Existing users are unable to accept invitation to new organization

[mburgess00]

Subject of the issue

I created a new organization and was joined to it as an owner, however, inviting other users that exist on our server fails with an error:
Error decoding JWT

Deployment environment

• vaultwarden version:
  2.25.0

• Install method:
  Docker image

• Clients used:
  Web vault

• Reverse proxy and version:

• MySQL/MariaDB or PostgreSQL version:

• Other relevant details:

Steps to reproduce

Expected behaviour

Link to join org should work

Actual behaviour

Presented with JWT error

Troubleshooting data

Server logs:
2022-01-06 15:43:45[2022-01-06 22:43:45.966][response][INFO] POST /identity/connect/token (login) => 200 OK
2022-01-06 15:43:45[2022-01-06 22:43:45.961][response][INFO] POST /identity/connect/token (login) => 200 OK
2022-01-06 15:43:45[2022-01-06 22:43:45.956][request][INFO] POST /identity/connect/token
2022-01-06 15:43:45[2022-01-06 22:43:45.950][request][INFO] POST /identity/connect/token
2022-01-06 15:43:45[2022-01-06 22:43:45.861][error][ERROR] Error decoding JWT.
2022-01-06 15:43:45[CAUSE] Error(
2022-01-06 15:43:45InvalidSignature,
2022-01-06 15:43:45)
2022-01-06 15:43:45[2022-01-06 22:43:45.861][response][INFO] POST /api/organizations/<_org_id>/users/<_org_user_id>/accept (accept_invite) => 400 Bad Request
2022-01-06 15:43:45[2022-01-06 22:43:45.859][request][INFO] POST /api/organizations/bccad2c2-bc0b-4096-b121-09d30229b883/users/1efc2f8e-1eb2-4e62-a9e5-f657f95573a6/accept
[2022-01-06 22:43:45.859][request][INFO] POST /api/organizations/bccad2c2-bc0b-4096-b121-09d30229b883/users/1efc2f8e-1eb2-4e62-a9e5-f657f95573a6/accept
2022-01-06 15:43:45[2022-01-06 22:43:45.793][error][ERROR] Error decoding JWT.
2022-01-06 15:43:45[CAUSE] Error(
2022-01-06 15:43:45InvalidSignature,
2022-01-06 15:43:45)
2022-01-06 15:43:45[2022-01-06 22:43:45.793][response][INFO] GET /api/organizations/<org_id>/policies/token? (list_policies_token) => 400 Bad Request
2022-01-06 15:43:45[2022-01-06 22:43:45.791][request][INFO] GET /api/organizations/bccad2c2-bc0b-4096-b121-09d30229b883/policies/token?token=eyJ0eXAiOiJKV1QiLCJhbGci
2022-01-06 15:43:45[2022-01-06 22:43:45.707][response][INFO] POST /identity/connect/token (login) => 200 OK
2022-01-06 15:43:45[2022-01-06 22:43:45.707][vaultwarden::api::identity][INFO] User <##user email redacted##> logged in successfully. IP: 10.101.9.88
2022-01-06 15:43:45[2022-01-06 22:43:45.551][request][INFO] POST /identity/connect/token
2022-01-06 15:43:45[2022-01-06 22:43:45.453][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
2022-01-06 15:43:45[2022-01-06 22:43:45.450][request][INFO] POST /api/accounts/prelogin
2022-01-06 15:43:41[2022-01-06 22:43:41.536][error][ERROR] Error decoding JWT.
2022-01-06 15:43:41[CAUSE] Error(
2022-01-06 15:43:41InvalidSignature,
2022-01-06 15:43:41)
2022-01-06 15:43:41[2022-01-06 22:43:41.536][response][INFO] GET /api/organizations/<org_id>/policies/token? (list_policies_token) => 400 Bad Request
2022-01-06 15:43:41[2022-01-06 22:43:41.534][request][INFO] GET /api/organizations/bccad2c2-bc0b-4096-b121-09d30229b883/policies/token?token=eyJ0eXAiOiJKV1QiLCJhbGci
2022-01-06 15:41:48[2022-01-06 22:41:48.971][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
2022-01-06 15:41:48[2022-01-06 22:41:48.968][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
2022-01-06 15:41:48[2022-01-06 22:41:48.797][request][INFO] GET /api/sync?excludeDomains=true
2022-01-06 15:41:48[2022-01-06 22:41:48.762][request][INFO] GET /api/sync?excludeDomains=true
2022-01-06 15:41:48[2022-01-06 22:41:48.743][response][INFO] POST /identity/connect/token (login) => 200 OK
2022-01-06 15:41:48[2022-01-06 22:41:48.734][request][INFO] POST /identity/connect/token
2022-01-06 15:41:48[2022-01-06 22:41:48.689][response][INFO] POST /identity/connect/token (login) => 200 OK
2022-01-06 15:41:48[2022-01-06 22:41:48.680][request][INFO] POST /identity/connect/token
