Windows 10 Desktop Fails to Sync or Login
Steps To Reproduce
Three Problems:
Fails to Sync:
- Have a desktop client logged in which uses an authenticator app
- Click File
- Click Sync Vault
Fails to add new item:
- Have a desktop client logged in which uses an authenticator app
- Create a new item
- Click the save button
Fails to Login:
- Install Windows Desktop Client Version 2024.3.2 either local or computer wide, or logout of desktop client updated to 2024.3.2
- Enter login credentials
- Enter authenticator code from app
Expected Result
Scenario 1: Sync the vault
Scenario 2: Add a new item
Scenario 3: Login
Actual Result
Scenario 1: Receive Generic Error Failed to Sync popup
Scenario 2 and 3: Receive Error Popup Which says: An error has occurred. Failed to decode access token: JWT must have 3 parts
Screenshots or Videos
No response
Additional Context
I have a version 2023.9.0 installer that I was able to use which does not have this issue. And it appears to be the same problem as this thread, but I'm not on the Linux client I'm on the Windows client.
Things I have attempted to fix it:
- Log out, login, discovered error pops up at two-factor step
- Uninstall and reinstall 2024.3.4 version, both local and computer-wide
- Uninstall and install 2023.9.0 version, finally made error go away
Operating System
Windows
Operating System Version
Windows 10 Build 19045.4170
Installation method
Direct Download (from bitwarden.com)
Build Version
2024.3.4
Issue Tracking Info
- [X] I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Hi there!
Thank you for your report, it seems like it is a duplicate of this one https://github.com/bitwarden/clients/issues/8651
If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time in there - our engineering team will be happy to review these.
This issue will now be closed.
Thanks!
@sean-abercrombie we have re-opened this issue, as after further investigation there are possibly OS-specific issues occurring here and #8651 addresses issues with Linux. In case there are Windows-specific considerations we'll keep this one open.
Thank you for the detailed writeup of the issue. You've included that you use an authenticator app. Have you tried performing these actions:
- On the account after disabling 2FA altogether?
- On the account after switching to a different 2FA method?
We are trying to isolate reproduction steps of your issue and would like to make sure we do so fully.
Could you also tell us what your Vault Timeout settings are (timeout action and timeout)?
Thank you!
My Vault timeout settings are 15 minutes and lock, but on reinstall it defaults to on restart and lock.
Trying your suggestions:
- Turning off 2FA altogether does not give the ability to sync. Logging out and logging back in succeeds this time, unlike with 2FA on, but results in an infinite loading circle where the items should be.
- Changing to 2FA email results in the same behavior as 2FA app. Nothing changes, sync is blocked if already logged in and unable to log in if I log out. Email and app 2FA are the only 2FA I have available to me.
Uninstalling and reinstalling after changing 2FA status does not change behavior. All tests done on version 2024.4.1.
Also if you or anyone else knows how to get the latest version before 2024.3.2 for Windows I'd appreciate it. I only have 2023.9.0 to downgrade to, and I assume that's a less secure version (though I'm not sure if it's by so much that it matters).
@sean-abercrombie thank you very much!
The driver for different behavior on login appears to be the enabling of 2FA, but behavior stays the same related to sync. Is that an accurate assessment?
For Login
- If 2FA of any method is enabled, login fails
- If 2FA is disabled, login succeeds but no vault content loads
For Sync
- If 2FA is enabled, sync fails
- If 2FA is disabled, sync fails
We are attempting replication internally and investigating the root cause, and this has been very helpful. Thank you for your help.
If possible, would you be able to look in the app.log log file that is persisted to your local app directory after running the latest version, while experiencing this error, to see if any logs appear, and attaching them to the ticket?
That is an accurate description of what was happening. Unfortunately I can't provide any more useful information as the problem seems to have resolved itself and I have normal functionality in 2024.4.1 now, and I have no app.log available from the previous errors to give you.
After I ran the tests yesterday, I uninstalled 2024.4.1 and reinstalled 2023.9.0. I opened the application several times since where it gave a prompt to restart to update to 2024.4.1, but I clicked "later" instead of "restart" and when I closed the application I denied it UAC privileges to update. Then just now I chose "restart" instead of "later", and allowed it UAC privileges so I could try to generate an app.log with the errors. But now it just works as normal and I get no errors when syncing, adding a new item, or logging back in after logging out. The about says I'm on 2024.4.1.
Thank you for the update. I'm glad that it is working for you now, and thank you for all of your help in providing detailed replication steps. We are continuing to investigate the root cause.
Just to confirm, there was no different process that you followed vs. previous upgrades to 2024.4.1?
Also, you noted in the ticket that the Windows app was a direct download from bitwarden.com. Is it accurate to say that you had the previous working version installed on the Windows machine (which had previously been downloaded), and the application automatically updated to 2024.3.2 at which point it stopped working?
Yes, I didn't do anything different. I had previously updated using auto-update from 2023.9.0 to 2024.4.1 when it originally came out and it did not work that time.
Also yes, before I started troubleshooting the state of the app was I downloaded and installed 2023.9.0 from the website back in September and it had been auto-updating from then until 2024.3.2 when it stopped working.
Thank you!
Also if you or anyone else knows how to get the latest version before 2024.3.2 for Windows I'd appreciate it. I only have 2023.9.0 to downgrade to, and I assume that's a less secure version (though I'm not sure if it's by so much that it matters)
To locate previous releases, you can look at the releases on Github. Here would be the 2024.3.0 release, for example, and you can download the Bitwarden-Installer-{version}.exe from there.
Copying my answer to @trmartin4's question here
- Running Windows 10 19045.4291
- Bitwarden version 2024.4.1 obtained via auto-update
- Vault timeout 15 minutes, action lock,
- No PIN or biometric on the Windows desktop app. Only master password and 2FA
Additionally, I tried uninstalling the app and installing 2024.3.0 from github releases. I was able to use my vault again. After getting an auto-update to 2024.4.1 I'm back to the same issue.
The problem begins with a "Failed to decode access token. JWT must have 3 parts" error message when saving an item. When logging out, I can't log back in.
I have created a test Bitwarden account and I hit the same bug. I intercepted the GET request on launch, I can share it with you if it can be of any help. There is no personal or confidential data on that test account and I won't mind sharing the details.
@uplifted-mauve if you are currently able to replicate the behavior, could you locate the app.log log file located at %AppData%\Bitwarden and send it to [email protected]? This may contain information about a root cause that will be helpful in diagnosing the issue. Thank you for your help.
@uplifted-mauve thank you for the logs. Just to confirm, the logs represent the state in which you've already experienced the "Failed to decode access token" error on sync, and now you can't log in? Are you receiving any error toast when you are unable to log in?
The steps I've documented are:
- Log in to the application after auto-update to 2024.4.1 (login works at this point)
- Attempt to update an item and receive "Failed to decode access token" error.
- Log out of the application.
- Attempt to log in again and are unable to do so.
My assumption is that we're on step 4 above at the point that we're seeing the logs.
Thank you again for all of your help.
The logs were taken during the following steps:
0. Uninstall bitwarden desktop app and installed 2024.3.0 from github releases. (logs get deleted)
- Launch bitwarden, login to my test account
- Close bitwarden
- Relaunch bitwarden - verify that the app has been auto-updated to the latest (2024.4.1)
- Tried modifying an item in my vault and clicking save
At that point I see a red toast notification with the JWT error. That's the end of the log file.
In that situation, logging out and trying to log in again will cause the infinite loading.
Here's the app.log for the infinite loading state https://gist.github.com/uplifted-mauve/47f45f51fd9b5b158ce0888a4706f605
- Launch bitwarden (time 08:35:09)
- Enter credentials (08:35:25)
- Close bitwarden (08:39:25)
This is the app state
Hope that helps!
@uplifted-mauve, thank you! That second log is very helpful, but it did raise a few additional questions, as it is different from the logs of any of our replication environments. If you have a few more moments to help it would be very much appreciated.
I had two follow-up questions:
- Is that the full contents of app.log, from step 0 through step 4? I would expect to see logs indicating that the app had updated to 2024.4.1 (see example below). Going through these steps do you not see any logs of the app update taking place?
- Could you check Credential Manager on your PC and verify that you have two values in there with the Bitwarden/ prefix? One should be your accessTokenKey and the other your refreshToken.
Thank you again for all of your help.
@trmartin4
- The app.log content I sent in the gist above was truncated for clarity. Here is the full log of this repro https://gist.github.com/uplifted-mauve/1eba0584e0dbd5f0aa28d54056429953
- I looked into the Credential Manager and there are no entries for Bitwarden.
Since the error mentions a JWT, here's what I intercepted in the /connect/token response https://gist.github.com/uplifted-mauve/7b087d9048c6ee05dab161d5e3ca104d. I can email the full requests if needed.
Thanks!
@uplifted-mauve Thank you very much! Your help has been critical in trying to nail down the root cause of this problem. If you have time to provide some additional information, I have two requests:
- Uninstall bitwarden desktop app and installed 2024.3.0 from github releases. (logs get deleted)
- Launch bitwarden, login to my test account
- Close bitwarden
- Relaunch bitwarden - verify that the app has been auto-updated to the latest (2024.4.1)
- Tried modifying an item in my vault and clicking save
- In the replication steps above, you indicated that you launch and log in to version 2024.3.0, close Bitwarden, and then open the application again to see it's 2024.4.1. Can you clarify the details on those steps a bit, so we can make sure we are capturing the nuance in our replication steps? First, in step 1, are you clicking "Later" on the upgrade popup that appears when you open the 2024.3.0 version? Second, when you open the application again in step 3, are you prompted to unlock or log in?
- Also, if you feel comfortable doing so (and only if this is a test account with no actual account passwords in it), could you create a Bitwarden Send with the contents of your data.json file from %AppData%\Bitwarden and send the link to [email protected]?
Thanks for following up @trmartin4.
- Answers to your questions
First, in step 1, are you clicking "Later" on the upgrade popup that appears when you open the 2024.3.0 version
Yes I clicked "Later". This allows me to login with version 2024.3.0
when you open the application again in step 3, are you prompted to unlock or log in?
I'm prompted to unlock. The message is "Your vault is locked. Verify your identity to continue" with a master password box.
- I created a Bitwarden Send with the data.json file and sent it to support. The test account has one fake entry, and no real or personal information in it. This is the SHA1 hash of the file data.json: f3dfa073c5d2e13b79974f2fb22f4aa2022c2e77.
@uplifted-mauve would you be able to check your Windows Event Log to see if there are any errors around the time that you triggered this issue to occur? We aren't sure which of the logs it would be in (Application, Security, etc.), so it would be best to check all of them to be sure.
Thank you for your help.
@trmartin4 Sure, there are only audit logs probably showing Bitwarden's attempt at reading the credential store, plus one access as system which may or may not be related (event id: 5382). I double checked my Credential Manager and there is no Bitwarden entry.
This is a log of me launching Bitwarden, entering my password to unlock the vault and hitting the infinite loading.
@uplifted-mauve we are working on a solution to this issue, but in our investigation of possible root causes, we encountered the possibility that there is a limit to the number of credentials stored by Credential Manager. We do not see explicit documentation that such a limit exists, but we would like to see if you happen to have a large number of other credentials stored in Credential Manager.
Thank you for your help!
Hi @trmartin4, the test vault I used had only 1 credential stored. I could easily repro the issue with that account, even after uninstalling and re-installing the app.
My real vault has 457 items spread across Login, Card, Identity and Secure note. Both accounts are affected by the same bug.
@uplifted-mauve I'm not sure if you and @trmartin4 are speaking of the same thing. I think @trmartin4 means the Windows Credential Manager and you, @uplifted-mauve, are speaking of Bitwarden. Is that correct?
Nonetheless I have 3 Web Passwords under Web Credentials and a lot more under Windows Credentials (1 Windows Credential, 0 Certificate-Based Credentials and 95 Generic Credentials, if I haven't miscounted). I hope this information helps.
I'm sorry, you are correct. I misread @trmartin4's last comment. My Windows Credential Manager has lots of "Windows Credentials", easily 100 if not more.
I got curious so I experimented a bit, it seems like the Credential Manager on my Windows install is broken. I tried making a small app adding a credential to the manager with CredWriteW and got the same NTSTATUS STATUS_NO_MEMORY that Bitwarden hits when trying to write to the cred manager.
~~I can't really explain why or how I'm hitting this error, but I tried reproducing on a VM by adding thousands of credentials with large CredentialBlob to the Credential Manager, but wasn't successful.~~
Even more interesting, I deleted one single entry from my Credential Manager and it seemed to have fixed the issue. I can now call CredWriteW and I can sign in with Bitwarden.
Edit: I wasn't satisfied so I tried really finding a limit on the cred manager size. It turns out I can hit a limit, it's just higher than I expected (in the 500k range, by my estimation). Here's a quick prototype I made to try to guess where the credential manager size limit is. It could be very wrong, but I know for sure that after adding lots of creds with CredWriteW I did hit some sort of limit.
@uplifted-mauve thank you so much for this extensive testing. This has been very helpful in isolating the issue.
For anyone experiencing this issue, we have a build available if you would like to download and verify that it addresses the problem, even with a "broken" Credential Manager as @uplifted-mauve you have experienced. This is a non-production build still in review, so we do advise that you back up your vault before using.
The change will detect whether there are issues with the OS credential store and fall back to disk storage for the access token and refresh token if there are any problems storing it. Secure storage is the preference and the default, but we recognize that there may be circumstances in which the OS cannot provide that mechanism and we need to support it without preventing the user from accessing their vault.
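The fallback described in this comment, sketched as an added TypeScript example (not Bitwarden's code; the store interface, class names and the read-back check are assumptions). It models a credential store that rejects every write, shows how the resulting missing token surfaces as the "JWT must have 3 parts" error, and then keeps the token on disk instead.

```typescript
// Added example; all names are hypothetical, not Bitwarden's code.
interface TokenStore {
  set(key: string, value: string): void; // throws when the backend rejects the write
  get(key: string): string | null;
}

// Models the Credential Manager state from this thread: every write fails
// (CredWriteW returned STATUS_NO_MEMORY) and no Bitwarden entry exists.
class BrokenSecureStore implements TokenStore {
  set(_key: string, _value: string): void { throw new Error("STATUS_NO_MEMORY"); }
  get(_key: string): string | null { return null; }
}

// In-memory map standing in for a working store (secure or on-disk).
class MapStore implements TokenStore {
  private data = new Map<string, string>();
  set(key: string, value: string): void { this.data.set(key, value); }
  get(key: string): string | null { return this.data.get(key) ?? null; }
}

const KEY = "accessToken";
const SAMPLE_TOKEN = "aGVhZGVy.cGF5bG9hZA.c2ln"; // constructed, not a real token

// Structural check that produces the error text reported in the thread.
function splitJwt(token: string | null): string[] {
  const parts = (token ?? "").split(".");
  if (parts.length !== 3) throw new Error("JWT must have 3 parts");
  return parts;
}

// Assumed pre-fix behaviour: the failed write goes unnoticed.
function saveWithoutFallback(secure: TokenStore, token: string): void {
  try { secure.set(KEY, token); } catch { /* failure ignored */ }
}

// Post-fix behaviour as described: prefer secure storage, verify the write by
// reading it back, and only then fall back to disk. Returns where the token
// landed so the caller can log the downgrade.
function saveWithFallback(secure: TokenStore, disk: TokenStore, token: string): "secure" | "disk" {
  try {
    secure.set(KEY, token);
    if (secure.get(KEY) === token) return "secure";
  } catch { /* fall through to disk */ }
  disk.set(KEY, token);
  return "disk";
}

function loadToken(secure: TokenStore, disk: TokenStore): string | null {
  return secure.get(KEY) ?? disk.get(KEY);
}

function demo(): string[] {
  const broken = new BrokenSecureStore();
  const disk = new MapStore();
  const out: string[] = [];
  saveWithoutFallback(broken, SAMPLE_TOKEN);
  try { splitJwt(broken.get(KEY)); } catch (e) { out.push((e as Error).message); }
  out.push(saveWithFallback(broken, disk, SAMPLE_TOKEN));
  out.push(String(splitJwt(loadToken(broken, disk)).length));
  return out;
}
console.log(demo());
```

With a healthy secure store, `saveWithFallback` returns "secure" and nothing is written to disk.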
FYI, I just had the same issue on Win11 22631.3447 and Bitwarden Desktop v2024.4.3 (and also v2024.4.1) and I got it fixed thanks to your debugging efforts @uplifted-mauve. All I had to do was remove a random entry* under Generic Credentials in the Credential Manager, log out in Bitwarden and log in again. Before there were also no Bitwarden credentials listed, now there are two entries.
*My credential manager is stuffed with 100+ XblGrts entries from the Xbox app, and I removed some older one.
I'm glad it could help @nagutdahastdu.
*My credential manager is stuffed with 100+ XblGrts entries from the Xbox app, and I removed some older one.
It seems like that could be a common issue. I figured I'd spend some time making a utility to remove old credentials since the Windows GUI is slow and I'd rather spend an hour automating a repetitive task that would otherwise take 5 minutes...
https://github.com/uplifted-mauve/CredManager
If you have time, file a problem report on the Xbox app using Feedback Hub. With enough reports they might notice the problem and start deleting their old credentials.
@trmartin4 I just tried the build (portable windows version: Bitwarden-Portable-2024.4.3.exe) you last mentioned there but still experiencing the syncing failed issue. For reference, my issue was originally detailed here: https://github.com/bitwarden/clients/issues/8857
I can confirm I had the issue with Windows 11 (OS Build 22631.3593) and the problem was resolved by removing multiple entries of vscodevscode.microsoft* (about 200 of them) and XblGrts* (around 5) in Windows Credentials Manager. Newly installed Bitwarden app (version 2024.5.0), I've been using the web version using Chrome and never had this problem before.
The PowerShell command to remove those Credential Manager entries (from https://stackoverflow.com/questions/39478018/remove-an-entry-from-credential-manager-for-all-users-on-windows) was:
cmdkey /list | ForEach-Object{if($_ -like "*Target:*" -and $_ -like "*vscodevscode*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}
I believe I am experiencing a subset of this issue as well. I have email 2FA enabled; Login succeeds with no issues but no vault content loads. When attempting a manual vault sync, I am only presented with the error message "Syncing Failed".
I am on Windows 10 Pro - 22H2/19045. I was originally using Bitwarden 2024.4.1 but upgraded to the test build posted by @trmartin4 version 2024.4.3 to see if that fixed the issue. It unfortunately did not.
I have tried the troubleshooting steps listed above. Uninstall/Reinstall, Log Out/In, Upgrade To Different Version, Remove Entries From Windows Credential Manager.
Looking in the app.log file between both versions, no log output occurs when attempting a manual vault sync that fails. After about 5 minutes I do see "Error: Failed to decode access token: JWT must have 3 parts".
Not sure if it's related or not; On launch of the Bitwarden client, both versions I listed above, there is an error in the app.log file of "Error: Element not found. (0x80070490)"
Update: I have just tested Bitwarden client version 2024.5.0 that was just released and the issue is still occurring
I still have the very same issue with this build. Is there any other way to fix it? I installed the application several times, tried several forks, older versions, cleared cache, cleared windows appData