Windows 10 Desktop App and WebAuthn not working (mobile, browser extensions work fine)

I’m on the testing build of VaultWarden.

When trying to use FIDO2 WebAuthn login on the Bitwarden desktop app on Windows 10, the app displays “Loading” and never progresses. The following occurs in the vaultwarden logs:

[2021-10-26 10:07:37.321][request][INFO] POST /api/accounts/prelogin
[2021-10-26 10:07:37.321][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-10-26 10:07:37.358][request][INFO] POST /identity/connect/token
[2021-10-26 10:07:37.396][error][ERROR] 2FA token not provided
[2021-10-26 10:07:37.396][response][INFO] POST /identity/connect/token (login) => 400 Bad Request

The mobile apps and browser extensions work as expected with WebAuthn (including the browser extension for Firefox on the same PC as the Desktop app having this issue).

Vaultwarden is hosted on my server at home and only accessible on my local LAN. I followed the HAProxy for pfSense guide to set up the reverse proxy.

DOMAIN variable is set in Unraid Docker for VaultWarden. Domain is also set in admin panel. No trailing / on the domain ( correctly resolves the WebAuthn image (which is suppose to appear in the desktop app).

Any ideas?

1 Like

I have a similar problem on the desktop application

vaultwarden server responds with these headers:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=600
Server: Rocket
Feature-Policy: accelerometer ‘none’; ambient-light-sensor ‘none’; autoplay ‘none’; camera ‘none’; encrypted-media ‘none’; fullscreen ‘none’; geolocation ‘none’; gyroscope ‘none’; magnetometer ‘none’; microphone ‘none’; midi ‘none’; payment ‘none’; picture-in-picture ‘none’; sync-xhr ‘self’; usb ‘none’; vr ‘none’
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors ‘self’ chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ;
Content-Length: 1181
Date: Mon, 08 Nov 2021 10:30:18 GMT

We discovered a problem for fido2 webauth authorization with 2 headers: X-Frame-Options and Content-Security-Policy

if we disable the following directives on reverse proxy, fido2 authentication works:
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;

it’s just a workaround and disabling it is probably not good from a security perspective

this should be fixed in the desktop app


I removed all my headers from pfSense HAProxy and still have the issue.

I even directly added the IP:Port of BitWarden to the desktop app instead of using the URL and I still have the issue.

Please continue here: Windows 10 Desktop app FIDO2 Webauthn stuck on "Loading" · Discussion #2111 · dani-garcia/vaultwarden · GitHub to keep all a bit centralized.