[GH-ISSUE #7054] Cookie Redirect endpoint does not exist (for Cloudflare Zero) #35551

Closed
opened 2026-07-13 20:22:39 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @dimaguy on GitHub (Apr 6, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7054

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.35.4
  • Web-vault version: v2026.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://************************",
  "domain_origin": "*****://************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "***********",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*****************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.4

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

N/A

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04.4

Clients

Android

Client Version

Bitwarden 2026.3.0

Steps To Reproduce

  1. Configure zero trust access to require AD login
  2. Fresh login and Select login endpoint to selfhosted url
  3. Follow the apps' request to sync via browser https://vaultwarden.example.com/proxy-cookie-redirect-connector.html
  4. Hit a 404 in the web interface

Expected Result

Expected browser auth to succeed

Actual Result

Stacktrace:
com.bitwarden.network.exception.CookieRedirectException: Your request was interrupted because the app needed to re-authenticate. Please try again.
com.bitwarden.network.interceptor.CookieInterceptor.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:118)
zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105)
yv.a.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:128)
zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105)
wv.a.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:566)
zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105)
eo.a.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:574)
zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105)
eo.a.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:218)
zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105)
kw.b.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:577)
zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105)
com.bitwarden.network.interceptor.BaseUrlInterceptor.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:39)
zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105)
com.bitwarden.network.interceptor.HeadersInterceptor.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:45)
zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105)
yv.m.f(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:85)
yv.j.run(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:42)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1154)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:652)
java.lang.Thread.run(Thread.java:1564)

Version: 2026.3.0 (21345)
Device: 📱 samsung SM-G781B 🤖 13@33 📦 prod
CI: 🧱 commit: bitwarden/android/release/2026.3-rc48@d8a9c596b27c9a68b63304d49784117bbebc6683
💻 build source: bitwarden/android/actions/runs/23011287575/attempts/1

Logs


Screenshots or Videos

No response

Additional Context

No response

Originally created by @dimaguy on GitHub (Apr 6, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7054 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.4 * Web-vault version: v2026.1.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://************************", "domain_origin": "*****://************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Forwarded-For", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "***********", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*****************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": false, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.4 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy N/A ### Host/Server Operating System Linux ### Operating System Version Ubuntu 24.04.4 ### Clients Android ### Client Version Bitwarden 2026.3.0 ### Steps To Reproduce 1. Configure zero trust access to require AD login 2. Fresh login and Select login endpoint to selfhosted url 4. Follow the apps' request to sync via browser https://vaultwarden.example.com/proxy-cookie-redirect-connector.html 5. Hit a 404 in the web interface ### Expected Result Expected browser auth to succeed ### Actual Result Stacktrace: com.bitwarden.network.exception.CookieRedirectException: Your request was interrupted because the app needed to re-authenticate. Please try again. com.bitwarden.network.interceptor.CookieInterceptor.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:118) zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105) yv.a.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:128) zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105) wv.a.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:566) zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105) eo.a.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:574) zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105) eo.a.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:218) zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105) kw.b.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:577) zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105) com.bitwarden.network.interceptor.BaseUrlInterceptor.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:39) zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105) com.bitwarden.network.interceptor.HeadersInterceptor.intercept(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:45) zv.g.b(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:105) yv.m.f(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:85) yv.j.run(r8-map-id-e93b2bd1d22df96ce775942f411adf47c5467a0290a6d1f67ff229ec6b206cd8:42) java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1154) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:652) java.lang.Thread.run(Thread.java:1564) Version: 2026.3.0 (21345) Device: 📱 samsung SM-G781B 🤖 13@33 📦 prod CI: 🧱 commit: bitwarden/android/release/2026.3-rc48@d8a9c596b27c9a68b63304d49784117bbebc6683 💻 build source: bitwarden/android/actions/runs/23011287575/attempts/1 ### Logs ```text ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_
GiteaMirror added the bug label 2026-07-13 20:22:39 -05:00
Author
Owner

@dani-garcia commented on GitHub (Apr 6, 2026):

I don't believe the apps have ever worked behind an authenticated proxy like that, did that work for you before? The error you're hitting is because the proxy is returning an HTTP 302 error (probably to redirect you to the auth page?). I think the apps are trying to handle that better but that feature is not finished or meant to be used yet.

<!-- gh-comment-id:4192024885 --> @dani-garcia commented on GitHub (Apr 6, 2026): I don't believe the apps have ever worked behind an authenticated proxy like that, did that work for you before? The error you're hitting is because the proxy is returning an HTTP 302 error (probably to redirect you to the auth page?). I think the apps are trying to handle that better but that feature is not finished or meant to be used yet.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#35551