentialBackupElligibilityInconsistent [2025-08-11 01:36:10.787+0800][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2025-08-11 01:36:10.789+0800][rustls::common_state][DEBUG] Sending warning alert CloseNotify ```
Author
Owner

@Blacks-Army commented on GitHub (Aug 10, 2025):

For me it is not working... Same Error

<!-- gh-comment-id:3172793344 --> @Blacks-Army commented on GitHub (Aug 10, 2025): For me it is not working... Same Error
Author
Owner

@BlackDex commented on GitHub (Aug 10, 2025):

And you both are sure you did a docker pull or docker compose pull first?
What is the version running? Does it has the last commit tag currently in our main branch?

Also @Blacks-Army, do you still have those strange header errors? And did you fixed those warnings the diagnostics page reported?

<!-- gh-comment-id:3172799294 --> @BlackDex commented on GitHub (Aug 10, 2025): And you both are sure you did a `docker pull` or `docker compose pull` first? What is the version running? Does it has the last commit tag currently in our main branch? Also @Blacks-Army, do you still have those strange header errors? And did you fixed those warnings the diagnostics page reported?
Author
Owner

@Blacks-Army commented on GitHub (Aug 10, 2025):

Yes I did and I even checked the Digset

<!-- gh-comment-id:3172799793 --> @Blacks-Army commented on GitHub (Aug 10, 2025): Yes I did and I even checked the Digset
Author
Owner

@BlackDex commented on GitHub (Aug 10, 2025):

Also, i think that the issue regarding @IamTaoChen still is because of the backup key is being used in some way. And not the original key used, but I'm not 100% sure regarding that.

Then maybe @zUnixorn could rebase on main, and provide a working image maybe of his security > passkey changes?
That is then the only item i think could be the issue then.

But, at least Bitwarden Passkeys and macOS/iOS Passkeys work again without issues.

<!-- gh-comment-id:3172801126 --> @BlackDex commented on GitHub (Aug 10, 2025): Also, i think that the issue regarding @IamTaoChen still is because of the backup key is being used in some way. And not the original key used, but I'm not 100% sure regarding that. Then maybe @zUnixorn could rebase on main, and provide a working image maybe of his security > passkey changes? That is then the only item i think could be the issue then. But, at least Bitwarden Passkeys and macOS/iOS Passkeys work again without issues.
Author
Owner

@Blacks-Army commented on GitHub (Aug 10, 2025):

Also, i think that the issue regarding @IamTaoChen still is because of the backup key is being used in some way. And not the original key used, but I'm not 100% sure regarding that.

Then maybe @zUnixorn could rebase on main, and provide a working image maybe of his security > passkey changes?
That is then the only item i think could be the issue then.

But, at least Bitwarden Passkeys and macOS/iOS Passkeys work again without issues.

For me iOS and Bitwarden Passkeys didn't work... did you maybe add them on a freshly installed instance? I am doing a Upgrade and want to use my already saved passkeys.

<!-- gh-comment-id:3172808097 --> @Blacks-Army commented on GitHub (Aug 10, 2025): > Also, i think that the issue regarding @IamTaoChen still is because of the backup key is being used in some way. And not the original key used, but I'm not 100% sure regarding that. > > Then maybe @zUnixorn could rebase on main, and provide a working image maybe of his security > passkey changes? > That is then the only item i think could be the issue then. > > But, at least Bitwarden Passkeys and macOS/iOS Passkeys work again without issues. For me iOS and Bitwarden Passkeys didn't work... did you maybe add them on a freshly installed instance? I am doing a Upgrade and want to use my already saved passkeys.
Author
Owner

@BlackDex commented on GitHub (Aug 10, 2025):

Well they were migrated. But i can of course try that again.
But that will probably be tomorrow.

<!-- gh-comment-id:3172811376 --> @BlackDex commented on GitHub (Aug 10, 2025): Well they were migrated. But i can of course try that again. But that will probably be tomorrow.
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

Ok, I rebased and generated the docker images with the *_passkey_* methods based on alpine or debian:

  • docker pull ghcr.io/zunixorn/vaultwarden:testing-alpine
  • docker pull ghcr.io/zunixorn/vaultwarden:testing

Does the problem persist with these versions?

