Closed khadanja closed 2 months ago
Your clocks are out of sync, "Browser/Server Time Check: false".
Sync your server host and your client computer time, and that should fix it.
Time is off by 1 minute, it's always been like that. Not sure how to sync. Host has the correct NTP server assigned but still shows 1 minute forward. Host: Tue Apr 16 14:33:22 NZST 2024, Client: "The current time is: 14:32:00.97". By the way, I can log in using other authentication methods; only Duo is the issue.
What’s the ntp server that you’re using?
> What’s the ntp server that you’re using?

0.nz.pool.ntp.org. Host is an RPi running OMV, which I believe uses chrony. It was all working fine until a few days ago.
Can you try setting it to pool.ntp.org to see if the time offset is corrected?
Subject of the issue
Unable to login suddenly. Error shows expired authorization after approving Duo push
Deployment environment
Docker
Your environment (Generated via diagnostics page)
Config (Generated via diagnostics page)
Show Running Config
**Environment settings which are overridden:** SIGNUPS_ALLOWED SIGNUPS_ALLOWED=false

```json
{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****************",
  "domain_origin": "*****://*****************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": "api-*********duosecurity.com",
  "duo_ikey": "************",
  "duo_skey": "***",
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "******************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```

Steps to reproduce
Log in to vaultwarden using username & password, Send Duo Push, approve Duo push, error. Duo dashboard shows successful authentication. Docker container
Expected behaviour
Log in successfully after Duo push approval
Actual behaviour
Expired Authorization error
Troubleshooting data
Container log-

```
[2024-04-16 01:02:40.781][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-04-16 01:02:52.779][request][INFO] POST /identity/connect/token
[2024-04-16 01:02:52.949][vaultwarden::api::core::two_factor::duo][ERROR] Expired authorization
[2024-04-16 01:02:52.949][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
```

Browser Response-

```json
{"ErrorModel":{"Message":"Expired authorization","Object":"error"},"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null,"Message":"Expired authorization","Object":"error","ValidationErrors":{"":["Expired authorization"]},"error":"","error_description":""}
```
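A triage helper for the container log above, added here as an example and not part of the original issue or of Vaultwarden's code: it pairs each Duo `Expired authorization` error with the token request before it and the response after it, so these failures can be told apart from other 400s on the same endpoint. The function names are hypothetical; the sample lines are the ones posted in the issue.

```python
import re
from datetime import datetime

# Sample lines copied from the container log posted in this issue.
SAMPLE_LOG = """\
[2024-04-16 01:02:40.781][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-04-16 01:02:52.779][request][INFO] POST /identity/connect/token
[2024-04-16 01:02:52.949][vaultwarden::api::core::two_factor::duo][ERROR] Expired authorization
[2024-04-16 01:02:52.949][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
""".splitlines()

# Line layout that follows from log_timestamp_format "%Y-%m-%d %H:%M:%S.%3f" in the posted config.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\]"
    r"\[(?P<target>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
TOKEN_PATH = "/identity/connect/token"


def parse_line(line):
    """Split one log line into timestamp, target, level and message; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec


def duo_expiry_failures(lines):
    """Pair each Duo 'Expired authorization' error with its token request and response."""
    events = [e for e in map(parse_line, lines) if e is not None]
    findings = []
    for i, ev in enumerate(events):
        if not (ev["level"] == "ERROR" and ev["target"].endswith("two_factor::duo")
                and "Expired authorization" in ev["msg"]):
            continue
        # Nearest token request before the error and nearest token response after it.
        req = next((p for p in reversed(events[:i])
                    if p["target"] == "request" and TOKEN_PATH in p["msg"]), None)
        resp = next((n for n in events[i + 1:]
                     if n["target"] == "response" and TOKEN_PATH in n["msg"]), None)
        findings.append({
            "error_at": ev["ts"],
            "ms_after_request": round((ev["ts"] - req["ts"]).total_seconds() * 1000) if req else None,
            "status": resp["msg"].split("=> ", 1)[1] if resp else None,
        })
    return findings
```

On the posted lines this reports one failure, raised 170 ms after the token request; the earlier 400 at 01:02:40 has no Duo error attached and is not counted.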