I’m on the testing build of VaultWarden.
When trying to use FIDO2 WebAuthn login on the Bitwarden desktop app on Windows 10, the app displays “Loading” and never progresses. The following occurs in the vaultwarden logs:
[2021-10-26 10:07:37.321][request][INFO] POST /api/accounts/prelogin
[2021-10-26 10:07:37.321][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-10-26 10:07:37.358][request][INFO] POST /identity/connect/token
[2021-10-26 10:07:37.396][error][ERROR] 2FA token not provided
[2021-10-26 10:07:37.396][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
The mobile apps and browser extensions work as expected with WebAuthn (including the browser extension for Firefox on the same PC as the Desktop app having this issue).
Vaultwarden is hosted on my server at home and only accessible on my local LAN. I followed the HAProxy for pfSense guide to set up the reverse proxy.
DOMAIN variable is set in Unraid Docker for VaultWarden. Domain is also set in admin panel. No trailing / on the domain (https://vault.mylocaldomain.com).
https://vault.mylocaldomain.com/webauthn-mobile-connector.html correctly resolves the WebAuthn image (which is supposed to appear in the desktop app).
I have a similar problem on the desktop application.
vaultwarden server responds with these headers:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=600
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://2fa.directory; usb 'none'; vr 'none'
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ;
Date: Mon, 08 Nov 2021 10:30:18 GMT
We discovered a problem with FIDO2 WebAuthn authorization caused by two headers: X-Frame-Options and Content-Security-Policy.
If we disable the following directives on the reverse proxy, FIDO2 authentication works:
It’s just a workaround, and disabling it is probably not good from a security perspective.
This should be fixed in the desktop app.
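To see why those two headers matter, the following added example (not code from Vaultwarden or Bitwarden) implements the CSP frame-ancestors source matching and X-Frame-Options rules, so you can test offline whether the headers quoted above let a given origin frame webauthn-mobile-connector.html. The page URL and the sample header value are taken from this thread; the embedding origins passed in are constructed.

```python
"""Does a page's CSP frame-ancestors / X-Frame-Options allow a given origin to frame it?
Added example, not Vaultwarden or Bitwarden code; tests the headers quoted above offline."""
from urllib.parse import urlsplit

PAGE_URL = "https://vault.mylocaldomain.com/webauthn-mobile-connector.html"

# Constructed sample: the Content-Security-Policy value quoted in the thread.
SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb "
        "chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ;"
    ),
}

def _origin(url):
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or ""), p.port

def _source_matches(source, embedder, page):
    """Match one CSP source expression against the embedding origin."""
    if source == "'self'":
        return _origin(embedder) == _origin(page)
    if source == "*":
        return True
    s_scheme, s_host, s_port = _origin(source)
    e_scheme, e_host, e_port = _origin(embedder)
    if s_scheme != e_scheme or (s_port is not None and s_port != e_port):
        return False
    if s_host == "*":                              # e.g. moz-extension://*
        return True
    if s_host.startswith("*."):                    # e.g. *.example.com
        return e_host.endswith(s_host[1:])
    return s_host == e_host

def frame_allowed(headers, embedder, page=PAGE_URL):
    """True if `embedder` may frame `page`. A frame-ancestors directive, when
    present, overrides X-Frame-Options, as browsers do; 'none' allows nothing."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t for t in tokens[1:] if t != "'none'"]
            return any(_source_matches(s, embedder, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(embedder) == _origin(page)
    return True                                    # no framing restriction sent
```

With the quoted policy, only the same origin, the two listed Chrome extension IDs and any Firefox extension may frame the connector page; any other embedder, which is what the desktop app's webview would be, is refused.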
I removed all my headers from pfSense HAProxy and still have the issue.
I even directly added the IP:Port of BitWarden to the desktop app instead of using the URL and I still have the issue.