search

bitwarden / server

Bitwarden infrastructure/backend (API, database, Docker, etc).
https://bitwarden.com
Other
14.74k stars 1.23k forks source link

swagger authentication with oauth2 scope "api.organization" fails #4162

Open fgierlinger opened 1 month ago

fgierlinger commented 1 month ago

Steps To Reproduce

  1. Go to 'https://bitwarden.mycompany.com/api/docs'
  2. Click on 'Authorize'
  3. Fill OAuth2 credentials (client_id, client_secret)
  4. Select the single available scope "api.organization"
  5. Click on authorize

Expected Result

The authentication with oauth2 credentials success on self hosted instances.

Actual Result

The authentication with oauth2 credentials on self hosted instances fails with the error "Auth ErrorError: Bad Request, error: invalid_grant".

Screenshots or Videos

image

Additional Context

I tried to reproduce the error with curl and could pin it down to a wrong oauth2 scope. Here is the request that fails with the api.organization scope.

$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api.organization' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>
{"error":"invalid_scope"}

Changing the scope to api succeeds

$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>'
{"error":"invalid_grant","ErrorModel":{"Message":"No device information provided.","Object":"error"}}

$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api' \
-d 'grant_type=client_credentials&scope=api&client_id=<user>&client_secret=<secret>" \
-d 'deviceName=firefox&twoFactorCode=0&deviceIdentifier=0&deviceType=0'
{"access_token":"...", ...}

A similar issue has also already been raised in the bitwarden elastic integration https://github.com/elastic/integrations/issues/10022

Build Version

2024.5.0

Environment

Self-Hosted

Environment Details

Issue Tracking Info

cbbit commented 1 month ago

Hi there,

Thank you for your report!

I have flagged this to our engineering team.

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time - our engineering team will be happy to review these.

Thanks once again!