Can't use FIDO WebAuthn with desktop app or extension (but works OK for web vault)

Hi, just wondering if this is a limitation/bug of Vaultwarden, or if I have a setting wrong somewhere, or whether I need to raise this with Bitwarden's support?

Running latest 1.27 (Docker vaultwarden:latest)
Vaultwarden (unofficial Bitwarden® server)
Version 2022.12.0
Brave browser with extension version 2023.1.0

I've recently enabled the use of 2 x YubiKey Bios and this works perfectly as expected for web vault logins.

However, for browser extension login, it doesn't pop up anything; I just see

Also, the desktop app just shows a black screen (but I can use TOTP OK).

(I can use backup TOTP) and it logs in OK; ideally, for convenience, I'd rather use the security key each time…

Is this a known issue, or do I have a setting wrong somewhere, or is this something I need to raise on Bitwarden's forum?
If it makes a difference, I am not using the standard port 443
(but I do have the correct url:port in the custom settings in the extension & app).

Check your DOMAIN config, or your reverse proxy setup.
Most settings you can validate via /admin/diagnostics, but for some, like headers, you will need to check whether your reverse proxy is blocking/removing or modifying security headers which are already set by Vaultwarden by default where needed.
Some security options, like ModSecurity for example, cause issues.

Diagnostics seems to show OK.

In admin settings the domain is correct, and FIDO is working fine when accessing the web vault; it appears to only affect the official Bitwarden app & extension.

I just noticed a specific YubiKey section (which I haven't edited) - do I need to put my server URL in there for the extension/app to work?

I do use SWAG as a reverse proxy; I'll have a look through the logs to check now. Thanks for your help.

Ah, wait, you want to use YubiKey instead of WebAuthn.
In that case, I suggest reading the following page, running those steps and providing the valid values.

Hi, no, I want to use WebAuthn/FIDO (it's a YubiKey Bio; it doesn't have OTP). As yet I can't fathom why it fails to connect in the extension/app - will check the proxy when I get back.

(I do have OTP as a fallback option in the Aegis app.)

You probably want the WebAuthn MFA/2FA option then instead.
That is a bit more universal, and your key itself should handle the Bio part.

Hi, yes, that's the option I am using, with WebAuthn/FIDO.

Sign in to web vault prompts & works.
Sign in from desktop app or extension fails to connect, which is why I'm thinking it may be an issue with Bitwarden's official app/extension being able to use custom ports?

Then you probably have some security headers which are changed.
Like the X-Frame-Options or Content-Security-Policy.

If those are changed, or always added, it will cause issues with those popups in other apps than a web browser.

Thanks, I've been trying turning different headers off/on, as yet no joy. Here is the original ssl.conf config:

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

### Defaults

# Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;

# Diffie-Hellman Parameters
ssl_dhparam /config/nginx/dhparams.pem;

# Enable TLS 1.3 early data
ssl_early_data on;

# HSTS, remove # from the line below to enable HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Optional additional headers
add_header Cache-Control "no-transform" always;
add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-UA-Compatible "IE=Edge" always;
add_header X-XSS-Protection "1; mode=block" always;

add_header X-Permitted-Cross-Domain-Policies    "none"          always;
add_header X-Robots-Tag                         "none"          always;
fastcgi_hide_header X-Powered-By;

Weirdly, after disabling the 3 below with # it's working… but any one of these on its own doesn't seem to make any difference… Thanks for the heads up, it's working now, but I need to ensure I've not dramatically reduced my security doing this!

content security policy

# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Optional additional headers
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header X-Frame-Options "SAMEORIGIN" always;

Tada, I now get prompted in app & extension for the key.

Thanks so much for your help; I need to read up & understand more on these headers.

You need to remove the X-Frame-Options and Content-Security-Policy you are setting there.
They cause the issues you are having.

Actually, I suggest removing everything except the Strict-Transport-Security.
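An added check (example code, not Vaultwarden's own and not from this thread) that does what the earlier reply suggested: compare the headers returned directly by the backend with those returned through the reverse proxy, and flag the two proxy-added headers named above, plus a missing Strict-Transport-Security header. Both header blocks are constructed samples (as you would capture with curl -I); what the backend itself sends is an assumption here.

```python
# Added example: diff backend vs. proxied response headers and report the
# proxy-added X-Frame-Options / CSP frame-ancestors that broke the WebAuthn
# prompt in the app and extension. Both blocks are constructed samples.
DIRECT = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-cache
"""

PROXIED = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-transform
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: upgrade-insecure-requests; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
"""

def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def frame_ancestors(csp: str):
    """Return the frame-ancestors source list of a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def audit(direct_raw: str, proxied_raw: str) -> dict:
    """Diff the two header sets and list what would block the app/extension."""
    direct, proxied = parse_headers(direct_raw), parse_headers(proxied_raw)
    added = sorted(set(proxied) - set(direct))
    removed = sorted(set(direct) - set(proxied))
    changed = sorted(n for n in set(direct) & set(proxied) if direct[n] != proxied[n])
    problems = []
    if "x-frame-options" in added + changed:
        problems.append("proxy sets X-Frame-Options: " + proxied["x-frame-options"])
    ancestors = frame_ancestors(proxied.get("content-security-policy", ""))
    if ancestors is not None and "content-security-policy" in added + changed:
        problems.append("proxy CSP restricts frame-ancestors to " + " ".join(ancestors))
    if "strict-transport-security" not in proxied:  # the one header worth keeping
        problems.append("no Strict-Transport-Security header on the proxied response")
    return {"added": added, "removed": removed, "changed": changed, "problems": problems}
```

Run audit(DIRECT, PROXIED) after pasting your own two captures in place of the samples; an empty problems list means the proxy is not adding the headers this thread identified.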

Yep, disabling those 2, enabling HSTS again and restarting SWAG worked… but I couldn't help feeling I had weakened something / was less secure?

After a bit of reading about the headers I stumbled on this.

So I now have the original config with all headers as they were, except that now I've added my URL into the frame-ancestors field (just in case this helps anyone in future):

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self' https://*";
add_header X-Frame-Options "SAMEORIGIN" always;

So far so good, both app & extension are now fine, and prompt for the Bio key.

Again, many thanks for your help in sorting this!