Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

swagger authentication with oauth2 scope "api.organization" fails #4162

Open
1 task done
fgierlinger opened this issue Jun 6, 2024 · 2 comments
Open
1 task done
Labels

Comments

@fgierlinger
Copy link

fgierlinger commented Jun 6, 2024

Steps To Reproduce

  1. Go to 'https://bitwarden.mycompany.com/api/docs'
  2. Click on 'Authorize'
  3. Fill OAuth2 credentials (client_id, client_secret)
  4. Select the single available scope "api.organization"
  5. Click on authorize

Expected Result

The authentication with oauth2 credentials success on self hosted instances.

Actual Result

The authentication with oauth2 credentials on self hosted instances fails with the error "Auth ErrorError: Bad Request, error: invalid_grant".

Screenshots or Videos

image

Additional Context

I tried to reproduce the error with curl and could pin it down to a wrong oauth2 scope. Here is the request that fails with the api.organization scope.

$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api.organization' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>
{"error":"invalid_scope"}

Changing the scope to api succeeds

$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>'
{"error":"invalid_grant","ErrorModel":{"Message":"No device information provided.","Object":"error"}}

$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>" \
-d 'deviceName=firefox&twoFactorCode=0&deviceIdentifier=0&deviceType=0'
{"access_token":"...", ...}

A similar issue has also already been raised in the bitwarden elastic integration elastic/integrations#10022

Build Version

2024.5.0

Environment

Self-Hosted

Environment Details

  • Operating System: Red Hat Enterprise Linux 8.10
  • Environment: Docker

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@fgierlinger fgierlinger added the bug label Jun 6, 2024
@cbbit
Copy link

cbbit commented Jun 6, 2024

Hi there,

Thank you for your report!

I have flagged this to our engineering team.

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time - our engineering team will be happy to review these.

Thanks once again!

@fgierlinger
Copy link
Author

@cbbit Any updates on this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants