swagger authentication with oauth2 scope "api.organization" fails
Steps To Reproduce
- Go to 'https://bitwarden.mycompany.com/api/docs'
- Click on 'Authorize'
- Fill OAuth2 credentials (client_id, client_secret)
- Select the single available scope "api.organization"
- Click on authorize
Expected Result
The authentication with oauth2 credentials succeeds on self-hosted instances.
Actual Result
The authentication with oauth2 credentials on self-hosted instances fails with the error "Auth ErrorError: Bad Request, error: invalid_grant".
Screenshots or Videos
Additional Context
I tried to reproduce the error with curl and could pin it down to a wrong oauth2 scope. Here is the request that fails with the api.organization scope:
$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api.organization' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>'
{"error":"invalid_scope"}
Changing the scope to api succeeds:
$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>'
{"error":"invalid_grant","ErrorModel":{"Message":"No device information provided.","Object":"error"}}
# same request with the device fields added
$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>' \
-d 'deviceName=firefox&twoFactorCode=0&deviceIdentifier=0&deviceType=0'
{"access_token":"...", ...}
A similar issue has also already been raised in the bitwarden elastic integration: https://github.com/elastic/integrations/issues/10022
Build Version
2024.5.0
Environment
Self-Hosted
Environment Details
- Operating System: Red Hat Enterprise Linux 8.10
- Environment: Docker
Issue Tracking Info
- [X] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Hi there,
Thank you for your report!
I have flagged this to our engineering team.
If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time - our engineering team will be happy to review these.
Thanks once again!
@cbbit Any updates on this issue?
Hey @fgierlinger - Sorry for the delay in getting back to you! The api.organization scope is correct. However, it looks like you're trying to use a user scoped API key, which is why you're seeing the authorization error. You'll need to follow the steps outlined here to retrieve your Organization's API key to use that instead. If you're still having a problem, feel free to contact our Customer Success team.
I'm going to close this issue. Thank you! 👍
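The reporter's curl sequence and the maintainer's reply together describe the client_credentials request for the two key types: a user API key with scope=api plus device fields, and an organization API key with scope=api.organization. As an added example (not Bitwarden's code; the host is the reporter's placeholder and the device values are the ones from the curl calls), this Python script builds the correct form body for either key type and turns the identity server's JSON replies seen above into a diagnosis:

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder host taken from the report; replace with your own instance.
IDENTITY_URL = "https://bitwarden.mycompany.com/identity/connect/token"


def build_token_form(key_type, client_id, client_secret, device_identifier="0"):
    """Form body for the client_credentials grant, per key type ("user" or "organization")."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if key_type == "user":
        form["scope"] = "api"
        # Without these fields the server answers invalid_grant /
        # "No device information provided." (second curl call in the report).
        form.update({"deviceName": "firefox",
                     "deviceIdentifier": device_identifier, "deviceType": "0"})
    elif key_type == "organization":
        form["scope"] = "api.organization"  # organization API key, per the maintainer
    else:
        raise ValueError(f"unknown key type: {key_type}")
    return form


def classify_token_response(body):
    """Map an identity-server JSON body to a short diagnosis string."""
    data = json.loads(body)
    if "access_token" in data:
        return "ok"
    err = data.get("error")
    if err == "invalid_scope":
        return "scope not valid for this client (user key: api, organization key: api.organization)"
    if err == "invalid_grant":
        msg = data.get("ErrorModel", {}).get("Message", "")
        if "device" in msg.lower():
            return "missing device fields (deviceName/deviceIdentifier/deviceType)"
        return f"invalid_grant: {msg or 'check client_id/client_secret and key type'}"
    return f"unexpected response: {err}"


def request_token(key_type, client_id, client_secret, url=IDENTITY_URL):
    """POST the form and return (http_status, diagnosis, parsed body)."""
    body = urlencode(build_token_form(key_type, client_id, client_secret)).encode()
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=10) as resp:
            status, text = resp.status, resp.read().decode()
    except HTTPError as e:  # 400 responses carry the JSON error body
        status, text = e.code, e.read().decode()
    return status, classify_token_response(text), json.loads(text)
```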