[GH-ISSUE #7372] Blank Screen on SSO Login #35642

Closed
opened 2026-07-13 20:28:51 -05:00 by GiteaMirror · 6 comments
Owner

Originally created by @lucasdina on GitHub (Jun 24, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7372

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.36.0
  • Web-vault version: v2026.4.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.51.3
  • Uses config.json: false
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: false
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://*********",
  "domain_origin": "*****://*********",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "************",
  "smtp_from_name": "***********",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://***********",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://**************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "***********",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "profile email offline_access vaultwarden openid",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.36.0

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginxproxymanager 2.15.1

Host/Server Operating System

Linux

Operating System Version

Linux Mint 22.3

Clients

Android

Client Version

2026.5.1

Steps To Reproduce

Open Bitwarden Android app
Select Log in with SSO / OIDC
Enter self-hosted Vaultwarden server URL
Redirect to Authelia login page
Observe black screen where login UI should be rendered

Expected Result

User should see the authelia log in page.

Actual Result

The URL is correct but the page renders nothing.

Logs

06/23/2026, 09:22:34 PM
STDOUT
[2026-06-24 03:22:34.003][request][INFO] GET /identity/sso/prevalidate?domainHint=none
06/23/2026, 09:22:34 PM
STDOUT
[2026-06-24 03:22:34.005][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
06/23/2026, 09:22:34 PM
STDOUT
[2026-06-24 03:22:34.124][request][INFO] GET /identity/connect/authorize?client_id=mobile&redirect_uri=
06/23/2026, 09:22:34 PM
STDOUT
[2026-06-24 03:22:34.153][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect

Screenshots or Videos

No response

Additional Context

When using bitwarden mobile (android), I enter the url for my vaultwarden then select the sso login. Im taken to a blank screen. If I plug my phone into my computer and view the browser tab via the debugger, it renders properly. sso isnt an issue in the browser or the plugin, only mobile. via debug mode, im able to log into authelia and am prompted to enter my master password, then I have access. Ive tried adding "proxy_hide_header X-Frame-Options;" to nginx in case the issue was that the authelia page was embedded but I get the same result. Ill include the rest of my nginx config below.

`location / {
set $upstream_authelia http://x.x.x.y:9091; # This example assumes a Docker deployment
proxy_pass $upstream_authelia;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

Advanced Proxy Config

send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;

Basic Proxy Config

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;

set_real_ip_from x.x.x.x/16;
real_ip_header CF-Connecting-IP;
real_ip_recursive on;

proxy_hide_header X-Frame-Options;
}`

Originally created by @lucasdina on GitHub (Jun 24, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7372 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.36.0 * Web-vault version: v2026.4.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.51.3 * Uses config.json: false * Uses a reverse proxy: false * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: false * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://*********", "domain_origin": "*****://*********", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************", "smtp_from_name": "***********", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://***********", "sso_authorize_extra_params": "", "sso_callback_path": "*****://**************************************", "sso_client_cache_expiration": 0, "sso_client_id": "***********", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "profile email offline_access vaultwarden openid", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.36.0 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginxproxymanager 2.15.1 ### Host/Server Operating System Linux ### Operating System Version Linux Mint 22.3 ### Clients Android ### Client Version 2026.5.1 ### Steps To Reproduce Open Bitwarden Android app Select Log in with SSO / OIDC Enter self-hosted Vaultwarden server URL Redirect to Authelia login page Observe black screen where login UI should be rendered ### Expected Result User should see the authelia log in page. ### Actual Result The URL is correct but the page renders nothing. ### Logs ```text 06/23/2026, 09:22:34 PM STDOUT [2026-06-24 03:22:34.003][request][INFO] GET /identity/sso/prevalidate?domainHint=none 06/23/2026, 09:22:34 PM STDOUT [2026-06-24 03:22:34.005][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK 06/23/2026, 09:22:34 PM STDOUT [2026-06-24 03:22:34.124][request][INFO] GET /identity/connect/authorize?client_id=mobile&redirect_uri= 06/23/2026, 09:22:34 PM STDOUT [2026-06-24 03:22:34.153][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect ``` ### Screenshots or Videos _No response_ ### Additional Context When using bitwarden mobile (android), I enter the url for my vaultwarden then select the sso login. Im taken to a blank screen. If I plug my phone into my computer and view the browser tab via the debugger, it renders properly. sso isnt an issue in the browser or the plugin, only mobile. via debug mode, im able to log into authelia and am prompted to enter my master password, then I have access. Ive tried adding "proxy_hide_header X-Frame-Options;" to nginx in case the issue was that the authelia page was embedded but I get the same result. Ill include the rest of my nginx config below. `location / { set $upstream_authelia http://x.x.x.y:9091; # This example assumes a Docker deployment proxy_pass $upstream_authelia; client_body_buffer_size 128k; #Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Advanced Proxy Config send_timeout 5m; proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; # Basic Proxy Config proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Uri $request_uri; proxy_set_header X-Forwarded-Ssl on; proxy_redirect http:// $scheme://; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 64 256k; set_real_ip_from x.x.x.x/16; real_ip_header CF-Connecting-IP; real_ip_recursive on; proxy_hide_header X-Frame-Options; }`
GiteaMirror added the bug label 2026-07-13 20:28:51 -05:00
Author
Owner

