Unable to log in via all methods

I was using the 1.18 (bitwarden_rs) docker image for arm64 and it worked perfectly.

I updated to vaultwarden 1.27.0 by recreating the container, and it worked for a while (several minutes).

However, I’m currently not able to log in via WebVault, the Chrome extension, the Android app, etc.

The logs merely say:
[2023-01-10 13:32:47.200][request][INFO] POST /identity/connect/token
[2023-01-10 13:32:47.201][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: xxx.xxx.xxx.xxx. Username: xxxx@xxx.com.
[2023-01-10 13:32:47.201][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Does anyone have hints about what is going on?

Hard to tell without more information. First of all, make sure you are running the latest version 1.27.0 (see #3082).

Can you post the full log and maybe even increase the LOG_LEVEL?

Also what does the /admin page say? Does it list your users and the expected number of items? And can you share the support string from the diagnostics page?

To simplify the problem, let me focus on the WebVault first.

The container version is tagged as 1.27, the binary reports the version as 1.27.0, the web vault reports its version at the bottom as 2.25.0, and the /admin does not report its version.

Regarding the admin panel, I’ve configured ADMIN_TOKEN in an environment variable and admin_token in config.json with different values.

When I copy-paste the ADMIN_TOKEN to /admin, I see the “Configuration” page, however, the values are the default values, and are not the values loaded from config.json.
When using ADMIN_TOKEN, I have no access to other pages, such as /admin/user, /admin/diagnostics, etc. (HTTP 401).

When I copy-paste the admin_token from config.json to /admin, it just said "Error: Invalid admin token, please try again."

The db.sqlite3 has 566 rows in ciphers table, and 2 rows in users table, which seems OK.

I’ll attach the log (level=trace extended=true) later, as I hit “too many requests” currently.

Update: I forgot to refresh the web-vault between switching versions back and forth, the web-vault is indeed 2022.12.0

Okay. If you are using the latest docker image you should be using a newer version of the web-vault as it is bundled with the image (unless you are using a custom web-vault). As said in the linked issue #3082 the version should be reported as v2022.12.0 in the footer. So make sure you have started the new container and there is no other vaultwarden (or bitwarden_rs) container running.

On a side note, the config.json generally overrides the values set via environment variables. See

If you can’t even log in to the admin interface, I suspect that there is something in between which either blocks headers, clears cookies or something.

Check your reverse proxy for logs, and if you have security stuff enabled which could cause issues, like ModSecurity for example.

Same for some browser extensions, some tend to block specific headers, which could break logins.

Try a different browser with and without Private/incognito window.

I always use a private window for debugging issues, and connect directly to the docker container using the container’s IP address, without port forwarding, reverse proxy, etc.

Here’s the log of a normal login:

[2023-01-12 05:10:50.023][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
[2023-01-12 05:11:05.746][tracing::span][TRACE] parse_headers;
[2023-01-12 05:11:05.746][tracing::span::active][TRACE] -> parse_headers;
[2023-01-12 05:11:05.746][tracing::span::active][TRACE] <- parse_headers;
[2023-01-12 05:11:05.746][tracing::span][TRACE] -- parse_headers;
[2023-01-12 05:11:05.747][request][INFO] POST /identity/accounts/prelogin
[2023-01-12 05:11:05.748][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2023-01-12 05:11:05.749][tracing::span][TRACE] encode_headers;
[2023-01-12 05:11:05.749][tracing::span::active][TRACE] -> encode_headers;
[2023-01-12 05:11:05.749][tracing::span::active][TRACE] <- encode_headers;
[2023-01-12 05:11:05.749][tracing::span][TRACE] -- encode_headers;
[2023-01-12 05:11:05.847][tracing::span][TRACE] parse_headers;
[2023-01-12 05:11:05.847][tracing::span::active][TRACE] -> parse_headers;
[2023-01-12 05:11:05.847][tracing::span::active][TRACE] <- parse_headers;
[2023-01-12 05:11:05.847][tracing::span][TRACE] -- parse_headers;
[2023-01-12 05:11:05.847][request][INFO] POST /identity/connect/token
[2023-01-12 05:11:05.848][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: Username: XXX@XXX.com.
[2023-01-12 05:11:05.848][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2023-01-12 05:11:05.848][tracing::span][TRACE] encode_headers;
[2023-01-12 05:11:05.848][tracing::span::active][TRACE] -> encode_headers;
[2023-01-12 05:11:05.848][tracing::span::active][TRACE] <- encode_headers;
[2023-01-12 05:11:05.848][tracing::span][TRACE] -- encode_headers;
[2023-01-12 05:11:05.908][tracing::span][TRACE] parse_headers;
[2023-01-12 05:11:05.908][tracing::span::active][TRACE] -> parse_headers;
[2023-01-12 05:11:05.909][tracing::span::active][TRACE] <- parse_headers;
[2023-01-12 05:11:05.909][tracing::span][TRACE] -- parse_headers;
[2023-01-12 05:11:05.909][request][INFO] GET /fonts/Open_Sans-normal-700.woff
[2023-01-12 05:11:05.909][tracing::span][TRACE] parse_headers;
[2023-01-12 05:11:05.909][tracing::span::active][TRACE] -> parse_headers;
[2023-01-12 05:11:05.909][tracing::span::active][TRACE] <- parse_headers;
[2023-01-12 05:11:05.909][tracing::span][TRACE] -- parse_headers;
[2023-01-12 05:11:05.910][response][INFO] (web_files) GET /<p..> [10] => 200 OK
[2023-01-12 05:11:05.910][request][INFO] GET /fonts/Open_Sans-italic-400.woff
[2023-01-12 05:11:05.910][response][INFO] (web_files) GET /<p..> [10] => 200 OK
[2023-01-12 05:11:05.911][tracing::span][TRACE] encode_headers;
[2023-01-12 05:11:05.911][tracing::span::active][TRACE] -> encode_headers;
[2023-01-12 05:11:05.911][tracing::span::active][TRACE] <- encode_headers;
[2023-01-12 05:11:05.911][tracing::span][TRACE] -- encode_headers;
[2023-01-12 05:11:05.912][tracing::span][TRACE] encode_headers;
[2023-01-12 05:11:05.912][tracing::span::active][TRACE] -> encode_headers;
[2023-01-12 05:11:05.912][tracing::span::active][TRACE] <- encode_headers;
[2023-01-12 05:11:05.912][tracing::span][TRACE] -- encode_headers;
[2023-01-12 05:11:50.026][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins

When I submit the token to /admin, it shows the general settings page with default values (not read from my config.json).
When I land on /admin/users/overview, the log shows:

[2023-01-12 05:28:31.974][request][INFO] GET /admin/users/overview
[2023-01-12 05:28:31.975][vaultwarden::auth][ERROR] Error decoding JWT
[2023-01-12 05:28:31.975][vaultwarden::api::admin][ERROR] Invalid or expired admin JWT. IP:
[2023-01-12 05:28:31.975][_][WARN] Request guard `AdminToken` failed: "Session expired".
[2023-01-12 05:28:31.975][_][WARN] Responding with registered (admin_login) /admin 401 catcher.

The cookie is XXX.YYY.ZZZ,
where XXX and YYY base64-decode (with proper padding "="s) into:

  • {"typ":"JWT","alg":"RS256"}
  • {"nbf":<some timestamp alike integer>,"exp":1673501967,"iss":"http://localhost|admin","sub":"admin_panel"}

The “exp” seems OK.
However, the ZZZ part is not base64-decodable no matter how many "="s I appended at the end.

If you want to properly decode that key, you need to use jwt.io.

Looking at the message, it says expired. That to me looks like the server or container date/time, or timezone is not set correctly.

This causes the token to be expired instantly.
The only thing you can do to bypass it is to disable the admin token for a short while so you can access the diagnostics page and check.
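An added example (not part of the original posts and not Vaultwarden's code): the admin cookie discussed above can be decoded locally with Python's standard library, and its `nbf`/`exp` claims compared against a chosen clock to see what skew would make it "expired". JWT segments are base64url without padding, and the third segment is raw signature bytes rather than JSON; the `nbf` value and the filler signature below are constructed, and the token is decoded without being verified.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment: URL-safe alphabet, padding stripped by the issuer."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str, now: Optional[int] = None) -> dict:
    """Decode a JWT WITHOUT verifying it and classify its time claims against `now`."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])  # raw bytes, not text or JSON
    now = int(time.time()) if now is None else now
    if "nbf" in claims and now < claims["nbf"]:
        status = "not yet valid"
    elif "exp" in claims and now >= claims["exp"]:
        status = "expired"
    else:
        status = "within validity window"
    return {"header": header, "claims": claims,
            "signature_len": len(signature), "status": status}


def make_sample_token() -> str:
    """Constructed sample shaped like the cookie in the post; nbf and signature are made up."""
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"nbf": 1673500767, "exp": 1673501967,
              "iss": "http://localhost|admin", "sub": "admin_panel"}
    filler_sig = bytes(range(256))  # 256 bytes, the size of an RSA-2048 signature
    return ".".join(b64url_encode(x) for x in (
        json.dumps(header).encode(), json.dumps(claims).encode(), filler_sig))


if __name__ == "__main__":
    token = make_sample_token()
    for clock in (1673500000, 1673501000, 1673502000):  # early, in-window, late
        print(clock, inspect_jwt(token, now=clock)["status"])
```

Passing the container's own clock (for example the output of `date +%s` run inside it) as `now` shows whether the server would consider the token inside its validity window.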

Oops, I made a mistake in starting the container.

I was using a normal user account to start the container and configured the path as “~/bwdata”.

After upgrading, I started the container as root.

As a result the path “~/bwdata” changed from /home/user/bwdata to /root/bwdata.

That’s why there’s no data.

Thank you for your help.
