Bitwarden CLI fails with an Auth-Email header invalid

We use a Bitwarden Python plugin to fetch passwords for our infrastructure-as-code system through Ansible.

The plugin uses the official Node bitwarden CLI.

For the past few days, when trying to do a bw login, we have been receiving the following error:

{"response":{"error":"invalid_grant","error_description":"Auth-Email header invalid."},"statusCode":400}"}

OS : CentOS 8
Node : v10.24.0
bw : @bitwarden/[email protected]

I’ve been seeing this as well using bw login for the last few weeks. I figured I’d broken something but I’m seeing it on two independently maintained systems.

bw v.1.16.0
Linux 5.14.13 (Arch Linux, stock kernel)

I’ve had a reply from Bitwarden; a solution might be to use a personal API key (Personal API Key for CLI Authentication | Bitwarden Help & Support).

In our case, we insert the BW_CLIENTID and BW_CLIENTSECRET in the Python subprocess environment, with the --apikey option at startup.

We’re not done yet, but it seems to work. It still requires the master password to unlock though, so calling it an “api key” is a bit of a stretch really.

What’s strange is that it seems to depend on the user and platform, so I suppose there is some kind of algorithm behind it that accepts some CLI connections without a captcha.

@nahili you’re correct. All CLI activity was being flagged as needing a captcha, but we put in some additional rules to allow ‘known’ devices to pass without it.

The API key is a means to connect/authenticate, but the master password will always be needed to decrypt (unlock).

This is all great feedback though - we continue to work to make things easier for automation :+1:
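The flow discussed in the thread (API-key login from a Python subprocess, then a separate unlock with the master password), as an added example that is not code from any poster or from Bitwarden. It assumes the installed CLI supports `bw unlock --passwordenv`, and the names `BwError`, `child_env`, `explain`, `run_bw`, `login_and_unlock` and `get_password` are hypothetical. Secrets are passed only through the child's environment, never on the command line.

```python
import json
import os
import subprocess

REQUIRED = ("BW_CLIENTID", "BW_CLIENTSECRET", "BW_PASSWORD")


class BwError(RuntimeError):
    """bw exited non-zero; the message is the server's error_description if present."""


def child_env(secrets, base=None):
    """Copy the environment and add credentials for the bw child process only."""
    missing = [k for k in REQUIRED if not secrets.get(k)]
    if missing:
        raise BwError("missing credentials: " + ", ".join(missing))
    env = dict(os.environ if base is None else base)
    env.update({k: secrets[k] for k in REQUIRED})
    return env


def explain(output):
    """Extract error_description from output shaped like the error in the thread."""
    start = max(output.find("{"), 0)
    try:
        body, _ = json.JSONDecoder().raw_decode(output, start)
        return body["response"]["error_description"]
    except (ValueError, KeyError, TypeError):
        return output.strip()


def run_bw(args, env, runner=subprocess.run):
    """Run bw with secrets in env (never argv); stdin is closed so it cannot prompt."""
    proc = runner(["bw", *args], env=env, stdin=subprocess.DEVNULL,
                  capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise BwError(explain(proc.stderr or proc.stdout))
    return proc.stdout.strip()


def login_and_unlock(secrets, runner=subprocess.run):
    """API-key login, then unlock with the master password; returns the session key."""
    env = child_env(secrets)
    run_bw(["login", "--apikey"], env, runner)
    # --passwordenv names the variable holding the master password (assumed to be
    # supported by the installed CLI); --raw prints only the session key.
    return run_bw(["unlock", "--passwordenv", "BW_PASSWORD", "--raw"], env, runner)


def get_password(item, session, runner=subprocess.run):
    """Fetch one password; the session key travels in BW_SESSION, not on argv."""
    env = dict(os.environ, BW_SESSION=session)
    return run_bw(["get", "password", item], env, runner)
```

`bw login` exits non-zero when the CLI is already logged in, so repeat runs should either log out first or treat that `BwError` as non-fatal.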