mvdan / bitw

Minimalist BitWarden client

Can't login with DUO 2fa

CamilleScholtz opened this issue · comments

I double-checked to see if using the 6-digit phrase worked on the Bitwarden website, and it does. But when using it with bitw I get the following error every time:

error: could not login via two-factor: Bad Request: {"error":"invalid_grant","error_description":"invalid_username_or_password","ErrorModel":{"Object":"error","Message":"Two-step token is invalid. Try again.","ValidationErrors":null,"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null}}

Hm - we do have one end-to-end test with 2fa and bitwarden.com, but it's only using one of the 2fa methods.

Unfortunately, as per https://help.bitwarden.com/article/setup-two-step-login/, DUO seems to be a paid 2fa method, and I don't currently own a paid account. I don't know how to go from here without having to pay for one just to debug this.

I'd also like to add a test for this once fixed, but I also don't want to require a paid account to run the tests. Right now, the tests with the real server do use real accounts, but they are dummy free accounts with static contents.

Perhaps you can help me gather more information with your paid account? For example, adding debug prints to double check that the response makes sense. You could also try using their official command line client, and seeing what response it sends when it works.

Now that #12 is fixed, could you try again? I still have no way to test Duo 2fa, though.

Still an error... I'll try some fixes myself this evening.

unsupported two factor auth provider 2:
error: could not login via two-factor: Bad Request: {"error":"invalid_grant","error_description":"invalid_username_or_password","ErrorModel":{"Message":"Two-step token is invalid. Try again.","Object":"error"}}

Spent the evening debugging and could not figure it out. The thing is that on the web interface Duo shows a kind of popup where you can choose your verification method (SMS, push notification, using a number). I think that is where it goes wrong.

Just tried the official CLI, which prints "No providers available for this client." Seems like Duo might only be supported on web.

Related issue: bitwarden/cli#39

Ah, so it seems like this requires extra code to at least talk to the Duo API. It appears that this would require bitw to be an authorized API client, so it might mean it can never work out of the box without some sort of registered app token.

I'm still happy to review patches if someone wants to look into this. The cli issue link above is probably the best place to start. My situation is the same as before - I don't have access to the Duo 2FA method, so I don't currently plan on implementing this.