API always says unauthorized

I’m encountering this issue: authorization works, I get a token.
But then even simple (non-public) GET requests with that token get me an Unauthorized error, and in the logs I see “Error decoding JWT”, but when I paste the token into a decoder it seems valid.

Using Version 1.30.5 as docker container, most recent version as I checked just now, no firewalls/proxies or anything funny, I request directly from the host of the container. Using the API key of the org I try to get the details of.

Code snippet of my Ruby script, maybe someone sees immediately what’s the issue:

```ruby
require 'httparty'

# Request an access token from the identity endpoint.
token_res = HTTParty.post( 'http://127.0.0.1/identity/connect/token',
   headers: { 'Content-Type' => 'application/x-www-form-urlencoded'},
   body: '<scope, client_id,...>' )
vw_token = token_res.parsed_response["access_token"] # printing this token, it seems to be fine.

# Call a non-public endpoint with the token as a bearer credential.
details = HTTParty.get( 'http://127.0.0.1/api/organizations/<org-id>/collections/details',
   headers: { 'Authorization' => "Bearer #{vw_token}" } )
puts details
```

The token has a limited valid duration. So if it takes too long the token will be invalid.

Also, not sure if you use the exact same instance and same RSA keys. Also, sometimes JWTs can be partially decoded.

yeah I know of the time limit, but I guess the 3600 is in seconds, so that would give me an hour and I send the get in the same second I get the token itself…

Also not all endpoints are accessible by using all credential types. Vaultwarden doesn’t support the public API for example. And only allows the organisation API token for the directory connector. Not for accessing all other endpoints.

If you use a personal API token it will probably work.

I’m aware the APIs aren’t the same, that’s why I looked in the vaultwarden repo itself to find the endpoints…good thing they are commented there, w/o knowledge of rust I wouldn’t have found them otherwise I think :smiley:

kk, I will try on Friday whether a token received with user credentials works and will update on my findings.

I tried the directory connector, but simply gave up on it and wanted to write my own script. (it worked for like two days, then with no changes suddenly logs me out without throwing errors when I start the sync, test works fine, even using a backup from the first day doesn’t help)

The API is based upon the Bitwarden Client API.
Our documentation is as good as there’s haha.

ok it does work when using username+password instead of the api credentials…
is there any plan on making endpoints of an organization available to organization API access?

I’m not sure how this currently is with Bitwarden itself. If they support this already, then we might need to add this. Else someone just needs to create the public API endpoints available for Vaultwarden. Which currently isn’t high on my todo list at least.
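
A token that decodes cleanly in a JWT viewer has only been shown to be well formed, which is the situation discussed in this thread. The Ruby helper below is an added example, not code from the thread or from Vaultwarden: it reads the claims without verifying the signature, so expiry and scope can be checked before looking at credential type. The `api.organization` scope name, the helper names and the sample tokens are assumptions constructed for illustration.

```ruby
require 'base64'
require 'json'

# Decode one base64url JWT segment (JWTs strip the '=' padding).
def decode_segment(seg)
  JSON.parse(Base64.urlsafe_decode64(seg + '=' * ((4 - seg.length % 4) % 4)))
end

# Inspect a token WITHOUT verifying its signature. A clean decode only shows
# the token is well formed; the server still checks signature, issuer and
# expiry, and then whether this credential type may call the endpoint.
def inspect_token(token, now: Time.now.to_i)
  parts = token.to_s.split('.')
  return { well_formed: false } unless parts.length == 3
  header = decode_segment(parts[0])
  claims = decode_segment(parts[1])
  return { well_formed: false } unless header.is_a?(Hash) && claims.is_a?(Hash)
  # "scope" may be a JSON array or one space-separated string.
  scopes = Array(claims['scope']).flat_map { |s| s.to_s.split }
  exp = claims['exp']
  {
    well_formed: true,
    alg: header['alg'],
    issuer: claims['iss'],
    seconds_left: exp ? exp - now : nil,
    expired: exp ? exp <= now : nil,
    scopes: scopes,
    # Assumption: organization API keys yield the scope "api.organization".
    org_scoped: scopes.include?('api.organization')
  }
rescue ArgumentError, JSON::ParserError
  { well_formed: false }
end

# Build a sample token (constructed for this example; the signature is a dummy).
def sample_token(claims)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  [enc.call({ 'alg' => 'RS256', 'typ' => 'JWT' }), enc.call(claims), 'c2ln'].join('.')
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  org = sample_token('iss' => 'http://127.0.0.1', 'exp' => now + 3600,
                     'scope' => ['api.organization'])
  p inspect_token(org, now: now) # unexpired, but organization-scoped
end
```

An unexpired token reported as `org_scoped: true` points at credential type rather than lifetime as the reason for the rejection.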