Problem with U2F FIDO2

Hi, I’m having problem with bitwarden browser exstension, when I install the bitwarden browser extension on new browser it doen’t prompt FIDO2 authentication but it only prompt 2FA authentication.
If I open my vaultwarden web site it correctly prompt FIDO2 authentication.

Not sure if this was around the time bitwarden changed to webauthn. But you could try the last testing version which supports a new way.

I’m having the same issue except with the Bitwarden desktop app.

I’m prompted for my Yubikey NFC when logging into the website & browser extension, but the desktop Windows app gets stuck loading & never prompts for it so I need to use another 2FA method.

Which version of Vaultwarden are you using? There have been some web-vault changes which are currently only implemented into the testing images.

Vaultwarden Version 1.22.2 through docker on unRAID
Bitwarden desktop app Version 1.28.3

There are some patches in the testing image regarding webauthn. You could try that.

I have the same exact issue as solar. I’m in testing build and the browser and mobile extensions work as expected with webauthn, but the windows desktop app is stuck on “loading” screen.

vaultwarden logs show the following:

[2021-10-26 10:07:37.321][request][INFO] POST /api/accounts/prelogin
[2021-10-26 10:07:37.321][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-10-26 10:07:37.358][request][INFO] POST /identity/connect/token
[2021-10-26 10:07:37.396][error][ERROR] 2FA token not provided
[2021-10-26 10:07:37.396][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
1 Like

I have a similar problem on the desktop application

Bitwarden Desktop: 1.29.1
vaultwarden tested on:

You need to change your reverse proxy to not send custom headers which are probably causing the a more strict policy.

We turned off the security headers, but we still have the same bug.

[2021-11-08 10:49:31.199][request][INFO] POST /api/accounts/prelogin
[2021-11-08 10:49:31.199][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-11-08 10:49:31.286][request][INFO] POST /identity/connect/token
[2021-11-08 10:49:31.366][error][ERROR] 2FA token not provided
[2021-11-08 10:49:31.366][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
[2021-11-08 10:49:31.946][request][INFO] GET /webauthn-connector.html?data=eyJhbGxvd0NyZWRlbnRpYWxzI
[2021-11-08 10:49:31.946][response][INFO] GET /<p…> [10] (web_files) => 200 OK

reverse proxy config:

Any other suggestions?

Okay, we solved the problem. We suppose this is a just bug.

vaultwarden server responds with these headers:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=600
Server: Rocket
Feature-Policy: accelerometer ‘none’; ambient-light-sensor ‘none’; autoplay ‘none’; camera ‘none’; encrypted-media ‘none’; fullscreen ‘none’; geolocation ‘none’; gyroscope ‘none’; magnetometer ‘none’; microphone ‘none’; midi ‘none’; payment ‘none’; picture-in-picture ‘none’; sync-xhr ‘self’; usb ‘none’; vr ‘none’
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors ‘self’ chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ;
Content-Length: 1181
Date: Mon, 08 Nov 2021 10:30:18 GMT

We discovered a problem for fido2 webauth authorization with 2 headers: X-Frame-Options and Content-Security-Policy

if we disable the following directives on reverse proxy, fido2 authentication works:
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;

it’s just a workaround and disabling it is probably not good from a security perspective

this should be fixed in the desktop app