<!-- gh-comment-id:3173405353 --> @zUnixorn commented on GitHub (Aug 11, 2025): Ok, I rebased and generated the docker images with the `*_passkey_*` methods based on alpine or debian: * `docker pull ghcr.io/zunixorn/vaultwarden:testing-alpine` * `docker pull ghcr.io/zunixorn/vaultwarden:testing` Does the problem persist with these versions?
Author
Owner

@Blacks-Army commented on GitHub (Aug 11, 2025):

Not for me...

vaultwarden  | [2025-08-11 09:15:52.612][request][INFO] GET /api/devices/knowndevice
vaultwarden  | [2025-08-11 09:15:52.614][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden  | [2025-08-11 09:15:59.199][request][INFO] POST /identity/accounts/prelogin
vaultwarden  | [2025-08-11 09:15:59.200][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
vaultwarden  | [2025-08-11 09:15:59.723][request][INFO] POST /identity/connect/token
vaultwarden  | [2025-08-11 09:15:59.922][error][ERROR] 2FA token not provided
vaultwarden  | [2025-08-11 09:15:59.922][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
vaultwarden  | [2025-08-11 09:16:03.223][request][INFO] GET /api/accounts/revision-date
vaultwarden  | [2025-08-11 09:16:03.223][vaultwarden::auth][ERROR] Token has expired
vaultwarden  | [2025-08-11 09:16:03.223][auth][ERROR] Unauthorized Error: Invalid claim
vaultwarden  | [2025-08-11 09:16:03.223][vaultwarden::api::core::accounts::_][WARN] Request guard `Headers` failed: "Invalid claim".
vaultwarden  | [2025-08-11 09:16:03.223][response][INFO] (revision_date) GET /api/accounts/revision-date => 401 Unauthorized
vaultwarden  | [2025-08-11 09:16:03.231][request][INFO] POST /identity/connect/token
vaultwarden  | [2025-08-11 09:16:03.232][vaultwarden::auth][ERROR] Token is invalid
vaultwarden  | [2025-08-11 09:16:03.232][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid
vaultwarden  | [2025-08-11 09:16:03.232][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
vaultwarden  | [2025-08-11 09:16:03.270][request][INFO] POST /identity/connect/token
vaultwarden  | [2025-08-11 09:16:03.464][webauthn_rs_core::core][ERROR] Credential indicates it is backed up, but has not declared valid backup elligibility
vaultwarden  | [2025-08-11 09:16:03.464][error][ERROR] Webauthn.
vaultwarden  | [CAUSE] CredentialMayNotBeHardwareBound
vaultwarden  | [2025-08-11 09:16:03.464][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
<!-- gh-comment-id:3173550013 --> @Blacks-Army commented on GitHub (Aug 11, 2025): Not for me... ```yaml vaultwarden | [2025-08-11 09:15:52.612][request][INFO] GET /api/devices/knowndevice vaultwarden | [2025-08-11 09:15:52.614][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK vaultwarden | [2025-08-11 09:15:59.199][request][INFO] POST /identity/accounts/prelogin vaultwarden | [2025-08-11 09:15:59.200][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK vaultwarden | [2025-08-11 09:15:59.723][request][INFO] POST /identity/connect/token vaultwarden | [2025-08-11 09:15:59.922][error][ERROR] 2FA token not provided vaultwarden | [2025-08-11 09:15:59.922][response][INFO] (login) POST /identity/connect/token => 400 Bad Request vaultwarden | [2025-08-11 09:16:03.223][request][INFO] GET /api/accounts/revision-date vaultwarden | [2025-08-11 09:16:03.223][vaultwarden::auth][ERROR] Token has expired vaultwarden | [2025-08-11 09:16:03.223][auth][ERROR] Unauthorized Error: Invalid claim vaultwarden | [2025-08-11 09:16:03.223][vaultwarden::api::core::accounts::_][WARN] Request guard `Headers` failed: "Invalid claim". vaultwarden | [2025-08-11 09:16:03.223][response][INFO] (revision_date) GET /api/accounts/revision-date => 401 Unauthorized vaultwarden | [2025-08-11 09:16:03.231][request][INFO] POST /identity/connect/token vaultwarden | [2025-08-11 09:16:03.232][vaultwarden::auth][ERROR] Token is invalid vaultwarden | [2025-08-11 09:16:03.232][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid vaultwarden | [2025-08-11 09:16:03.232][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized vaultwarden | [2025-08-11 09:16:03.270][request][INFO] POST /identity/connect/token vaultwarden | [2025-08-11 09:16:03.464][webauthn_rs_core::core][ERROR] Credential indicates it is backed up, but has not declared valid backup elligibility vaultwarden | [2025-08-11 09:16:03.464][error][ERROR] Webauthn. vaultwarden | [CAUSE] CredentialMayNotBeHardwareBound vaultwarden | [2025-08-11 09:16:03.464][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ```
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

