
Missing password hash

jonathanmohamed opened this issue · 2 comments

I can log in with SSO (GitLab or Google Workspace), but when I try to set a master password it fails with `[ERROR] Missing password hash`.
I'm not sure whether this is a bug or an error on my part.

Apologies if this isn't a bug; I couldn't find an email address or other contact info for you.

error log

vaultwarden2   | [2024-03-14 14:05:56.285][response][INFO] (login) POST /identity/connect/token => 200 OK
vaultwarden2   | [2024-03-14 14:05:56.318][request][INFO] GET /api/config
vaultwarden2   | [2024-03-14 14:05:56.319][response][INFO] (config) GET /api/config => 200 OK
vaultwarden2   | [2024-03-14 14:05:56.366][request][INFO] POST /identity/connect/token
vaultwarden2   | [2024-03-14 14:05:56.771][response][INFO] (login) POST /identity/connect/token => 200 OK
vaultwarden2   | [2024-03-14 14:05:56.797][request][INFO] GET /api/sync?excludeDomains=true
vaultwarden2   | [2024-03-14 14:05:56.802][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
vaultwarden2   | [2024-03-14 14:05:56.843][request][INFO] GET /api/organizations/undefined/auto-enroll-status
vaultwarden2   | [2024-03-14 14:05:56.846][request][INFO] GET /api/config
vaultwarden2   | [2024-03-14 14:05:56.847][response][INFO] (config) GET /api/config => 200 OK
vaultwarden2   | [2024-03-14 14:05:56.849][response][INFO] (get_auto_enroll_status) GET /api/organizations/<identifier>/auto-enroll-status => 200 OK
vaultwarden2   | [2024-03-14 14:05:56.877][request][INFO] GET /api/organizations/null/policies/master-password
vaultwarden2   | [2024-03-14 14:05:56.879][response][INFO] (get_policy_master_password) GET /api/organizations/<org_id>/policies/master-password => 200 OK
vaultwarden2   | [2024-03-14 14:06:03.643][request][INFO] POST /api/accounts/set-password
vaultwarden2   | [2024-03-14 14:06:03.643][vaultwarden::api::core::accounts][ERROR] Missing password hash
vaultwarden2   | [2024-03-14 14:06:03.644][response][INFO] (post_set_password) POST /api/accounts/set-password => 422 Unprocessable Entity

debug log

### Your environment (Generated via diagnostics page)
* Vaultwarden version: v1.30.5-3
* Web-vault version: voidc_experimental-v2024.1.2-6
* OS/Arch: linux/x86_64
* Running within a container: true (Base: Debian)
* Environment settings overridden: false
* Uses a reverse proxy: true
* IP Header check: false (X-Forwarded-For)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Browser/Server Time Check: true
* Server/NTP Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: SQLite
* Database version: 3.44.0
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

### Config (Generated via diagnostics page)
<details><summary>Show Running Config</summary>

**Environment settings which are overridden:** 


```json
{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****************",
  "domain_origin": "*****://*****************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/warden.log",
  "log_level": "info",
  "log_level_override": "",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***************************",
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "https://gitlab.com",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "https://xyx.xyz/identity/connect/oidc-signin",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "2a4f9c3ad932d947e759b745a9c679eba6a07f31b3057fe7020d3301d6d45103",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_experimental_no_master_pwd": false,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_organizations_invite": false,
  "sso_organizations_token_path": "/groups",
  "sso_pkce": true,
  "sso_roles_default_to_user": true,
  "sso_roles_enabled": false,
  "sso_roles_token_path": "/resource_access/2a4f9c3ad932d947e759b745a9c679eba6a07f31b3057fe7020d3301d6d45103/roles",
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```
</details>
Hey,
No worries, this is the method I prefer :).

I think the issue is that you are using the experimental frontend, which is designed to stop sending the password hash to the server, but you don't have the matching `sso_experimental_no_master_pwd` setting enabled, so the server still expects a hash to be sent.

I would not recommend using this feature: I worked on it only briefly as a prototype, and it's far from finished or polished, but I released it to see whether people were interested.

In general, I would recommend running with `SSO_FRONTEND='override'`.

I see, thank you for the proposed solution. It's working fine now.