bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Autofill basic auth prompts #116

Closed dralley closed 7 years ago

dralley commented 7 years ago

For instance, some routers do this, as well as ADP iPay which is my payroll site.

LastPass can handle this but it doesn't appear that Bitwarden can.

kspearrin commented 7 years ago

@pannal I just tested this in Chrome and Firefox on our local router admin page here and it worked properly. Can you give any information on the website this is a problem on?

pannal commented 7 years ago

@kspearrin turns out I wasn't using it correctly. The password stored was wrong, but there was no indication of BW even trying to use the login upon basic authentication.

kspearrin commented 7 years ago

Anyone able to check in and see what LastPass is doing in their extension now with FF 57?

jjdelc commented 7 years ago

I just installed it to check on nightly, and it looks like they're dropping trying to fill out the auth forms altogether. I am adding credentials but still seeing the prompt empty, not detecting it.

Attoy commented 7 years ago

@kspearrin LastPass can't fill HTTP Authentication, they said that this function was related to the communication between the add-on and the binary component. The new add-on (WebExtension) due to the API limitations cannot communicate anymore with the binary component hence no auto-fill HTTP Authentication (yet?).

ghost commented 6 years ago

Hi, I understand the current situation and I'm okay with Bitwarden only handling a single login for a domain, however, would it be possible to differentiate between subdomains? At work we are running various services at our company domains, so you get domains like webconsole.domain.com, documentserver.domain.com, testingtool.domain.com and one of those uses basic auth prompts. Defining subdomains in the app stopped the prompts autofilling.

kspearrin commented 6 years ago

@hluposti That is being tracked at #77

ghost commented 6 years ago

Oh, sorry about that. I will search next time.

synotna commented 6 years ago

@kspearrin did you notice/consider my suggestion?

Then what about onAuthRequired go to a credential selector page view in the content area? i.e. skip using the browser dialog completely

i.e. use a page to pick which credentials bitwarden uses when it encounters instead of the regular http basic dialog

kspearrin commented 6 years ago

@synotna Not sure if that is possible.

synotna commented 6 years ago

Not sure myself :) Looking at the web extension docs, my thought process was instead of the browser's http basic auth dialog use a https://developer.mozilla.org/en-US/Add-ons/WebExtensions/user_interface/Extension_pages

LeoTPSC commented 6 years ago

This feature still does not seem to work for me. For example, when I go to my router login page, it does not fill in the credentials automatically or on request. I'm using Chrome.

Crocmagnon commented 6 years ago

Does Bitwarden detect more than one login entry for your router? If so, that's normal (see this message https://github.com/bitwarden/browser/issues/116#issuecomment-327991012).

LeoTPSC commented 6 years ago

Yes, that is exactly what happens, changed the website detection parameters and it works fine now. Thanks!

Thranthir commented 6 years ago

Hey Guys,

first of all thanks for the cool Program.

I used KeePass before (and still for BasicAuth) with the Plugin Kee for Firefox https://www.kee.pm/.

They solved it with a Window, which appears instead of the Prompt, where I can choose the needed Credential.

Maybe this can help.

Regards Dean

gbdlin commented 6 years ago

Yes, it is actually possible to implement using new window - browsers will ensure to display this window on top.

Aspire1Inspire2 commented 5 years ago

Why is this issue closed? I reportedly still cannot fill in pop-up password window from Firefox 67 on June 10, 2019. Is this issue already resolved?

SylwesterZarebski commented 5 years ago

Did You fulfil requirements of having exactly ONE credential for site with basic auth?

pandiloko commented 5 years ago

I would like to see support for basic auth and multiple credentials. I really like Bitwarden and would like to switch but I make extensive use of basic auth and at this moment Keepassxc is doing a better job at that.

I think they hold the GET request until you click on the icon and select one of the stored credentials. That way you don't even see the pop-up and can have multiple creds. Of course if you only have one you are automatically logged in. Does it seem a feasible solution to implement for you?

Anyway keep up the good job!

Crocmagnon commented 5 years ago

If you want to hold the request you need to have a flag telling that some particular request will ask for basic auth, which doesn't seem very obvious to implement.

pandiloko commented 5 years ago

You got me there. I don't really know how exactly they do it. I kind of explained how it feels like. If I open a new tab with the developer tools enabled and try to open a protected site, the GET request just hangs up there without any data transfer going on until I click on the icon. Perhaps they do some kind of internal wget --spider to test for a 401 server response. A look at the code should clarify this but I mean: it should be doable.

synotna commented 4 years ago

Hey @kspearrin should we open a separate issue to support http basic auth choosing from multiple credentials?

I have a basic proof of concept working with https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Extension_pages

If you would not implement yourself, would you accept an MR for it?

What would your preferred UX be?

My idea would be a sort of custom bitwarden styled http basic auth page with the option to fill in username/password yourself, or choose from the credentials that are found

kspearrin commented 4 years ago

Sure, we can give that a try. For now, just make the UX very basic with links to usernames to click.

luckman212 commented 4 years ago

Hey @synotna any luck on this?

synotna commented 4 years ago

Over the Xmas break I managed to get an extremely rudimentary proof of concept working - an empty webextension that implemented my idea: onAuthRequired opened a tab or popup with a list of buttons that represented creds, hitting button sent the creds to the waiting tab

I followed https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onAuthRequired "Provide credentials asynchronously"

I tried to port it to bitwarden but as I have no idea what I'm doing with frontend stack (angular etc) I didn't get very far before I ran out of time...

Unfortunately the device I had all of this on was wiped last week 😣
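The flow described in the comment above (answering `onAuthRequired` asynchronously, with a picker when several logins match), as an added example that is not code from this thread or from Bitwarden. The vault shape, `handleAuthRequired` and the `choose` callback are assumptions; the example also covers the rejected-password retry and proxy-challenge cases.

```javascript
// Added example: the vault shape and the `choose` picker are hypothetical.
const retried = new Set(); // requestIds that have already been answered once

// Constructed sample vault: one entry per stored login.
const vault = [
  { host: "router.example", port: 80, username: "admin", password: "constructed-1" },
  { host: "wiki.example", port: 443, username: "alice", password: "constructed-2" },
  { host: "wiki.example", port: 443, username: "bob", password: "constructed-3" },
];

// Decide how to answer one onAuthRequired event.
// `choose` is an async picker (e.g. an extension page) used when several logins match.
async function handleAuthRequired(details, entries, choose) {
  // Proxy challenges come from the proxy, not the site: never answer with site logins.
  if (details.isProxy) return {};
  // The browser fires the event again when credentials are rejected; a second
  // event for the same request means the stored password is wrong, so stop.
  if (retried.has(details.requestId)) return { cancel: true };
  // Match on the challenger (the server asking), not on the tab's URL.
  const { host, port } = details.challenger;
  const matches = entries.filter((e) => e.host === host && e.port === port);
  if (matches.length === 0) return {}; // fall back to the browser's own prompt
  const picked = matches.length === 1 ? matches[0] : await choose(matches);
  if (!picked) return {}; // picker dismissed: fall back to the browser's prompt
  retried.add(details.requestId);
  return { authCredentials: { username: picked.username, password: picked.password } };
}

// Registration, only when running inside a WebExtension (promise-based API).
if (typeof browser !== "undefined" && browser.webRequest) {
  const filter = { urls: ["<all_urls>"] };
  // No picker page is wired here, so multiple matches fall back to the prompt.
  browser.webRequest.onAuthRequired.addListener(
    (details) => handleAuthRequired(details, vault, async () => null),
    filter,
    ["blocking"]
  );
  // Forget finished requests so the retry set does not grow without bound.
  browser.webRequest.onCompleted.addListener((d) => retried.delete(d.requestId), filter);
  browser.webRequest.onErrorOccurred.addListener((d) => retried.delete(d.requestId), filter);
}
```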

Pirateguybrush commented 4 years ago

Any chance of an update on this feature please?

pandiloko commented 4 years ago

So I have some sites which need Basic Auth with multiple users. Mainly for development for testing projects or managing some web applications. Not having support in Bitwarden was a deal-breaker for me but I have finally found a workaround.

Since in my case there aren't sooo many sites and users I associated manually each user login to a specific URL with exact match, e.g.:

And each URL is saved in the Bookmarks Toolbar with the username so depending on which bookmark link I use bitwarden picks one user or the other.

I use Firefox Multi-Account Containers extension to login with multiple users in different colored tabs at the same time (as I always have done with keepassxc) and Bitwarden is able to log me in with multiple users with this little trick. So I have been able to completely migrate everything to Bitwarden and don't miss anything.

I hope this helps someone.

rodfersou commented 4 years ago

you should have a flag in the password list to indicate which one should be used for basic auth... no need to guess anything.

rodfersou commented 4 years ago

@pandiloko your workaround worked for me! thanks for the suggestion!

bpsib commented 3 years ago

@pandiloko Can you explain your workaround clearer? I can't understand it.

EDIT: Just added my router login to Bitwarden and it's working. I was straight in without the login prompt when I went to it on another device. Your workaround is just for multiple users for the same site in addition to what already works.

pandiloko commented 3 years ago

@bpsib glad you already figured it out. Yes, my workaround is for multiple users in the same basic-auth protected application or web site. Although this is valid for any kind of authentication.

Just in case: the "trick" is to add each user and set the URL match to "exact" with a specific URL. It doesn't matter which one as long as each user has a unique URL. You save then those URLs in your bookmarks (indicating the user so it is easier to identify). For example for wordpress site you could use:

So if you want to change wordpress settings you use the second link and Bitwarden will match the URL and log you in with admin. If you want to comment with an unprivileged user, you select the last link and will be logged in as commenter. And so on.

Of course this approach makes the most sense if used together with Firefox's Multi-Account Containers extension:

https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/

Nypheena commented 3 years ago

Kee for KeePass works very well for basic auth prompts, even supports multiple choice, maybe check how they did it.