Now it does not fail with CredentialBackupElligibilityInconsistent but instead with CredentialMayNotBeHardwareBound so switching to the passkey methods did indeed fix that previous error. Since your passkey seems to have the backup_state set to true, but the migration defaults to false for backup_eligible, the webauthn crate doesn't allow you to verify with that passkey.

I updated the docker image to migrate the passkeys with backup_eligible explicitly set to true, I don't know if that's something that should be done, but if this fixes the problem, we at least know where the problem lies.

So if you update the image, the CredentialMayNotBeHardwareBound error hopefully goes away too.

<!-- gh-comment-id:3173819972 --> @zUnixorn commented on GitHub (Aug 11, 2025): Now it does not fail with `CredentialBackupElligibilityInconsistent` but instead with `CredentialMayNotBeHardwareBound` so switching to the passkey methods did indeed fix that previous error. Since your passkey seems to have the `backup_state` set to `true`, but the migration [defaults](https://docs.rs/webauthn-rs-core/latest/src/webauthn_rs_core/interface.rs.html#336) to `false` for `backup_eligible`, the webauthn crate doesn't allow you to verify with that passkey. I updated the docker image to migrate the passkeys with `backup_eligible` explicitly set to `true`, I don't know if that's something that should be done, but if this fixes the problem, we at least know where the problem lies. So if you update the image, the `CredentialMayNotBeHardwareBound` error hopefully goes away too.
Author
Owner

@Blacks-Army commented on GitHub (Aug 11, 2025):

It works now! Thanks!

<!-- gh-comment-id:3173847610 --> @Blacks-Army commented on GitHub (Aug 11, 2025): It works now! Thanks!
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

Thank you for testing this! Maybe this fixed @IamTaoChen's problem as well.

Now the question is, if it is desired to always migrate the old passkeys with backup_eligible set to true and using the *_passkey_* methods instead of *_securitykey_*. Since the webauthn 0.3 version didn't even check nor track this, I would think that allowing this wouldn't make this less secure then the v0.3 implementation, but I am not sure if this assumption is actually correct.

<!-- gh-comment-id:3173876017 --> @zUnixorn commented on GitHub (Aug 11, 2025): Thank you for testing this! Maybe this fixed @IamTaoChen's problem as well. ~~Now the question is, if it is desired to always migrate the old passkeys with `backup_eligible` set to `true` and using the `*_passkey_*` methods instead of `*_securitykey_*`. Since the webauthn 0.3 version didn't even check nor track this, I would think that allowing this wouldn't make this less secure then the v0.3 implementation, but I am not sure if this assumption is actually correct.~~
Author
Owner

@BlackDex commented on GitHub (Aug 11, 2025):

I would say, use passkeys, as that is also what Bitwarden calls it these days in the Security Settings of the user.