@stefan0xC commented on GitHub (Jun 24, 2026):

Why do you think that this is a bug in Vaultwarden?

<!-- gh-comment-id:4786070175 --> @stefan0xC commented on GitHub (Jun 24, 2026): Why do you think that this is a bug in Vaultwarden?
Author
Owner

@lucasdina commented on GitHub (Jun 24, 2026):

@stefan0xC I don't think its 100% vaultwarden but the bitwarden guys sent me here. Apparently they wont touch the bug because my back end is vault warden. Here's the bug I opened on their side:
https://github.com/bitwarden/android/issues/7094

<!-- gh-comment-id:4786086418 --> @lucasdina commented on GitHub (Jun 24, 2026): @stefan0xC I don't think its 100% vaultwarden but the bitwarden guys sent me here. Apparently they wont touch the bug because my back end is vault warden. Here's the bug I opened on their side: https://github.com/bitwarden/android/issues/7094
Author
Owner

@stefan0xC commented on GitHub (Jun 24, 2026):

Why do you think that it is a bug at all? I see a Domain Configuration Check: false for example, which hints to me that you did not configure your instance correctly. Now I am not sure if that is responsible for the black screen on your Android but if the redirect works it seems more likely to be an issue with your Android? Can you try to enable the flight recorder as described in the Android troubleshooting guide?

<!-- gh-comment-id:4786114732 --> @stefan0xC commented on GitHub (Jun 24, 2026): Why do you think that it is a bug at all? I see a `Domain Configuration Check: false` for example, which hints to me that you did not configure your instance correctly. Now I am not sure if that is responsible for the black screen on your Android but if the redirect works it seems more likely to be an issue with your Android? Can you try to enable the flight recorder as described in the [Android troubleshooting guide](https://github.com/dani-garcia/vaultwarden/wiki/Bitwarden-Android-troubleshooting)?
Author
Owner

@lucasdina commented on GitHub (Jun 24, 2026):

I think its a bug because I haven't changed my config in about a year now. Its been very stable and I've been happy with it. I need to log off for the night but I'll try the domain config check property tomorrow as well as the android flight recorder. Just a note, on my android, if i try to log in via web, sso works perfectly. The issue is only via the mobile app plus sso. Thank you for the responses as well.

<!-- gh-comment-id:4786160419 --> @lucasdina commented on GitHub (Jun 24, 2026): I think its a bug because I haven't changed my config in about a year now. Its been very stable and I've been happy with it. I need to log off for the night but I'll try the domain config check property tomorrow as well as the android flight recorder. Just a note, on my android, if i try to log in via web, sso works perfectly. The issue is only via the mobile app plus sso. Thank you for the responses as well.
Author
Owner

@stefan0xC commented on GitHub (Jun 24, 2026):

Well, given your description and that it works for other clients I think the same argument would apply for Vaultwarden and it would have to be a bug in either the Bitwarden Android app or the WebView (your Android version, default browser, something else the Flight Recorder or an adb session might give more clues) or your configuration.

<!-- gh-comment-id:4786213640 --> @stefan0xC commented on GitHub (Jun 24, 2026): Well, given your description and that it works for other clients I think the same argument would apply for Vaultwarden and it would have to be a bug in either the Bitwarden Android app or the WebView (your Android version, default browser, something else the Flight Recorder or an adb session might give more clues) or your configuration.
Author
Owner

@BlackDex commented on GitHub (Jun 24, 2026):

I also see that the diagnostics doesn't see the IP header. So either something is wrong with your reverse proxy, or you accessed the admin backend via a different route, like direct IP or something.

<!-- gh-comment-id:4786266179 --> @BlackDex commented on GitHub (Jun 24, 2026): I also see that the diagnostics doesn't see the IP header. So either something is wrong with your reverse proxy, or you accessed the admin backend via a different route, like direct IP or something.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#35642