Server: why bitwarden use password flow?

Created on 21 Jun 2019  路  5Comments  路  Source: bitwarden/server

Some experts say that using password flow is unsafe

https://tools.ietf.org/html/rfc6749#section-10.7

why bitwarden use password flow?

Most helpful comment

Hi @kspearrin

The Scott author has a article about use password flow

https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications

Isso n茫o funcionaria. Precisamos de sess玫es de longo prazo nos clientes do Bitwarden. Os usu谩rios n茫o querem autentica莽茫o com o servidor toda vez que usam o aplicativo.
Use silent refresh

https://www.scottbrady91.com/OpenID-Connect/Silent-Refresh-Refreshing-Access-Tokens-when-using-the-Implicit-Flow

All 5 comments

Which option do you propose?

@kspearrin bitwarden project has identity project

why do not use implict flow?

The implicit flow requests tokens without explicit client authentication, instead using the redirect URI to verify the client identity. Because of this, refresh tokens are not allowed, nor is this flow suitable for long lived access tokens. From the client application's point of view, this is the simplest to implement, as there is only one round trip to the OpenID Connect Provider.

https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows

This wouldn't work. We need long term sessions in Bitwarden clients. Users don't want to auth with the server every time they use the app.

Hi @kspearrin

The Scott author has a article about use password flow

https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications

Isso n茫o funcionaria. Precisamos de sess玫es de longo prazo nos clientes do Bitwarden. Os usu谩rios n茫o querem autentica莽茫o com o servidor toda vez que usam o aplicativo.
Use silent refresh

https://www.scottbrady91.com/OpenID-Connect/Silent-Refresh-Refreshing-Access-Tokens-when-using-the-Implicit-Flow

@kspearrin

Auth Code Flow + PKCE(PROOF Key for Code Exchange) is default in asp.net 3.X

Was this page helpful?
0 / 5 - 0 ratings

Related issues

theontho picture theontho  路  4Comments

chasgames picture chasgames  路  4Comments

pannal picture pannal  路  5Comments

jasonkuehl picture jasonkuehl  路  3Comments

Palf994 picture Palf994  路  3Comments