It would also help implementing the actual passkey login feature i guess, to not have multiple types of webauthn formats.
And, indeed, to stay compatible with the previous versions, i would say switch to *_passkey_*. If you can create a PR for that, then Ill do some tests my self too, and if ok, ill merge :).

<!-- gh-comment-id:3173939025 --> @BlackDex commented on GitHub (Aug 11, 2025): I would say, use passkeys, as that is also what Bitwarden calls it these days in the Security Settings of the user. It would also help implementing the actual passkey login feature i guess, to not have multiple types of webauthn formats. And, indeed, to stay compatible with the previous versions, i would say switch to `*_passkey_*`. If you can create a PR for that, then Ill do some tests my self too, and if ok, ill merge :).
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

I will create a PR for that later today. Should I also change the backup_eligible value (this field) like I did in my current branch or leave it and only change to the passkey methods?

<!-- gh-comment-id:3173996466 --> @zUnixorn commented on GitHub (Aug 11, 2025): I will create a PR for that later today. ~~Should I also change the `backup_eligible` value ([this field](https://docs.rs/webauthn-rs-core/0.5.2/webauthn_rs_core/proto/struct.CredentialV5.html#structfield.backup_eligible)) like I did in my current branch or leave it and only change to the passkey methods?~~
Author
Owner

@BlackDex commented on GitHub (Aug 11, 2025):

If I'm correct leaving that off and switch to passkeys should solve it right? Since passkeys has that enabled by default?

<!-- gh-comment-id:3174000963 --> @BlackDex commented on GitHub (Aug 11, 2025): If I'm correct leaving that off and switch to passkeys should solve it right? Since passkeys has that enabled by default?
Author
Owner

@Blacks-Army commented on GitHub (Aug 11, 2025):

No, by default it is false

<!-- gh-comment-id:3174057249 --> @Blacks-Army commented on GitHub (Aug 11, 2025): No, by default it is `false`
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

Ok after thinking about it, switching to passkeys should be enough. When I only applied that change, there was still CredentialMayNotBeHardwareBound thrown as an error. But after looking through the webauthn-rs code, this shouldn't happen if update_credential() is called, since it should update backup_eligible which would prevent CredentialMayNotBeHardwareBound from being thrown.

@Blacks-Army when you tested the first change that didn't work, did you try to authenticate multiple times or just once? I can't test it myself but I would think that it should only fail the first time but update backup_eligible. The second time it should work, because the value is set correctly then.

<!-- gh-comment-id:3174155355 --> @zUnixorn commented on GitHub (Aug 11, 2025): Ok after thinking about it, switching to passkeys should be enough. When I only applied that change, there was still `CredentialMayNotBeHardwareBound` thrown as an error. But after looking through the webauthn-rs code, this shouldn't happen if `update_credential()` is called, since it should update `backup_eligible` which would prevent `CredentialMayNotBeHardwareBound` from being thrown. @Blacks-Army when you tested the first change that didn't work, did you try to authenticate multiple times or just once? I can't test it myself but I would think that it should only fail the first time but update `backup_eligible`. The second time it should work, because the value is set correctly then.
Author
Owner

@Blacks-Army commented on GitHub (Aug 11, 2025):

I don't know anymore. I would need to test it again

<!-- gh-comment-id:3174162502 --> @Blacks-Army commented on GitHub (Aug 11, 2025): I don't know anymore. I would need to test it again
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

Ok, could you try this image again:

  • docker pull ghcr.io/zunixorn/vaultwarden@sha256:c6a9c574220ad650e7ee321366d3216b47d848651d2d5cb5ebf5ba674f5f4535

And then try to authenticate 2 times, the first time should fail but update the stored backup eligibility and the second time should hopefully work then.

<!-- gh-comment-id:3174185340 --> @zUnixorn commented on GitHub (Aug 11, 2025): Ok, could you try this image again: * `docker pull ghcr.io/zunixorn/vaultwarden@sha256:c6a9c574220ad650e7ee321366d3216b47d848651d2d5cb5ebf5ba674f5f4535` And then try to authenticate 2 times, the first time should fail but update the stored backup eligibility and the second time should hopefully work then.
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

If that's not the case the Credential doesn't get updated properly and then that should be fixed instead.

