It would be great if bitwarden.com supported Discourse SSO. Given that bitwarden.com already knows my email address (required for subscription) one would suppose it would be trivial for it to also store a ‘community (or SSO) password’ (assuming one would be necessary).
Doesn’t seem counterintuitive to me:
Facebook, Google, Yahoo, Twitter and GitHub are all authentication providers, meaning that you can “Log in with [provider]” on websites that support them. Logging in to a website with an authentication provider means that this provider will share some data about you with the service that wants to log you in.
I wouldn’t trust any service that wants me to log in with my password manager…
So hypothetical situation to think about. There is a not-publicly-known vulnerability in Discourse, which allows an adversary to gain full access to the host, which also allows said adversary to impersonate any user. With such an ability, this adversary could now potentially gain access to your vault.
While having two separate logins, one for the vault and another for the community forums might be a small annoyance, I think it is a far better idea than someone gaining access to your vault.
Server checks whether the username and password match.
They match, so server generates a session token (or cookie) and sends it to the User.
The User sends this token with every request to remind the Server that this User is in a logged in state.
User takes a pbkdf2 hash with 5000 iterations of their password as key and their normalized email address as a salt. This is the decryption key. It is not sent, but stored in memory for now.
User hashes the decryption key along with the email one more time, this hash is called the identifier.
User sends the Server the identifier.
Server sends back the “Protected Key”.
The User uses the “decryption key” to decrypt the “Protected Key”. This reveals the “master key”.
The User uses the master key to decrypt all items in their vault. It requests the items based on the identifier, decrypts them real fast, and shows them to the user.
When you “lock” Bitwarden it deletes the master key but keeps the Protected key, email, and all the encrypted data saved. When you re-enter your password to unlock it, it re-decrypts the Protected key.
Also, Bitwarden’s servers don’t even know which email address (user) is requesting the encrypted data… it only sees the identifier. (Which you could only know if you know the username and password.)
In order to add some sort of OAuth2 based single-sign-on feature Bitwarden would have to decrease privacy of accounts so that it can associate identifiers with email addresses.
Not impossible… but yeah, not desirable either.
tl;dr Bitwarden “looks” like it’s logging in… but it isn’t.
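The flow described in the post above, as an added worked example (not Bitwarden’s code and not the poster’s): the client derives the decryption key and identifier, the server stores only identifier → protected key, and a wrong password never even finds a record. Terminology and the 5000-iteration count follow the post; the XOR-with-HMAC-keystream wrapping is an assumed stand-in for Bitwarden’s real authenticated cipher.

```python
import hashlib
import hmac
import os

# Iteration count quoted in the post above; names follow the post's terminology.
PBKDF2_ITERATIONS = 5000

def normalize_email(email: str) -> str:
    return email.strip().lower()

def decryption_key(password: str, email: str) -> bytes:
    """Client side: PBKDF2 of the password, salted with the normalized email.
    This value is kept in client memory and never sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               normalize_email(email).encode(), PBKDF2_ITERATIONS, 32)

def identifier(dec_key: bytes, email: str) -> bytes:
    """Client side: hash the decryption key once more with the email.
    This is the only authentication value the server ever receives."""
    return hashlib.pbkdf2_hmac("sha256", dec_key, normalize_email(email).encode(), 1, 32)

def wrap(key: bytes, master_key: bytes) -> bytes:
    """Stand-in key wrapping (assumption): XOR with a 32-byte HMAC keystream.
    Bitwarden's real authenticated cipher is not reproduced here."""
    stream = hmac.new(key, b"protected-key", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(master_key, stream))

unwrap = wrap  # XOR with the same keystream is its own inverse

def register(server: dict, password: str, email: str) -> bytes:
    """Client generates a random master key; the server stores only
    identifier -> protected key, never the email, password or decryption key."""
    master_key = os.urandom(32)
    dk = decryption_key(password, email)
    server[identifier(dk, email)] = wrap(dk, master_key)
    return master_key

def unlock(server: dict, password: str, email: str):
    """Client recomputes the identifier, fetches the protected key and unwraps it.
    Returns None when no record exists for that identifier (e.g. wrong password)."""
    dk = decryption_key(password, email)
    protected = server.get(identifier(dk, email))
    if protected is None:
        return None
    return unwrap(dk, protected)
```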
Not the same at all, with SSO Discourse wouldn’t have access to my credentials (reducing my exposure).
So you would rather increase exposure of your password vault in order to decrease your exposure of your community account…
Rather than leaving the password vault as is and adding one new random string that is unrelated to your password vault or any of the other passwords contained in it, and exposing that new completely random unrelated string.