[GH-ISSUE #7416] 2FA "Remember Me" option ignored when logging in via SSO identifier URL (/sso?identifier=...) #35653

Closed
opened 2026-07-13 20:29:14 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @netzdvt on GitHub (Jul 13, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7416

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.36.0
  • Web-vault version: v2026.2.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 15.17 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-14), 64-bit
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (x-forwarded-for)
  • Internet access: false
  • Internet access via a proxy: true
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ORG_CREATION_USERS, INVITATIONS_ALLOWED, ADMIN_TOKEN, IP_HEADER, SSO_ENABLED, SSO_SIGNUPS_MATCH_EMAIL, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SSO_MASTER_PASSWORD_POLICY, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 10,
  "admin_ratelimit_seconds": 60,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/opt/vaultwarden/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/opt/vaultwarden",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "**********://*************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": true,
  "dns_prefer_ipv6": false,
  "domain": "*****://*****************",
  "domain_origin": "*****://*****************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/opt/vaultwarden/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 0,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "x-forwarded-for",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 50,
  "login_ratelimit_seconds": 10,
  "org_attachment_limit": null,
  "org_creation_users": "***********************",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/opt/vaultwarden/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/opt/vaultwarden/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "***********",
  "smtp_host": "**********************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": true,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": true,
  "sso_authority": "*****://*****************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://**********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": "{\"minComplexity\":3,\"minLength\":12,\"requireLower\":true,\"requireNumbers\":true,\"requireSpecial\":false,\"requireUpper\":true}",
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "profile offline_access",
  "sso_signups_match_email": false,
  "templates_folder": "/templates",
  "tmp_folder": "/opt/vaultwarden/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": true,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

### Vaultwarden Build Version

1.36.0

### Deployment method

Build from source

### Custom deployment method

_No response_

### Reverse Proxy

-

### Host/Server Operating System

Linux

### Operating System Version

Vaultwarden's Dockerfile.debian

### Clients

Web Vault

### Client Version

2026.2.0

### Steps To Reproduce

1. Set SSO_ONLY=true and DISABLE_2FA_REMEMBER=false.
2. Access the vault directly via https://<vault-url>/#/sso?identifier=00000000-01DC-01DC-01DC-00000000000
3. Authenticate via SSO.
4. When prompted for 2FA, check the box "Don't ask again on this device for 30 days" and complete the 2FA.
5.  Log out or clear the session, then access the exact same URL again.

### Expected Result

If DISABLE_2FA_REMEMBER is false, the vault should respect the saved device cookie/token and log the user in without requiring a 2FA prompt for 30 days, even when using the direct SSO identifier URL.

### Actual Result

You are prompted for 2FA again, ignoring the previously saved device state.