<!-- gh-comment-id:3174187836 --> @zUnixorn commented on GitHub (Aug 11, 2025): If that's not the case the Credential doesn't get updated properly and then that should be fixed instead.
Author
Owner

@Blacks-Army commented on GitHub (Aug 11, 2025):

Nope it does not work I am getting the same Error Message

<!-- gh-comment-id:3174208707 --> @Blacks-Army commented on GitHub (Aug 11, 2025): Nope it does not work I am getting the same Error Message
Author
Owner

@BlackDex commented on GitHub (Aug 11, 2025):

Hmm.. I'm not sure we should set it for all items as you currently do @zUnixorn.
My YubiKey for example has that set to false, which i would like to keep it that way. As that is a physical token and not software.

The *_passkey_* functions allow that boolean to be true. But, it doesn't force it to be true.
Setting everything to true, could cause a security issue i think.

<!-- gh-comment-id:3174254371 --> @BlackDex commented on GitHub (Aug 11, 2025): Hmm.. I'm not sure we should set it for all items as you currently do @zUnixorn. My YubiKey for example has that set to false, which i would like to keep it that way. As that is a physical token and not software. The `*_passkey_*` functions allow that boolean to be true. But, it doesn't force it to be true. Setting everything to true, could cause a security issue i think.
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

Yeah, that's not the correct way. But I think I know what the problem is now.

When allow_backup_eligible_upgrade the backup_eligible should be updated when update_credential() is called. This works when the backup_state is still false e.g. the Passkey wasn't backed up. Because in that case the Authentication doesn't throw an error which allows update_credential() to be called and since backup_eligible is now set to the correct value, future authentications even after the key was backed up e.g. backup_state is true, will work fine.

But if the key was already backed up before the migration, backup_state is already true, which fails the Authentication and therefore prevents updating the Credential, which would actually solve the problem.

I am not sure if this is intended or a bug, but I am thinking about opening an issue in webauthn-rs since migrating already backed up passkeys seems to be impossible with my current understanding of its implementation.

For Reference:

<!-- gh-comment-id:3174346151 --> @zUnixorn commented on GitHub (Aug 11, 2025): Yeah, that's not the correct way. But I think I know what the problem is now. When `allow_backup_eligible_upgrade` the `backup_eligible` should be updated when `update_credential()` is called. This works when the `backup_state` is still `false` e.g. the Passkey wasn't backed up. Because in that case the Authentication doesn't throw an error which allows `update_credential()` to be called and since `backup_eligible` is now set to the correct value, future authentications even after the key was backed up e.g. `backup_state` is `true`, will work fine. But if the key was already backed up before the migration, `backup_state` is already true, which fails the Authentication and therefore prevents updating the Credential, which would actually solve the problem. I am not sure if this is intended or a bug, but I am thinking about opening an issue in webauthn-rs since migrating already backed up passkeys seems to be impossible with my current understanding of its implementation. For Reference: * [finish_passkey_authentication()](https://docs.rs/webauthn-rs/0.5.2/src/webauthn_rs/lib.rs.html#717-723) calls the internal [authenticate_credential()](https://docs.rs/webauthn-rs/0.5.2/src/webauthn_rs/lib.rs.html#717-723) method. * But [authenticate_credential()](https://docs.rs/webauthn-rs/0.5.2/src/webauthn_rs/lib.rs.html#717-723) throws an error [here](https://docs.rs/webauthn-rs-core/latest/src/webauthn_rs_core/core.rs.html#893) if `backup_state` is true when `backup_eligible` wasn't updated, regardless of `allow_backup_eligible_upgrade`'s value. * But to update `backup_eligible`, [finish_passkey_authentication()](https://docs.rs/webauthn-rs/0.5.2/src/webauthn_rs/lib.rs.html#717-723) must succeed to get the updated [AuthenticationResult](https://docs.rs/webauthn-rs/latest/webauthn_rs/prelude/struct.AuthenticationResult.html) and use it to update the credential's `backup_eligible` with [update_credential()](https://docs.rs/webauthn-rs/0.5.2/webauthn_rs/prelude/struct.Passkey.html#method.update_credential)
Author
Owner

@BlackDex commented on GitHub (Aug 11, 2025):

The problem here is, that my Hardware token, a YubiKey5c, has it set to false. You arn't allowed to set true to false for this flag. From false to true is allowed.

