Identity Container reporting error during login

[OneBluePumpkin]

Since 2025.11.1 (also in 2025.12.0) I'm receiving below crit/fatal error during the login. Also, the Settings - Subscription does not work anymore: When clicking on it, it just opens the home page - no error is shown anywhere (only during login in logs).

The interesting part being: When using the original containers (without BitBetter-patch), the same error occurs. But it might still be possible that BitBetter or the way license activation works is causing this.

What I found out: It seems that when having a organization with a full license imported via BitBetter, and the user being part of it, the user does also have Premium automatically. In this case, Bitwarden seems to want to hide the Subscription page but doesn't when the user already has a prior license imported.

I'm wondering if it's possible to somehow remove a license from a user. I don't think official Bitwarden support would appreciate this issue to be raised with them...

The error during login:

# docker logs identity-server
crit: Duende.IdentityServer.Hosting.IdentityServerMiddleware[0]
      => SpanId:xxx, TraceId:xxx, ParentId:0000000000000000 => ConnectionId:xxx => RequestPath:/identity/connect/token RequestId:xxx:xxx => IpAddress:xxx UserAgent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 DeviceType:9 Origin:9 ClientVersion:2025.12.0
      Unhandled exception: '"' is invalid after a single JSON value. Expected end of data. Path: $ | LineNumber: 15 | BytePositionInLine: 1.
      System.Text.Json.JsonException: '"' is invalid after a single JSON value. Expected end of data. Path: $ | LineNumber: 15 | BytePositionInLine: 1.
       ---> System.Text.Json.JsonReaderException: '"' is invalid after a single JSON value. Expected end of data. LineNumber: 15 | BytePositionInLine: 1.
         at System.Text.Json.ThrowHelper.ThrowJsonReaderException(Utf8JsonReader& json, ExceptionResource resource, Byte nextByte, ReadOnlySpan`1 bytes)
         at System.Text.Json.Utf8JsonReader.ConsumeNextToken(Byte marker)
         at System.Text.Json.Utf8JsonReader.ReadSingleSegment()
         at System.Text.Json.Utf8JsonReader.Read()
         at System.Text.Json.Serialization.JsonConverter`1.ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
         --- End of inner exception stack trace ---
         at System.Text.Json.ThrowHelper.ReThrowWithPath(ReadStack& state, JsonReaderException ex)
         at System.Text.Json.Serialization.JsonConverter`1.ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
         at System.Text.Json.JsonSerializer.ReadFromSpan[TValue](ReadOnlySpan`1 utf8Json, JsonTypeInfo`1 jsonTypeInfo, Nullable`1 actualByteCount)
         at System.Text.Json.JsonSerializer.ReadFromSpan[TValue](ReadOnlySpan`1 json, JsonTypeInfo`1 jsonTypeInfo)
         at Bit.Core.Billing.Services.LicensingService.ReadUserLicense(User user) in /source/src/Core/Billing/Services/Implementations/LicensingService.cs:line 288
         at Bit.Core.Billing.Services.LicensingService.ProcessUserValidationAsync(User user) in /source/src/Core/Billing/Services/Implementations/LicensingService.cs:line 214
         at Bit.Core.Billing.Services.LicensingService.ValidateUserPremiumAsync(User user) in /source/src/Core/Billing/Services/Implementations/LicensingService.cs:line 209
         at Bit.Identity.IdentityServer.ProfileService.GetProfileDataAsync(ProfileDataRequestContext context) in /source/src/Identity/IdentityServer/ProfileService.cs:line 62
         at Duende.IdentityServer.Services.DefaultClaimsService.GetAccessTokenClaimsAsync(ClaimsPrincipal subject, ResourceValidationResult resourceResult, ValidatedRequest request) in /_/identity-server/src/IdentityServer/Services/Default/DefaultClaimsService.cs:line 211
         at Duende.IdentityServer.Services.DefaultTokenService.CreateAccessTokenAsync(TokenCreationRequest request) in /_/identity-server/src/IdentityServer/Services/Default/DefaultTokenService.cs:line 180
         at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessRefreshTokenRequestAsync(TokenRequestValidationResult request) in /_/identity-server/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 200
         at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) in /_/identity-server/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 101
         at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/identity-server/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 143
         at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/identity-server/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 81
         at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/identity-server/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 109
fail: Microsoft.AspNetCore.Server.Kestrel[13]
      => SpanId:xxx, TraceId:xxx, ParentId:0000000000000000 => ConnectionId:xxx => RequestPath:/identity/connect/token RequestId:xxx:xxx
      Connection id "xxx", Request id "xxx:xxx": An unhandled exception was thrown by the application.
      System.Text.Json.JsonException: '"' is invalid after a single JSON value. Expected end of data. Path: $ | LineNumber: 15 | BytePositionInLine: 1.
       ---> System.Text.Json.JsonReaderException: '"' is invalid after a single JSON value. Expected end of data. LineNumber: 15 | BytePositionInLine: 1.
         at System.Text.Json.ThrowHelper.ThrowJsonReaderException(Utf8JsonReader& json, ExceptionResource resource, Byte nextByte, ReadOnlySpan`1 bytes)
         at System.Text.Json.Utf8JsonReader.ConsumeNextToken(Byte marker)
         at System.Text.Json.Utf8JsonReader.ReadSingleSegment()
         at System.Text.Json.Utf8JsonReader.Read()
         at System.Text.Json.Serialization.JsonConverter`1.ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
         --- End of inner exception stack trace ---
         at System.Text.Json.ThrowHelper.ReThrowWithPath(ReadStack& state, JsonReaderException ex)
         at System.Text.Json.Serialization.JsonConverter`1.ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
         at System.Text.Json.JsonSerializer.ReadFromSpan[TValue](ReadOnlySpan`1 utf8Json, JsonTypeInfo`1 jsonTypeInfo, Nullable`1 actualByteCount)
         at System.Text.Json.JsonSerializer.ReadFromSpan[TValue](ReadOnlySpan`1 json, JsonTypeInfo`1 jsonTypeInfo)
         at Bit.Core.Billing.Services.LicensingService.ReadUserLicense(User user) in /source/src/Core/Billing/Services/Implementations/LicensingService.cs:line 288
         at Bit.Core.Billing.Services.LicensingService.ProcessUserValidationAsync(User user) in /source/src/Core/Billing/Services/Implementations/LicensingService.cs:line 214
         at Bit.Core.Billing.Services.LicensingService.ValidateUserPremiumAsync(User user) in /source/src/Core/Billing/Services/Implementations/LicensingService.cs:line 209
         at Bit.Identity.IdentityServer.ProfileService.GetProfileDataAsync(ProfileDataRequestContext context) in /source/src/Identity/IdentityServer/ProfileService.cs:line 62
         at Duende.IdentityServer.Services.DefaultClaimsService.GetAccessTokenClaimsAsync(ClaimsPrincipal subject, ResourceValidationResult resourceResult, ValidatedRequest request) in /_/identity-server/src/IdentityServer/Services/Default/DefaultClaimsService.cs:line 211
         at Duende.IdentityServer.Services.DefaultTokenService.CreateAccessTokenAsync(TokenCreationRequest request) in /_/identity-server/src/IdentityServer/Services/Default/DefaultTokenService.cs:line 180
         at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessRefreshTokenRequestAsync(TokenRequestValidationResult request) in /_/identity-server/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 200
         at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) in /_/identity-server/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 101
         at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/identity-server/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 143
         at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/identity-server/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 81
         at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/identity-server/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 109
         at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/identity-server/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 131
         at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/identity-server/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 120
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/identity-server/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 51
         at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/identity-server/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
         at Bit.Core.Utilities.CurrentContextMiddleware.Invoke(HttpContext httpContext, ICurrentContext currentContext, GlobalSettings globalSettings) in /source/src/Core/Utilities/CurrentContextMiddleware.cs:line 19
         at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Builder.Extensions.UsePathBaseMiddleware.InvokeCore(HttpContext context, PathString matchedPath, PathString remainingPath)
         at Bit.Identity.Startup.<>c__DisplayClass10_1.<<Configure>b__2>d.MoveNext() in /source/src/Identity/Startup.cs:line 187
      --- End of stack trace from previous location ---
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