### Logs

```text
[2026-07-13 05:49:31.063][request][INFO] POST /identity/connect/token
[2026-07-13 05:49:31.206][error][ERROR] 2FA token not provided
[2026-07-13 05:49:31.206][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Screenshots or Videos

No response

Additional Context

We have configured Vaultwarden with SSO_ONLY=true and DISABLE_2FA_REMEMBER=false (allowing users to remember 2FA on their devices).

We allow our users to log in directly via the SSO URL by providing the identifier, bypassing the email input step:
https://our-vault/#/sso?identifier=00000000-01DC-01DC-01DC-00000000000

The Issue:
Even if users check the "Don't ask again on this device for 30 days" checkbox during the 2FA prompt, the setting is completely ignored. Users are forced to provide their 2FA token on every single login attempt via this URL.

It seems that during this specific direct SSO routing, Vaultwarden bypasses checking the "remember me" device cookie/token and immediately expects the 2FA token.

Originally created by @netzdvt on GitHub (Jul 13, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7416 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.36.0 * Web-vault version: v2026.2.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 15.17 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-14), 64-bit * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (x-forwarded-for) * Internet access: false * Internet access via a proxy: true * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: n/a * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ORG_CREATION_USERS, INVITATIONS_ALLOWED, ADMIN_TOKEN, IP_HEADER, SSO_ENABLED, SSO_SIGNUPS_MATCH_EMAIL, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SSO_MASTER_PASSWORD_POLICY, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": false, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 10, "admin_ratelimit_seconds": 60, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "/opt/vaultwarden/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "/opt/vaultwarden", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "**********://*************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": true, "dns_prefer_ipv6": false, "domain": "*****://*****************", "domain_origin": "*****://*****************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": false, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "/opt/vaultwarden/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 0, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "x-forwarded-for", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 50, "login_ratelimit_seconds": 10, "org_attachment_limit": null, "org_creation_users": "***********************", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "/opt/vaultwarden/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "/opt/vaultwarden/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***********************", "smtp_from_name": "***********", "smtp_host": "**********************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": true, "sso_audience_trusted": null, "sso_auth_only_not_session": true, "sso_authority": "*****://*****************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://**********************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": "{\"minComplexity\":3,\"minLength\":12,\"requireLower\":true,\"requireNumbers\":true,\"requireSpecial\":false,\"requireUpper\":true}", "sso_only": true, "sso_pkce": true, "sso_scopes": "profile offline_access", "sso_signups_match_email": false, "templates_folder": "/templates", "tmp_folder": "/opt/vaultwarden/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": true, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ### Vaultwarden Build Version 1.36.0 ### Deployment method Build from source ### Custom deployment method _No response_ ### Reverse Proxy - ### Host/Server Operating System Linux ### Operating System Version Vaultwarden's Dockerfile.debian ### Clients Web Vault ### Client Version 2026.2.0 ### Steps To Reproduce 1. Set SSO_ONLY=true and DISABLE_2FA_REMEMBER=false. 2. Access the vault directly via https://<vault-url>/#/sso?identifier=00000000-01DC-01DC-01DC-00000000000 3. Authenticate via SSO. 4. When prompted for 2FA, check the box "Don't ask again on this device for 30 days" and complete the 2FA. 5. Log out or clear the session, then access the exact same URL again. ### Expected Result If DISABLE_2FA_REMEMBER is false, the vault should respect the saved device cookie/token and log the user in without requiring a 2FA prompt for 30 days, even when using the direct SSO identifier URL. ### Actual Result You are prompted for 2FA again, ignoring the previously saved device state. ### Logs ```text [2026-07-13 05:49:31.063][request][INFO] POST /identity/connect/token [2026-07-13 05:49:31.206][error][ERROR] 2FA token not provided [2026-07-13 05:49:31.206][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ``` ### Screenshots or Videos _No response_ ### Additional Context We have configured Vaultwarden with SSO_ONLY=true and DISABLE_2FA_REMEMBER=false (allowing users to remember 2FA on their devices). We allow our users to log in directly via the SSO URL by providing the identifier, bypassing the email input step: https://our-vault/#/sso?identifier=00000000-01DC-01DC-01DC-00000000000 The Issue: Even if users check the "Don't ask again on this device for 30 days" checkbox during the 2FA prompt, the setting is completely ignored. Users are forced to provide their 2FA token on every single login attempt via this URL. It seems that during this specific direct SSO routing, Vaultwarden bypasses checking the "remember me" device cookie/token and immediately expects the 2FA token.
GiteaMirror added the bug label 2026-07-13 20:29:14 -05:00
Author
Owner

@stefan0xC commented on GitHub (Jul 13, 2026):

That is a client-side issue / known limitiation because you don't enter a email address as discussed here https://github.com/dani-garcia/vaultwarden/issues/6191#issuecomment-3721330934

<!-- gh-comment-id:4957207392 --> @stefan0xC commented on GitHub (Jul 13, 2026): That is a client-side issue / known limitiation because you don't enter a email address as discussed here https://github.com/dani-garcia/vaultwarden/issues/6191#issuecomment-3721330934
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#35653