Missing Basic authentication in REST authentication documentation
The documentation states that 4 parameters need to be passed to get the Bearer Token: grant_type, scope, client_id, client_secret. When providing those 4 parameters to the API in a self-hosted setup, the server responds only with {"error":"invalid_client"}.
When I was inspecting the request that is made in the API-Documentation (
$ curl -X POST "http://localhost:8080/identity/connect/token" -H 'Content-Type: application/x-www-form-urlencoded' -d "grant_type=client_credentials&scope=api.organization&client_id=organization.my-org-id&secret=sup3rs3cr3t"
{"error":"invalid_client"}
$
$ curl -X POST "http://localhost:8080/identity/connect/token" -H 'Content-Type: application/x-www-form-urlencoded' -d "grant_type=client_credentials&scope=api.organization" --user "organization:my-org-id:sup3rs3cr3t"
{"access_token":"<access-token>","expires_in":3600,"token_type":"Bearer","scope":"api.organization"}
I couldn't find where the source for the API documentation is stored. Could you please update the documentation to the correct API call (via Basic Authentication)?
The API documentation isn't very helpful as it only documents how to access the organization API and, furthermore, authentication for self-hosted instances is not documented.
All you really need is: grant_type, username, password, scope and client_id in your request.
For example:
--data-raw 'grant_type=password&username=<EMAIL>&password=<PASSWORD_HASH>&scope=api&client_id=web'
The email and password hash have to be URL-encoded, and the password hash itself is basically two rounds of pbkdf2_hmac hashing where the secret and salt used are either the email, master password or an intermediate key derived from the two.
Take a look at the code here: https://github.com/birlorg/bitwarden-cli/blob/trunk/python/bitwarden/client.py#L63
I found this repo after I implemented it myself 🤦♂️.
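The two-round derivation and the form body described in the comment above, as an added example written for this page (not code from the thread or from the linked repository). Assumptions not stated above: the PRF is HMAC-SHA256, the first round uses the master password as secret and the lowercased e-mail as salt, the second round uses the intermediate key as secret and the master password as salt for one iteration, and the iteration count of 5000 is only a placeholder that varies by Bitwarden version.

```python
import base64
import hashlib
from urllib.parse import urlencode

# Assumed construction (not spelled out on the page): round one turns the master
# password into a 32-byte intermediate key salted with the normalized e-mail;
# round two re-hashes that key once, salted with the master password, and the
# base64 of the result is what goes into the "password" form field.


def master_key(email: str, password: str, iterations: int) -> bytes:
    """Round one: secret = master password, salt = trimmed, lowercased e-mail."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def master_password_hash(email: str, password: str, iterations: int) -> str:
    """Round two: secret = intermediate key, salt = master password, 1 iteration."""
    key = master_key(email, password, iterations)
    digest = hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"), 1, dklen=32)
    return base64.b64encode(digest).decode("ascii")


def password_grant_body(email: str, password: str, iterations: int = 5000,
                        scope: str = "api", client_id: str = "web") -> str:
    """Build the URL-encoded body for POST /identity/connect/token (password grant).

    The iteration count default is a placeholder; use the value your server expects.
    """
    fields = {
        "grant_type": "password",
        "username": email,
        "password": master_password_hash(email, password, iterations),
        "scope": scope,
        "client_id": client_id,
    }
    # urlencode percent-escapes '@' in the e-mail and '+', '/', '=' in the base64
    # hash, so the server decodes exactly the bytes that were derived.
    return urlencode(fields)


if __name__ == "__main__":
    # Constructed sample credentials; not a real account.
    print(password_grant_body("alice@example.com", "correct horse battery staple"))
```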