How do I locate the refresh token?

Hey there! So, I’m in the process of making a simple Bitwarden manager application for GitHub, and I’m having trouble with locating the refresh token. When I check the data.json file for the desktop app, the refresh token is present as null, and it looks like the access token is hashed somehow.

However, when using a proxy, I can see that Bitwarden does in fact use a refresh token to fetch a new access token. How is this possible if I can’t find it? Am I missing something?

Seems to be a popular topic these days. Check out this thread for a similar discussion:

Yeah, it looks like all of the session storage is happening in data.json, I’m just having trouble figuring out where the refresh token is stored since I know it’s used frequently.

There is a field of the form user_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_token_refreshToken in the data.json — is this not what you’re looking for?

That is what I’m looking for, but the value of this item is null for some odd reason. Seems like there’s a different place it’s stored.

As discussed in the other thread, the token may alternatively be stored in the process memory, or in secure storage (e.g., a credential store).

It’s most likely not going to be stored in the process memory since it still invokes these requests after clearing my memory (restarting, etc.). It could perhaps be in secure storage.

Another super weird thing I’ve noticed is that it looks like accessToken is encrypted.

Yes, the 2. prefix signifies AES encryption.

I decided to rebuild the electron app with Visual Studio Code, and it looks like all of the requests are being invoked from the secure storage. I’ll keep you updated if I figure it out. Thanks again!

For anybody staying up to date on this post, I’ll go ahead and explain what the solution is:

The Bitwarden Desktop app uses secure storage, which stores credentials with Keytar (credential storage), just as grb explained. They most likely do this to make it harder for attackers to gain access to your credentials.