Using your latest patched version breaks my YubiKey login, but all the others are working now.
The main problem here is the migration. It migrates all items without knowing the correct values.

The only way i see to fix this, is migrate per credential upon usage, and extract the correct values from the provided V5 layout.

<!-- gh-comment-id:3174446337 --> @BlackDex commented on GitHub (Aug 11, 2025): The problem here is, that my Hardware token, a YubiKey5c, has it set to false. You arn't allowed to set `true` to `false` for this flag. From `false` to `true` is allowed. Using your latest patched version breaks my YubiKey login, but all the others are working now. The main problem here is the migration. It migrates all items without knowing the correct values. The only way i see to fix this, is migrate per credential upon usage, and extract the correct values from the provided V5 layout.
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

I opened https://github.com/kanidm/webauthn-rs/issues/510, maybe I missed something but I am not sure how CredentialV3 is supposed to be migrated to CredentialV5 when the Passkey was backed up previously

<!-- gh-comment-id:3174449939 --> @zUnixorn commented on GitHub (Aug 11, 2025): I opened https://github.com/kanidm/webauthn-rs/issues/510, maybe I missed something but I am not sure how CredentialV3 is supposed to be migrated to CredentialV5 when the Passkey was backed up previously
Author
Owner

@zUnixorn commented on GitHub (Aug 11, 2025):

The problem here is, that my Hardware token, a YubiKey5c, has it set to false. You arn't allowed to set true to false for this flag. From false to true is allowed.

Using your latest patched version breaks my YubiKey login, but all the others are working now. The main problem here is the migration. It migrates all items without knowing the correct values.

Yes, that's my understanding as well.

The only way i see to fix this, is migrate per credential upon usage, and extract the correct values from the provided V5 layout.

Since the authenticator tells us what it expects to be the correct values, they could be set before authenticating to the correct ones, which would make this work correctly.

Normally this would be done automatically here, but because of the the "invalid state", it does not.

Unfortunately, manually setting the backup_eligible to the one provided by the authenticator upon first authentication would be quite hard since there would be some parsing to do without the help of the webauthn-rs crate. So this should ideally be possible to do in webauthn-rs itself for the purpose of migrating to the more extensive CredentialV5.

<!-- gh-comment-id:3174475326 --> @zUnixorn commented on GitHub (Aug 11, 2025): > The problem here is, that my Hardware token, a YubiKey5c, has it set to false. You arn't allowed to set `true` to `false` for this flag. From `false` to `true` is allowed. > > Using your latest patched version breaks my YubiKey login, but all the others are working now. The main problem here is the migration. It migrates all items without knowing the correct values. Yes, that's my understanding as well. > The only way i see to fix this, is migrate per credential upon usage, and extract the correct values from the provided V5 layout. Since the authenticator tells us what it expects to be the correct values, they could be set before authenticating to the correct ones, which would make this work correctly. Normally this would be done automatically [here](https://github.com/dani-garcia/vaultwarden/blob/main/src/api/core/two_factor/webauthn.rs#L441), but because of the the "invalid state", it does not. Unfortunately, manually setting the `backup_eligible` to the one provided by the authenticator upon first authentication would be quite hard since there would be some parsing to do without the help of the webauthn-rs crate. So this should ideally be possible to do in webauthn-rs itself for the purpose of migrating to the more extensive CredentialV5.
Author
Owner

@Blacks-Army commented on GitHub (Aug 11, 2025):

Could I use your image @zUnixorn then migrate the soft passkeys and then update to the latest vaultwarden/server image? That should work right?

