server
server copied to clipboard
swagger authentication with oauth2 scope "api.organization" fails
Steps To Reproduce
- Go to 'https://bitwarden.mycompany.com/api/docs'
- Click on 'Authorize'
- Fill OAuth2 credentials (client_id, client_secret)
- Select the single available scope "api.organization"
- Click on authorize
Expected Result
The authentication with oauth2 credentials success on self hosted instances.
Actual Result
The authentication with oauth2 credentials on self hosted instances fails with the error "Auth ErrorError: Bad Request, error: invalid_grant".
Screenshots or Videos
Additional Context
I tried to reproduce the error with curl and could pin it down to a wrong oauth2 scope. Here is the request that fails with the api.organization scope.
$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api.organization' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>
{"error":"invalid_scope"}
Changing the scope to api succeeds
$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api' \
-d 'grant_type=client_credentials&client_id=<user>&client_secret=<secret>'
{"error":"invalid_grant","ErrorModel":{"Message":"No device information provided.","Object":"error"}}
$ curl -X POST https://bitwarden.mycompany.com/identity/connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'scope=api' \
-d 'grant_type=client_credentials&scope=api&client_id=<user>&client_secret=<secret>" \
-d 'deviceName=firefox&twoFactorCode=0&deviceIdentifier=0&deviceType=0'
{"access_token":"...", ...}
A similar issue has also already been raised in the bitwarden elastic integration https://github.com/elastic/integrations/issues/10022
Build Version
2024.5.0
Environment
Self-Hosted
Environment Details
- Operating System: Red Hat Enterprise Linux 8.10
- Environment: Docker
Issue Tracking Info
- [X] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.