DUO 2FA not working - displaying web page

Greetings everyone,
Ive opened a ticket with support but i am posting here as maybe i can get a quicker reply.
I have a self hosted instance where other than the updates to the docker containers, i do not make any changes to the environment.
I recently had to log into my instance from another PC and how it typically has gone is that i get a 2FA prompt on my phone from DUO. I know get the following error message

{"error": "invalid_grant", "error_description": "Redirect URI 'http://vault.example.com/duo-redirect-connector.html?client=web' must begin with 'https://'."}

From what i can somewhat understand from that error message, i am not being redirected to the https URL of the site. I don’t recall this ever being a problem so i have to assume there is something perhaps that changed on the docker instances?

Version 2024.2.5

Just to add in a bit more detail. A new page opens up with the URL below and with that error message about redirect

(https://api-7ab00aa2.duosecurity.com/oauth/v1/authorize?client_id=<code snippted out)


Just a heads up that the DUO api url you posted if visited generates the error listing your vault URL so you may want to edit your post and remove the link?

The error is from DUO stating that the redirect link must be https, so more likely to be a DUO policy update than a bitwarden one if you haven’t changed any settings.

Having said that, is the url set in your config.yml set to http or https? Bitwarden will redirect to https, but if the url in the config is set to http that will proably be sent to DUO as the return link and that may be causing the error.

e.g. /opt/bitwarden/bwdata/config.yml

#Full URL for accessing the installation from a browser. (Required)
url: https://xxxxxxxxxxxx

If you update the config, don’t forget to run

./bitwarden.sh rebuild

from the /opt/bitwarden directory afterwards

1 Like

You are super incredible.
Your advice set me on the path to correcting it.

  1. The config.yml did have my domain at http:// but after i rebuild and start my instance i was still facing the same issue.
  2. I then did a search within my /opt/bitwarden directory for anything that had http://example.com grep -ir http:example.com and what showed up was my global.override.env file which had the base URI at http. Once i changed it there and restarted my instance all is resolved.

The curious pieces to this issue was why did this stop working all of a sudden? It seems that the bitwarden application tells DUO what the redirect URL should be in order to bring up the option to push the 2FA prompt. If so then why did it work prior? Maybe there was a change at DUO that disallowed any API calls to be done over http ?
Either way, this is resolved !