<!-- gh-comment-id:3175238312 --> @Blacks-Army commented on GitHub (Aug 11, 2025): Could I use your image @zUnixorn then migrate the soft passkeys and then update to the latest vaultwarden/server image? That should work right?
Author
Owner

@BlackDex commented on GitHub (Aug 11, 2025):

Could I use your image @zUnixorn then migrate the soft passkeys and then update to the latest vaultwarden/server image? That should work right?

You could also manually modify the json. But keep in mind, hardware tokens will break with that image

<!-- gh-comment-id:3175250460 --> @BlackDex commented on GitHub (Aug 11, 2025): > Could I use your image [@zUnixorn](https://github.com/zUnixorn) then migrate the soft passkeys and then update to the latest vaultwarden/server image? That should work right? You could also manually modify the json. But keep in mind, hardware tokens will break with that image
Author
Owner

@Blacks-Army commented on GitHub (Aug 11, 2025):

No I mean I would migrate the soft passkeys with the image where it works (and don't touch the security keys) and then change it to the latest of this repo, that should work or not?

<!-- gh-comment-id:3175325932 --> @Blacks-Army commented on GitHub (Aug 11, 2025): No I mean I would migrate the soft passkeys with the image where it works (and don't touch the security keys) and then change it to the latest of this repo, that should work or not?
Author
Owner

@BlackDex commented on GitHub (Aug 11, 2025):

No I mean I would migrate the soft passkeys with the image where it works (and don't touch the security keys) and then change it to the latest of this repo, that should work or not?

And how do you prevent the hardware keys from being touched then? All are migrated in one go.

<!-- gh-comment-id:3175353005 --> @BlackDex commented on GitHub (Aug 11, 2025): > No I mean I would migrate the soft passkeys with the image where it works (and don't touch the security keys) and then change it to the latest of this repo, that should work or not? And how do you prevent the hardware keys from being touched then? All are migrated in one go.
Author
Owner

@Blacks-Army commented on GitHub (Aug 11, 2025):

No I mean I would migrate the soft passkeys with the image where it works (and don't touch the security keys) and then change it to the latest of this repo, that should work or not?

And how do you prevent the hardware keys from being touched then? All are migrated in one go.

Ahh okay, didn't know that.

<!-- gh-comment-id:3175357641 --> @Blacks-Army commented on GitHub (Aug 11, 2025): > > No I mean I would migrate the soft passkeys with the image where it works (and don't touch the security keys) and then change it to the latest of this repo, that should work or not? > > And how do you prevent the hardware keys from being touched then? All are migrated in one go. Ahh okay, didn't know that.
Author
Owner

@Firstyear commented on GitHub (Aug 13, 2025):

I'm not sure what v0.3.2 was using as it's base verification policy, which we should try to not change i think.

But Bitwarden did renamed the MFA option from WebauthN/FIDO to Passkeys. While I'm of course for more security, it might make it more difficult for users to use the same WebauthN on both there iOS device and macOS. Or maybe an Android device which was transferred, of that modifies something maybe, or possibly at all.

I might check what the different outcome will be between the two options.

I opened kanidm/webauthn-rs#510, maybe I missed something but I am not sure how CredentialV3 is supposed to be migrated to CredentialV5 when the Passkey was backed up previously

Both of these are kind of symptomatic of the issue, which was the webauthn wg and fido completely rewriting the rules underneath everyone. We went from a standard that was "hardware bound, touch only" to now having software authenticators that lie about their capabilities, authenticators that move between places, pretty much forced PIV/biometrics on many authenticators and more. There is so much confusion about this topic, and even just to highlight how confusing it is, there are 5 different definitions of what a passkey is!!!

And that's a big problem, because we wrote webauthn-rs at a time when we started with the first (hardware only single factors, maybe you had a PIN if you were hardcore). And then we've had to adapt and change as we go, trying to understand what the threats/risks were and wrap up them nicely so that people can have nice safe interfaces that "just work". We've always tried to model the library around "user experiences and workflows" and we've been forced to change those flows as webauthn has become messier and more confusing, and even undermined their own original workflows.