2022-01-06 15:41:48[2022-01-06 22:41:48.591][error][ERROR] Error decoding JWT.
2022-01-06 15:41:48[CAUSE] Error(
2022-01-06 15:41:48InvalidSignature,
2022-01-06 15:41:48)
2022-01-06 15:41:48[2022-01-06 22:41:48.591][response][INFO] POST /api/organizations/<_org_id>/users/<_org_user_id>/accept (accept_invite) => 400 Bad Request
2022-01-06 15:41:48[2022-01-06 22:41:48.585][request][INFO] POST /api/organizations/bccad2c2-bc0b-4096-b121-09d30229b883/users/1efc2f8e-1eb2-4e62-a9e5-f657f95573a6/accept
2022-01-06 15:41:48[2022-01-06 22:41:48.522][error][ERROR] Error decoding JWT.
2022-01-06 15:41:48[CAUSE] Error(
2022-01-06 15:41:48InvalidSignature,
2022-01-06 15:41:48)
2022-01-06 15:41:48[2022-01-06 22:41:48.522][response][INFO] GET /api/organizations/<org_id>/policies/token? (list_policies_token) => 400 Bad Request
2022-01-06 15:41:48[2022-01-06 22:41:48.519][request][INFO] GET /api/organizations/bccad2c2-bc0b-4096-b121-09d30229b883/policies/token?token=<##token redacted##>
2022-01-06 15:41:48[2022-01-06 22:41:48.447][vaultwarden::api::identity][INFO] User <##user email redacted##> logged in successfully. IP: 10.101.8.84
2022-01-06 15:41:48[2022-01-06 22:41:48.447][response][INFO] POST /identity/connect/token (login) => 200 OK
2022-01-06 15:41:48[2022-01-06 22:41:48.365][request][INFO] POST /identity/connect/token
2022-01-06 15:41:48[2022-01-06 22:41:48.258][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
2022-01-06 15:41:48[2022-01-06 22:41:48.255][request][INFO] POST /api/accounts/prelogin
2022-01-06 15:41:42[2022-01-06 22:41:42.848][error][ERROR] Error decoding JWT.
2022-01-06 15:41:42[CAUSE] Error(
2022-01-06 15:41:42InvalidSignature,
2022-01-06 15:41:42)
2022-01-06 15:41:42[2022-01-06 22:41:42.848][response][INFO] GET /api/organizations/<org_id>/policies/token? (list_policies_token) => 400 Bad Request
2022-01-06 15:41:42[2022-01-06 22:41:42.846][request][INFO] GET /api/organizations/bccad2c2-bc0b-4096-b121-09d30229b883/policies/token?token=<##token redacted##>
2022-01-06 15:40:38[2022-01-06 22:40:38.042][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
2022-01-06 15:40:38[2022-01-06 22:40:38.033][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
2022-01-06 15:40:37[2022-01-06 22:40:37.764][request][INFO] GET /api/sync?excludeDomains=true
2022-01-06 15:40:37[2022-01-06 22:40:37.729][request][INFO] GET /api/sync?excludeDomains=true
2022-01-06 15:40:37[2022-01-06 22:40:37.709][response][INFO] POST /identity/connect/token (login) => 200 OK
2022-01-06 15:40:37[2022-01-06 22:40:37.693][request][INFO] POST /identity/connect/token
2022-01-06 15:40:37[2022-01-06 22:40:37.674][response][INFO] POST /identity/connect/token (login) => 200 OK
2022-01-06 15:40:37[2022-01-06 22:40:37.659][request][INFO] POST /identity/connect/token
2022-01-06 15:39:10[2022-01-06 22:39:10.263][start][INFO] Rocket has launched from http://0.0.0.0:80
2022-01-06 15:39:10[2022-01-06 22:39:10.111][vaultwarden][INFO] Public key created correctly.
2022-01-06 15:39:10[2022-01-06 22:39:10.111][vaultwarden][INFO] Private key created correctly.
2022-01-06 15:39:09| Starting Vaultwarden |
2022-01-06 15:39:09| Version 1.23.1 |
2022-01-06 15:39:09|--------------------------------------------------------------------|
2022-01-06 15:39:09| This is an unofficial Bitwarden implementation, DO NOT use the |
2022-01-06 15:39:09| official channels to report bugs/features, regardless of client. |
2022-01-06 15:39:09| Send usage/configuration questions or feature requests to: |
2022-01-06 15:39:09| https://vaultwarden.discourse.group/ |
2022-01-06 15:39:09| Report suspected bugs/issues in the software itself at: |
2022-01-06 15:39:09| https://github.com/dani-garcia/vaultwarden/issues/new |
2022-01-06 15:39:09--------------------------------------------------------------------/
2022-01-06 15:39:09[INFO] No .env file found.
2022-01-06 15:39:09/--------------------------------------------------------------------\

