[Win10][Desktop] FIDO2 WebAuthn hangs on Loading

Version 2022.5.1
Shell 16.1.0
Renderer 96.0.4664.174
Node 16.9.1
Architecture x64

When trying to log in to the Windows Desktop client using the self-hosted server environment and an account for that server that works on the Bitwarden Firefox plugin, after entering my username and password the client ~stalls(?) with the message “FIDO2 WebAuthn Loading…”.

The client is still interactable; however, it will simply never move past this screen.

Reproduction steps:

  1. Download the Bitwarden Windows Desktop App ( https://vault.bitwarden.com/download/?app=desktop&platform=windows ) and install it for just this user. (Only one User on the PC.)
  2. Run the App.
  3. Click Settings in the top left.
  4. Enter the Server URL and click the Save Icon.
  5. Enter my email address and master password associated with my account on my self-hosted server.
  6. Click Log In.
  7. Wait forever as the app displays “FIDO2 WebAuthn Loading…” with a checkbox for Remember Me and buttons to Continue, Cancel, or Use another two-step login method.

These buttons are interactable. “Use another two-step login method” only has “FIDO2 WebAuthn” (Bringing me back to where I just was) and “Recovery Code” which disables 2-factor Authentication, which is useless for regular use. “Continue” brings up an error box saying “An error has occured. Verification code is required”. “Cancel” returns me back to the email/password entry page.

Hello and welcome @Luna_L_Nova

Being as the issue is with the self-hosted install this may not be specific to the client.

Could you perhaps provide further detail on your self-hosted setup?
Do you perhaps run your own reverse proxy in front of the Bitwarden stack?

I know there have been a few similar related posts here.

Thanks for the pointer; it was an issue with the frame-options setting in the content-security-policy header in our self-hosted setup.

It’d be helpful if the desktop app showed an error message when an error like that happens instead of a loading spinner forever, but the error was on our end and this thread can probably be closed.

Warm regards,

Luna Nova

I’m also having the same issue on our self-hosted setup; the desktop application tries to load FIDO2 WebAuthn and is stuck there while loading.

Can someone elaborate what configuration is needed within the nginx options for frame-options and content-security-policy?

I tried configuring it like this but it still doesn’t work:

add_header Content-Security-Policy "frame-ancestors *.domain.xyz";
add_header X-Frame-Options "ALLOW-FROM *.domain.xyz";

EDIT: I should also add that FIDO2 WebAuthn works without problems when logging in via the browser.
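
An added example, not from the thread or the Bitwarden project: a simplified check of whether a set of response headers lets a given origin frame a page, run against the two headers posted above. The function names and the embedder origins are assumptions (`file://` stands in for any non-web embedding origin); ports, paths, scheme upgrades and nested ancestors are not modelled.

```python
from urllib.parse import urlsplit

def source_matches(src, embedder, resource):
    """Match one frame-ancestors source expression against the embedder origin."""
    src = src.lower()
    e, r = urlsplit(embedder), urlsplit(resource)
    if src == "'none'":
        return False
    if src == "'self'":
        return (e.scheme, e.netloc) == (r.scheme, r.netloc)
    if src == "*":
        return e.scheme in ("http", "https")  # bare * covers network schemes only
    if src.endswith(":"):                     # scheme-source such as https:
        return e.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")
    # A host-source without a scheme inherits the scheme of the protected resource.
    if e.scheme != (scheme or r.scheme):
        return False
    if host.startswith("*."):
        return (e.hostname or "").endswith(host[1:])  # subdomains only, not the bare domain
    return (e.hostname or "") == host

def framing_allowed(headers, embedder, resource):
    """Return (allowed, reason) for `embedder` framing a page served from `resource`."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            ok = any(source_matches(s, embedder, resource) for s in parts[1:])
            # When frame-ancestors is present, X-Frame-Options is ignored.
            return ok, "frame-ancestors " + ("matched" if ok else "did not match")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        e, r = urlsplit(embedder), urlsplit(resource)
        return (e.scheme, e.netloc) == (r.scheme, r.netloc), "X-Frame-Options SAMEORIGIN"
    # ALLOW-FROM is obsolete; Chromium-based renderers ignore the header entirely.
    return True, "no enforceable framing restriction"

# Headers as posted in the thread; RESOURCE and the embedder origins are constructed.
THREAD_HEADERS = {
    "Content-Security-Policy": "frame-ancestors *.domain.xyz",
    "X-Frame-Options": "ALLOW-FROM *.domain.xyz",
}
RESOURCE = "https://vault.domain.xyz"

if __name__ == "__main__":
    print(framing_allowed(THREAD_HEADERS, "file://", RESOURCE))
```

With these headers a page on a subdomain of domain.xyz may frame the resource, while the bare domain and any embedder that is not an http(s) origin are refused, and the `ALLOW-FROM` line has no effect either way.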