[GH-ISSUE #7387] FIDO2/WebAuthn passkey registration fails with DOMException across multiple browsers, OSes, and a fully fixed reverse proxy setup #35648

Closed
opened 2026-07-13 20:29:06 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @RNZB on GitHub (Jun 30, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7387

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.36.0
  • Web-vault version: v2026.4.1
  • OS/Arch: linux/aarch64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.51.3
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://******************************",
  "domain_origin": "*****://******************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 5,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "****************************",
  "smtp_from_name": "***********",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "****************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://***********************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.36.0

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Traefik 3.3.7

Host/Server Operating System

Linux

Operating System Version

Raspberry Pi OS (Debian-based), linux/aarch64

Clients

Web Vault

Client Version

Web-Vault 2026.4.1

Steps To Reproduce

  1. Log into Vaultwarden web vault
  2. Go to Settings → Security → Two-step login
  3. Click "Passkey" → "Read key"
  4. Browser does not prompt to touch the security key; on macOS it goes straight to a PIN prompt and rejects an independently-verified-correct PIN
  5. Console shows: DOMException: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.
  6. Network tab confirms /two-factor/get-webauthn and /two-factor/get-webauthn-challenge both return 200 OK with valid payloads before the exception fires — failure appears to be client-side in the navigator.credentials.create() call itself
  7. Same YubiKey registers and authenticates without issue on a separate self-hosted WebAuthn relying party (Authentik) using the same machines/browsers, and works fine on other WebAuthn sites (e.g. GitHub)

Expected Result

After clicking "Read key," the browser should prompt to touch the security key, then complete FIDO2 passkey registration successfully, the same way it does on Authentik and other WebAuthn-enabled sites with this same key.

Actual Result

Registration fails immediately with: DOMException: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.

On macOS, the browser skips the expected "touch your key" prompt entirely and goes straight to a PIN prompt, which then incorrectly reports the PIN as wrong even though it's independently verified as correct via ykman.

On Windows, registration appears to "succeed," but subsequent login then hangs indefinitely on a spinning loading icon.

This has already been extensively debugged to rule out reverse proxy/config causes — WebSocket routing and security header issues (both confirmed real, separate problems) were found and fixed along the way, and Vaultwarden's own /admin/diagnostics page now reports a fully clean HTTP Response validation. Despite this, the WebAuthn registration failure persists identically across three browser engines (Firefox-based, WebKit, Chromium-based) and two OSes.

Other users have reported what looks like the same symptom specifically on Vaultwarden's own web vault while passkeys work fine elsewhere for them:

Happy to provide further logs, HAR captures, or test against a vanilla non-proxied instance if that would help isolate this further.

Logs

No Vaultwarden server-side logs were generated during the failed registration attempt (checked via `docker logs vaultwarden --since 2m | grep -i "webauthn|two-factor|2fa"`), consistent with the failure happening client-side in the browser's navigator.credentials.create() call before any meaningful request reaches the server.

Screenshots or Videos

No response

Additional Context

No response

Originally created by @RNZB on GitHub (Jun 30, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7387 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.36.0 * Web-vault version: v2026.4.1 * OS/Arch: linux/aarch64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.51.3 * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://******************************", "domain_origin": "*****://******************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 5, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": "Login", "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "****************************", "smtp_from_name": "***********", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "****************************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "", "sso_authorize_extra_params": "", "sso_callback_path": "*****://***********************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": false, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.36.0 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Traefik 3.3.7 ### Host/Server Operating System Linux ### Operating System Version Raspberry Pi OS (Debian-based), linux/aarch64 ### Clients Web Vault ### Client Version Web-Vault 2026.4.1 ### Steps To Reproduce 1. Log into Vaultwarden web vault 2. Go to Settings → Security → Two-step login 3. Click "Passkey" → "Read key" 4. Browser does not prompt to touch the security key; on macOS it goes straight to a PIN prompt and rejects an independently-verified-correct PIN 5. Console shows: DOMException: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. 6. Network tab confirms /two-factor/get-webauthn and /two-factor/get-webauthn-challenge both return 200 OK with valid payloads before the exception fires — failure appears to be client-side in the navigator.credentials.create() call itself 7. Same YubiKey registers and authenticates without issue on a separate self-hosted WebAuthn relying party (Authentik) using the same machines/browsers, and works fine on other WebAuthn sites (e.g. GitHub) ### Expected Result After clicking "Read key," the browser should prompt to touch the security key, then complete FIDO2 passkey registration successfully, the same way it does on Authentik and other WebAuthn-enabled sites with this same key. ### Actual Result Registration fails immediately with: DOMException: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. On macOS, the browser skips the expected "touch your key" prompt entirely and goes straight to a PIN prompt, which then incorrectly reports the PIN as wrong even though it's independently verified as correct via ykman. On Windows, registration appears to "succeed," but subsequent login then hangs indefinitely on a spinning loading icon. This has already been extensively debugged to rule out reverse proxy/config causes — WebSocket routing and security header issues (both confirmed real, separate problems) were found and fixed along the way, and Vaultwarden's own /admin/diagnostics page now reports a fully clean HTTP Response validation. Despite this, the WebAuthn registration failure persists identically across three browser engines (Firefox-based, WebKit, Chromium-based) and two OSes. Other users have reported what looks like the same symptom specifically on Vaultwarden's own web vault while passkeys work fine elsewhere for them: - https://vaultwarden.discourse.group/t/vaultwarden-and-passkey/4937 - https://vaultwarden.discourse.group/t/cannot-add-or-login-with-passkey/4762 - https://github.com/dani-garcia/vaultwarden/discussions/6901 - https://meta.discourse.org/t/issues-using-passkeys-with-vaultwarden/294865 Happy to provide further logs, HAR captures, or test against a vanilla non-proxied instance if that would help isolate this further. ### Logs ```text No Vaultwarden server-side logs were generated during the failed registration attempt (checked via `docker logs vaultwarden --since 2m | grep -i "webauthn|two-factor|2fa"`), consistent with the failure happening client-side in the browser's navigator.credentials.create() call before any meaningful request reaches the server. ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_
GiteaMirror added the bug label 2026-07-13 20:29:06 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#35648