[h44z]

Looks like there’s an issue with the license. Can you try regenerating it and test if the error still occurs with the new license?

[OneBluePumpkin]

Even if I re-generate it, I can't import it. The "Subscription" menu item doesn't let me access the respective menu to change the license. Interestingly, the premium status is still up and recognized.

Also, the licenses in organizations do still work fine and their respective "Subscription"-menu works.

[OneBluePumpkin]

I'm pretty confident it's related to how premium status is handled since 2025.11. In some Bitwarden Community threads I've found explanation that Bitwarden wanted to hide the Subscription menu if the user already receives premium through the organization and avoid users buying premium twice.

Also in the organization license setting UsersGetPremium is enabled:

BitBetter/src/licenseGen/Program.cs

Line 422 in 31a08b7

set("UsersGetPremium", true);

For the edge-case of having user-specific enabled premium, it would be needed to disable the premium status for the user.

Looks like disabling premium doesn't seem to be so complicated... The code also just seems to set Premium = 0 (as it's data-type bit in database) and PremiumExpirationDate to the current UTC date.

    private async Task DisablePremiumAsync(User user, ILicense license, string reason)
    {
        _logger.LogInformation(Core.Constants.BypassFiltersEventId, null,
            "User {0}({1}) has an invalid license and premium is being disabled. Reason: {2}",
            user.Id, user.Email, reason);


        user.Premium = false;
        user.PremiumExpirationDate = license?.Expires ?? DateTime.UtcNow;
        user.RevisionDate = DateTime.UtcNow;
        await _userRepository.ReplaceAsync(user);


        await _mailService.SendLicenseExpiredAsync(new List<string> { user.Email });
    }

Source: https://github.com/bitwarden/server/blob/4f7e76dac75b066d234a883631667f6e8215ccd4/src/Core/Billing/Services/Implementations/LicensingService.cs#L237-L249

But not sure what's the best approach. Manual database change? Any IP? Adding some BitBetter-specific code to do it automatically? (I'd assume Bitwarden would avoid this on their backend too)

[OneBluePumpkin]

To disable premium via database query:

source /opt/bitwarden/bwdata/env/mssql.override.env
docker exec bitwarden-mssql sh -c "/opt/mssql-tools/bin/sqlcmd -y0 -r1 -U sa -P \"${SA_PASSWORD}\" -d vault -Q \"UPDATE [dbo].[User] SET Premium=0, PremiumExpirationDate=SYSUTCDATETIME(), RevisionDate=SYSUTCDATETIME() WHERE Premium=1 AND Email=N'user@example.com';\""

[h44z]

But if you are already a member of an organization with a premium license, why would you need an extra license for that user specifically?

[OneBluePumpkin]

Yep. That's the point. Earlier than 2025.11.0 this was possible: having a user license and organization license. I did at first only use the user account without any organization and migrated later to a organization.

And this now caused issues of the "Subscription" menu.

[GieltjE]

If they are now mutualy exclusive we should maybe add some notes to the documentation and the generator?