doy / rbw

unofficial bitwarden cli
https://git.tozt.net/rbw

Support for SSO? #118

Closed fiskhest closed 3 weeks ago

fiskhest commented 1 year ago

I'm an enforced SSO user of bitwarden, and when I try to login I get:

rbw list: failed to log in to bitwarden instance: api request returned error: 400

I have previously done a rbw register with my API credentials.

A quick search for sso in this repository yields no hits, so I just wanted to verify if the utility has support for sso or not before I dive further?

doy commented 12 months ago

sso is not currently supported, but i would be happy to review prs implementing it.

peon-pasado-zeitnot commented 10 months ago

I would like to share some additional information about the current SSO state that may be helpful.

I wasn't aware that SSO is not supported, so I spent some time debugging the issue using trial and error messages before I found this issue and learned that SSO is not supported. But since I didn't know that, I almost made it work ;)

tl;dr: I initially thought that the problem was with 2FA, not SSO. Since I disabled 2FA for testing, I (my account ;) ) was removed from the organisation. The plot twist is that I managed to log in using rbw after re-enabling 2FA and being added back to the organisation.

longer version: I tried to log in with rbw from 3 different 'fresh' (not registered in BW) systems: my Intel Macbook, Debian VM, M2 Macbook, always ending up with error 400 without any additional information. My account was in an organization with SSO and 2FA enabled. I know my master password and OTP codes were correct since I was getting different error messages when I was deliberately entering wrong credentials.

The interesting thing happened when I was dropped from the organisation due to disabling 2FA for testing. Then I managed to log in. After enabling 2FA and being added to the organisation I couldn't log in again. But after running rbw purge and logging in again I managed to access my vault. My guess is that there was no error 400 at this stage since my device was already registered in BW (since my api key didn't change). Another possible explanation is that rbw purge deletes only the password database but leaves some configuration data, and this allows getting into the flow that doesn't trigger this error.