Can't use FIDO/WebAuthn with desktop app or extension (but works OK for web vault)

Hi, just wondering if this is a limitation/bug of Vaultwarden, or if I have a setting wrong somewhere, or if I need to raise this with Bitwarden's support?

Running the latest 1.27 (docker vaultwarden:latest)
Vaultwarden (unofficial Bitwarden® server)
Version 2022.12.0
Brave browser with extension version 2023.1.0

I've recently enabled the use of 2 x YubiKey Bio keys, and this works perfectly as expected for web vault logins.

However, for browser extension login it doesn't pop up anything; I just see

Also, the desktop app just shows a black screen (but I can use TOTP OK).

(I can use backup TOTP) and it logs in OK; ideally, for convenience, I'd rather use the security key each time…

Is this a known issue, or do I have a setting wrong somewhere, or is this something I need to raise on Bitwarden's forum?
If it makes a difference, I am not using the standard port 443
(but I do have the correct url:port in the custom settings in the extension & app).
Thanks

Check your DOMAIN config, or your reverse proxy setup.
Most settings you can validate via /admin/diagnostics, but for some, like headers, you will need to check whether your reverse proxy is blocking, removing or modifying some security headers which Vaultwarden already sets by default where needed.
Some security options, like ModSecurity for example, cause issues.


Thank you,
diagnostics seems to show OK.

In admin settings the https://domain.com:port is correct, and FIDO is working fine when accessing the web vault; it appears to only affect the official Bitwarden app & extension.

I just noticed a specific YubiKey section (which I haven't edited) - do I need to put my server URL in there for the extension/app to work?

I do use SWAG as a reverse proxy; I'll have a look through the logs to check now. Thanks for your help.

Ah, wait, you want to use YubiKey instead of WebAuthn.
In that case, I suggest reading the following page, running those steps and providing the valid values.


Hi, no, I want to use WebAuthn/FIDO (it's a YubiKey Bio; it doesn't have OTP). As yet I can't fathom why it fails to connect in the extension/app - will check the proxy when I get back.

(I do have OTP as a fallback option in the Aegis app.)

You probably want the WebAuthn MFA/2FA option then instead.
That is a bit more universal, and your key itself should handle the Bio part.

Hi, yes, that's the option I am using: WebAuthn/FIDO.

Sign in to the web vault prompts & works.
Sign in from the desktop app or extension fails to connect, which is why I'm thinking it may be an issue with Bitwarden's official app/extension being able to use custom ports?

Then you probably have some security headers which are changed,
like the X-Frame-Options or Content-Security-Policy.

If those are changed, or always added, it will cause issues with those popups in apps other than a web browser.

Thanks, I've been trying turning different headers off/on, as yet no joy. Here is the original ssl.conf config:


ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA38>
ssl_prefer_server_ciphers off;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;


### Linuxserver.io Defaults

# Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;

# Diffie-Hellman Parameters
ssl_dhparam /config/nginx/dhparams.pem;

# Enable TLS 1.3 early data
ssl_early_data on;

# HSTS, remove # from the line below to enable HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Optional additional headers
add_header Cache-Control "no-transform" always;
add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-UA-Compatible "IE=Edge" always;
add_header X-XSS-Protection "1; mode=block" always;


add_header X-Permitted-Cross-Domain-Policies    "none"          always;
add_header X-Robots-Tag                         "none"          always;
fastcgi_hide_header X-Powered-By;

Weirdly, after disabling the 3 below with # it's working… but any one of these on its own doesn't seem to make any difference… Thanks for the heads up, it's working now, but I need to ensure I've not dramatically reduced my security doing this!

HSTS
Content-Security-Policy
X-Frame-Options

# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Optional additional headers
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header X-Frame-Options "SAMEORIGIN" always;

Tada, I now get prompted in the app & extension for the key.

Thanks so much for your help; I need to read up & understand more on these headers.

You need to remove the X-Frame-Options and Content-Security-Policy you are setting there.
They cause the issues you are having.

Actually, I suggest removing everything except the Strict-Transport-Security.


Yep, disabling those 2, enabling HSTS again and restarting SWAG worked… but I couldn't help feeling I had weakened something / was less secure?

After a bit of reading about the headers I stumbled on this

So I now have the original config with all headers as they were, except that now I've added my URL into the frame-ancestors field (just in case this helps anyone in future):

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self' https://*.mydomain.com:port";
add_header X-Frame-Options "SAMEORIGIN" always;

So far so good, both app & extension are now fine, and prompt for the Bio key.

Again, many thanks for your help in sorting this!
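As an added illustration (not code from anyone in this thread or from Vaultwarden), here is a small Python checker that applies the browser rules behind the fix above: when a Content-Security-Policy frame-ancestors directive is present it is authoritative and X-Frame-Options is ignored, and 'self' only matches an ancestor with the same scheme, host and port, so a non-standard port has to be spelled out in any host source you add. The origins and port 8443 used in the comments and tests are constructed placeholders for the thread's https://*.mydomain.com:port.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def parse_origin(origin):
    """Split 'scheme://host[:port]' into (scheme, host, effective port)."""
    u = urlsplit(origin)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(source, ancestor, page):
    """Match one frame-ancestors source expression against an ancestor origin."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":  # same scheme, host AND port as the framed page
        return ancestor == page
    if source == "*":
        return True
    # host-source: [scheme://]host[:port], host may start with "*."
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.partition(":")
    a_scheme, a_host, a_port = ancestor
    if scheme and scheme != a_scheme:
        return False
    if host.startswith("*."):  # "*.example.com" matches subdomains, not the bare domain
        if not a_host.endswith(host[1:]):
            return False
    elif host != a_host:
        return False
    if port == "*":
        return True
    if port:
        return int(port) == a_port
    # no port in the source: only the scheme's default port matches
    return a_port == DEFAULT_PORTS.get(a_scheme)

def framing_allowed(headers, ancestor_origin, page_origin):
    """Would a browser let ancestor_origin frame a page served with these headers?"""
    headers = {k.lower(): v for k, v in headers.items()}
    ancestor, page = parse_origin(ancestor_origin), parse_origin(page_origin)
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # CSP frame-ancestors is authoritative; X-Frame-Options is ignored
            return any(source_matches(s, ancestor, page) for s in parts[1:])
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    return ancestor == page if xfo == "sameorigin" else True
```

Two consequences worth checking in your own config: a host source without an explicit port (e.g. https://*.example.com) never matches an ancestor on 8443, and a wildcard source does not cover the bare domain.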