
activation of passkeys triggers unhandled server error

Open airflow2010 opened this issue 6 months ago • 3 comments

Steps To Reproduce

Hello! I’m in the process of trying out Bitwarden as my new password management solution.

I use the unified image of bitwarden (docker).

So far the basic functionality works fine.

However, I run into trouble when I want to enable any kind of passkey functionality for accessing Bitwarden itself. It doesn't matter whether I want to add a passkey as a second factor or if I want to enable the "Log on with passkey" function. In both cases the error looks the same.

In the case of "log on with passkey":

  1. When I am logged on to the self-hosted Bitwarden system via the Chrome browser (I tried both Ubuntu and Windows 11), I click “turn on” for the feature.
  2. I am prompted to enter my master password again.
  3. Bitwarden triggers my browser to display a pop-up which asks me if I want to create a passkey for logon for the service (bitwarden).
  4. It shows “Passkey successfully generated” and asks me for a name.
  5. After entry of the name and clicking “turn on” again, it throws an “An unhandled server error has occurred.”

This is a screenshot of the error happening: (image not reproduced)

I tried two different kinds of passkeys: One with software + biometrics (Windows Hello), the other with hardware (Yubikey). In both cases, the error looks the same.

For troubleshooting, I then also tried to create an account with Bitwarden online in the cloud (not self-hosted). I configured everything exactly the same there. There I could create and use both kinds of passkeys without any problems. So it has to be some problem with the unified image. I looked in the logs of the console of the container, but there wasn't anything interesting.

Expected Result

passkey is created for further use

Actual Result

error-message "An unhandled server error has occurred."

Screenshots or Videos

(image not reproduced)

Additional Context

No response

Githash Version

4a7db112-dirty

Environment Details

Bitwarden 2025.5.0

Database Image

SQLITE

Issue-Link

https://github.com/bitwarden/server/issues/2480

Issue Tracking Info

  • [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

airflow2010 avatar May 20 '25 15:05 airflow2010

Hi there,

This has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

Neonwarden avatar May 20 '25 16:05 Neonwarden

I would like to share three additional pieces of information which might be helpful in understanding the problem.

  1. My host has multiple IP addresses on its main adapter (3 aliases). Might that be a problem?
  2. I add my docker-compose file for reference (below).
  3. Perhaps my settings.env is interesting. It contains nothing special, though... (see below).

docker-compose.yml

services:
  bitwarden:
    env_file:
      - stack.env
    image: ghcr.io/bitwarden/self-host:beta
    container_name: bitwarden
    restart: unless-stopped
    ports:
      - 192.168.0.2:8888:8888/tcp
      - 192.168.0.2:8889:8889/tcp
    volumes:
      - /mnt/DATA/shares/persistent/docker/bitwarden/etc:/etc/bitwarden

settings.env

# Required Settings #
#####################

# Server hostname
BW_DOMAIN=<redacted>

# Database
# Available providers are sqlserver, postgresql, mysql/mariadb, or sqlite
BW_DB_PROVIDER=sqlite
#BW_DB_SERVER=db
#BW_DB_DATABASE=bitwarden_vault
#BW_DB_USERNAME=bitwarden
#BW_DB_PASSWORD=super_strong_password

# Installation information
# Get your ID and key from https://bitwarden.com/host/
BW_INSTALLATION_ID=<redacted>
BW_INSTALLATION_KEY=<redacted>

#####################
# Optional Settings #
#####################
# Learn more here: https://bitwarden.com/help/environment-variables/

# Container user ID/group ID
PUID=3052
PGID=3052

# Webserver ports
BW_PORT_HTTP=8888
BW_PORT_HTTPS=8889

# SSL
BW_ENABLE_SSL=true
#BW_ENABLE_SSL_CA=true
#BW_SSL_CERT=ssl.crt
#BW_SSL_KEY=ssl.key
#BW_SSL_CA_CERT=ca.crt

# Services
# Some services, namely for enterprise use cases, are disabled by default. Defaults shown below.
#BW_ENABLE_ADMIN=true
#BW_ENABLE_API=true
#BW_ENABLE_EVENTS=false
#BW_ENABLE_ICONS=true
#BW_ENABLE_IDENTITY=true
#BW_ENABLE_NOTIFICATIONS=true
#BW_ENABLE_SCIM=false
#BW_ENABLE_SSO=false

#BW_ICONS_PROXY_TO_CLOUD=false

# Mail
globalSettings__mail__replyToEmail=<redacted>
globalSettings__mail__smtp__host=<redacted>
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=<redacted>
globalSettings__mail__smtp__password=<redacted>

# Yubikey
#globalSettings__yubico__clientId=REPLACE
#globalSettings__yubico__key=REPLACE

# Other
#globalSettings__disableUserRegistration=false
#globalSettings__hibpApiKey=REPLACE
adminSettings__admins=<redacted>

airflow2010 avatar May 25 '25 10:05 airflow2010

I had the same issue, it seems to be solved for me with the latest server version (2025.6.0)

roberto-sartori-gl avatar Jun 06 '25 12:06 roberto-sartori-gl

@airflow2010 Can you confirm that this has also been fixed for you in 2025.6.0?

trmartin4 avatar Jun 21 '25 17:06 trmartin4

I'm sorry, but since I needed a working solution faster I decided to switch to the normal (not self) hosted solution and cannot test this any more.

airflow2010 avatar Jun 24 '25 08:06 airflow2010

I still have this issue, combined with “Use for vault encryption” not being able to recognize the key, after it is able to read the key when trying to set up the passwordless login. When “Use for vault encryption” is unchecked and I try to add the key, it errors and the api.log shows this: Fido2NetLib.Fido2VerificationException: User Verified flag not set in authenticator data and user verification was required

AsterAether avatar Jul 12 '25 12:07 AsterAether
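The check behind the "User Verified flag not set" exception in the comment above, as an added example that is not part of this thread and not Fido2NetLib's or Bitwarden's own code: the relying party parses the fixed prefix of the WebAuthn authenticatorData (rpIdHash, flags byte, signCount) and rejects a registration whose UV bit is clear while user verification was required. The RP ID "xxx" and the sample authenticator data are constructed.

```python
import hashlib
import struct
from typing import Optional

# Flag bits of the authenticatorData flags byte (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN, biometric, ...)
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "attested_credential_data": bool(flags & FLAG_AT),
        "extensions": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }

def check_registration(auth_data: bytes, rp_id: str, require_uv: bool) -> Optional[str]:
    """Relying-party checks on authenticatorData during registration.
    Returns None on success, otherwise the first failed check as a message."""
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash does not match the configured RP ID"
    if not ad["user_present"]:
        return "User Present flag not set"
    # This is the condition reported in the api.log above: the server asked for
    # userVerification=required but the authenticator did not set the UV bit.
    if require_uv and not ad["user_verified"]:
        return "User Verified flag not set in authenticator data and user verification was required"
    return None

def constructed_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData (no attested credential data appended)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    # Hypothetical RP ID; a key that only proved presence fails when UV is required.
    print(check_registration(constructed_auth_data("xxx", FLAG_UP), "xxx", require_uv=True))
    print(check_registration(constructed_auth_data("xxx", FLAG_UP | FLAG_UV), "xxx", require_uv=True))
```

The first call prints the same message as the log line quoted above; the second prints None.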

Hi there,

This has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

I have exactly this issue on 2025.7.3.

vuminhtuanhvtc avatar Aug 09 '25 04:08 vuminhtuanhvtc

I am also unable to create a passkey for two factor on 2025.7.2 due to "an unhandled server error has occurred" when attempting to save (confirmed works on bitwarden.com).

In /var/log/bitwarden/api.log I see the following, which seems to indicate it's an issue with the FIDO2 fully qualified origin lacking the default port number 8443.

I noticed app-id.json does not have the port number, either. What is generating /app/Web/app-id.json?

Fido2NetLib.Fido2VerificationException: Fully qualified origin https://xxx:8443 of https://xxx:8443 not equal to fully qualified original origin https://xxx (1)
   at Fido2NetLib.AuthenticatorResponse.BaseVerify(HashSet`1 fullyQualifiedExpectedOrigins, ReadOnlySpan`1 originalChallenge, ReadOnlySpan`1 requestTokenBindingId)
   at Fido2NetLib.AuthenticatorAttestationResponse.VerifyAsync(CredentialCreateOptions originalOptions, Fido2Configuration config, IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser, IMetadataService metadataService, Byte[] requestTokenBindingId, CancellationToken cancellationToken)
   at Fido2NetLib.Fido2.MakeNewCredentialAsync(AuthenticatorAttestationRawResponse attestationResponse, CredentialCreateOptions origChallenge, IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser, Byte[] requestTokenBindingId, CancellationToken cancellationToken)
   at Bit.Core.Services.UserService.CompleteWebAuthRegistrationAsync(User user, Int32 id, String name, AuthenticatorAttestationRawResponse attestationResponse) in /source/src/Core/Services/Implementations/UserService.cs:line 406
   at Bit.Api.Auth.Controllers.TwoFactorController.PutWebAuthn(TwoFactorWebAuthnRequestModel model) in /source/src/Api/Auth/Controllers/TwoFactorController.cs:line 269
   at lambda_method1050(Closure, Object)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Logged|12_1(ControllerActionInvoker invoker)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)

MontereyRedheaded avatar Aug 20 '25 04:08 MontereyRedheaded
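The origin comparison that produced the exception in the comment above, as an added example that is not part of this thread and not Fido2NetLib's or Bitwarden's own code. A WebAuthn relying party reads the origin the browser signed into clientDataJSON and compares it, fully qualified, against the origins it was configured to expect: a default port ("https://xxx" vs "https://xxx:443") is the same origin, but an explicit non-default port such as 8443 is part of the origin, so an expected-origin list built from the bare hostname rejects it. The host "xxx" and the clientDataJSON are constructed.

```python
import base64
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def fully_qualified_origin(origin: str) -> str:
    """Normalise to scheme://host:port, filling in the scheme's default port.
    "https://xxx" and "https://xxx:443" become equal; "https://xxx:8443" stays distinct."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported origin: {origin!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return f"{scheme}://{parts.hostname}:{port}"

def client_data_origin(client_data_json_b64url: str) -> str:
    """Extract the browser-reported origin from base64url-encoded clientDataJSON."""
    padded = client_data_json_b64url + "=" * (-len(client_data_json_b64url) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["origin"]

def verify_origin(client_data_json_b64url: str, expected_origins: set) -> bool:
    """Relying-party origin check: the signed origin must match a configured one.
    The fix for a mismatch is to configure the full origin (with port), not to skip this."""
    got = fully_qualified_origin(client_data_origin(client_data_json_b64url))
    allowed = {fully_qualified_origin(o) for o in expected_origins}
    return got in allowed

def make_client_data(origin: str, challenge: str = "constructed-challenge") -> str:
    """Constructed clientDataJSON as a browser would produce it for navigator.credentials.create()."""
    doc = {"type": "webauthn.create", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(doc).encode()).decode().rstrip("=")

if __name__ == "__main__":
    cd = make_client_data("https://xxx:8443")          # what the browser signed over
    print(verify_origin(cd, {"https://xxx"}))          # False: expected origin lacks the port
    print(verify_origin(cd, {"https://xxx:8443"}))     # True: expected origin includes it
```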