[BlackDex]

Please post the Support String which you can generate via the /admin/diagnostics page.

[mburgess00]

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.23.1
• Web-vault version: v2.25.0
• Running within Docker: false (Base: Debian)
• Environment settings overridden: false
• Uses a reverse proxy: true
• IP Header check: false (X-Forwarded-For)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: PostgreSQL
• Database version: PostgreSQL 10.14 on x86_64-pc-linux-gnu, compiled by x86_64-unknown-linux-gnu-gcc (GCC) 4.9.4, 64-bit
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "**********://***********:************************@***********.********************.*********.***.*********.***/***********",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****.*********.***",
  "domain_origin": "*****://*****.*********.***",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 5 * * * *",
  "emergency_request_timeout_schedule": "0 5 * * * *",
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_org_name": "Hillman RDS",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "************.***",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "***********@************.***",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "****.********.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "******",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

[BlackDex]

It seems to work for me.
At least on the testing tagged image.

Could you check if the mail was expired? The expire time is 5 day's.
Also, if you have changed the rsa generated keys used to encode the JWT tokens, decoding them will not work.

[mburgess00]

Thanks for the reply. The mail had been sent moments before the link was clicked so I'm sure it wasn't expired. The only thing I could think with the rsa generated keys is that we are running two instances of the container in AWS ECS in a fault-tolerant configuration. Would it be possible that the containers have their own keys? If so is there a way to inject/store the key outside of the container?

[BlackDex]

Those keys are stored on the volume and if the files do not exists they are generated. So, if you store the same files for both instances it should work.
Though Vaultwarden isn't really HA capable. Some items will not work correctly.

• attachments are stored per container
• send files are stored per container
• web-sockets for update notifications aren't shared and it could even report unauthenticated during the session if they switch between container.

The first two could be solved with sharing that via a S3 bucket maybe, that would also solve the storage of the rsa keys.

[mburgess00]

Okay, that's great clarification, thank you!

[mburgess00]

I confirmed going down to a single instance fixed this so thank you very much for the help!