So at the time when we wrote the v3 -> v5 credential layout migration, there were no roaming authenticators, so we made an assumption of "well, nothing was backup eligible, default to false". But it's now what 3 or so years since then, and now when you do that migration that assumption is no longer true. There are so many roaming authenticators out there (even vaultwarden!) that we can't make that assumption.

Anyway, I made a PR to hopefully resolve this for you which assumes every authenticator was backup eligible by default. I do not believe this undermines anything for you. But I will caution and warn you that the issue now with how passkeys work is that they require userVerification, they are no longer just a touch and move on. You must enter a PIN or some other form of UV. This means older u2f style keys will fail to work in future where you expect just to touch and proceed.

<!-- gh-comment-id:3182028490 --> @Firstyear commented on GitHub (Aug 13, 2025): > I'm not sure what v0.3.2 was using as it's base verification policy, which we should try to not change i think. > > But Bitwarden did renamed the MFA option from WebauthN/FIDO to Passkeys. While I'm of course for more security, it might make it more difficult for users to use the same WebauthN on both there iOS device and macOS. Or maybe an Android device which was transferred, of that modifies something maybe, or possibly at all. > > I might check what the different outcome will be between the two options. > I opened [kanidm/webauthn-rs#510](https://github.com/kanidm/webauthn-rs/issues/510), maybe I missed something but I am not sure how CredentialV3 is supposed to be migrated to CredentialV5 when the Passkey was backed up previously Both of these are kind of symptomatic of the issue, which was the webauthn wg and fido completely rewriting the rules underneath everyone. We went from a standard that was "hardware bound, touch only" to now having software authenticators that lie about their capabilities, authenticators that move between places, pretty much forced PIV/biometrics on many authenticators and more. There is so much confusion about this topic, and even just to highlight how confusing it is, there are 5 different definitions of what a passkey is!!! And that's a big problem, because we wrote webauthn-rs at a time when we started with the first (hardware only single factors, maybe you had a PIN if you were hardcore). And then we've had to adapt and change as we go, trying to understand what the threats/risks were and wrap up them nicely so that people can have nice safe interfaces that "just work". We've always tried to model the library around "user experiences and workflows" and we've been forced to change those flows as webauthn has become messier and more confusing, and even undermined their own original workflows. So at the time when we wrote the v3 -> v5 credential layout migration, there were no roaming authenticators, so we made an assumption of "well, nothing was backup eligible, default to false". But it's now what 3 or so years since then, and now when you do that migration that assumption is no longer true. There are so many roaming authenticators out there (even vaultwarden!) that we can't make that assumption. Anyway, I made a PR to hopefully resolve this for you which assumes every authenticator was backup eligible by default. I do not believe this undermines anything for you. But I will caution and warn you that the issue now with how passkeys work is that they require userVerification, they are no longer just a touch and move on. You must enter a PIN or some other form of UV. This means older u2f style keys will fail to work in future where you expect just to touch and proceed.
Author
Owner

@BlackDex commented on GitHub (Aug 16, 2025):

I think i have tackled this issue now.
With some voodoo done during the response and verification Software/Passkeys should now work without issues after a migration. If you already migrated before, this should still fix those issues, as nothing is changed on how the migration converted the v3 to the v5 credentials.

<!-- gh-comment-id:3193806658 --> @BlackDex commented on GitHub (Aug 16, 2025): I think i have tackled this issue now. With some voodoo done during the response and verification Software/Passkeys should now work without issues after a migration. If you already migrated before, this should still fix those issues, as nothing is changed on how the migration converted the v3 to the v5 credentials.
Author
Owner

@Blacks-Army commented on GitHub (Aug 18, 2025):

I have just reregistered all PassKeys it works now

<!-- gh-comment-id:3196374291 --> @Blacks-Army commented on GitHub (Aug 18, 2025): I have just reregistered all PassKeys it works now
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#29846