[cli] export org not working? #21
Comments
|
Hey, For a standard user the The Organization export (In the Admin console) in the web client is calling the same endpoint as the CLI, so the same restriction will apply.
Never used the CLI, but I'm guessing the
Is this the case for the web client too ? Which provider are you using ? |
And this is not what I see. I can export with Web Tools menu from normal users, BUT it seems only the items where the user has "Manage Collection" permission, if the user has only "Edit items" it is not exported. So this is at least what I see.
No this is only with the cli, the web ui is working OK as far as I can see. I am testing with local rauthy 0.28.1 currently. |
Oh I have to correct myself, it is failing for the web ui, too. The refresh token that oidcwarden is complaining about is beeing decoded OK with:
|
|
Update: For some reason oidcwarden has a problem with the refresh token. maybe it doesn't support EdDSA. UPDATE: Line 26 in 149d0c1 Line 102 in 149d0c1 There is also this hint, so I just disable it: But maybe it would be better to handle the error instead of failing to login or support all algorithms? |
|
Thanks for the investigation :). I'll have to check it because there is something strange, the JWT with the Additionally, I do try to decode the |
|
Hey Sorry should have had a closer look earlier :(. As I expected the issue is not around the use of I don't think it's a good idea to try to change the Luckily the issue was raised and an env setting allow bypassing the issue: |
|
Oh great you identified it already, many thanks! No problem, I am fighting with so many stuff around the whole topic and other stuff at the same time that I did not find the time to check it myself, so I am more than happy that you found how to get it working. Will try it 👍 |
|
Seems to work! :)
|
Is anybody able to export an org vault with the cli?
With web ui with the same user (no admin) it is working at least partially, not the full org vault is exported, credentials in folders got not exported.
I would expect it to be the same.
So either I need to be admin or not.
src:
https://bitwarden.com/help/export-your-data/#tab-cli-2er90bORbbPnqOiFdfz6vW
Using the current one (Windows 11):
bw-windows-2025.2.0.zip
Login with cli is possible, but ONLY if I set "sso_auth_only_not_session" to TRUE.
If set to false I get:
message: 'Unable to refresh login credentials: Impossible to read refresh_token: Error decoding JWT'Unlocking and listing orgs is also working fine.
But as soon as I try to export, the session seems to get invalidated.
Steps:
after this no more calls are possible, session is not valid anymore.
and the same error in oidcwarden trace:
Your environment (Generated via diagnostics page)
Config & Details (Generated via diagnostics page)
Show Config & Details
Config:
{ "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*****************", "domain_origin": "*****://*****************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials,autofill-overlay,autofill-v2,browser-fileless-import", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": false, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "log.txt", "log_level": "trace", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": true, "organization_invite_auto_accept": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": true, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************************", "smtp_from_name": "Vaultwarden", "smtp_host": "************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": true, "sso_authority": "https://win10pro.lab:8443/auth/v1", "sso_authorize_extra_params": "", "sso_callback_path": "https://win10pro.lab:8000/identity/connect/oidc-signin", "sso_client_cache_expiration": 0, "sso_client_id": "11111222222", "sso_client_secret": "***", "sso_debug_force_fail_auth_code": false, "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_organizations_all_collections": true, "sso_organizations_id_mapping": "", "sso_organizations_invite": false, "sso_organizations_revocation": false, "sso_organizations_token_path": "/groups", "sso_pkce": true, "sso_roles_default_to_user": true, "sso_roles_enabled": false, "sso_roles_token_path": "/resource_access/11111222222/roles", "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null }The text was updated successfully, but these errors were encountered: