Skip user confirmation

Hello,

We are using Bitwarden in a professional environment with LDAP synchronisation. All users that get access to Bitwarden are synchronised via an LDAP group, and self-registration is disabled in Bitwarden directly (globalSettings__disableUserRegistration=true).

When a new user logs into Bitwarden because of the registration mail that is sent, there is no access to the organization. The access to an organization must be manually confirmed.

Is it possible to disable or automate that step, so that all registered users are automatically added to the organization?

Regards,
Hashlog

What we’ve figured out so far is that when users are being confirmed over the web GUI, the following endpoint is being called:

https://<self-hosted-url>/api/organizations/e4ee..e9f/users/b666..89b/confirm

If I interpret this request correctly, there seems to be an undocumented API for the organization actions. While digging through the source code I found the API definition in the OrganizationUsersController.cs file. The requests made with curl with the bearer token received in the web interface work with this API call; the bearer token received with the organization credentials doesn’t.

Can anybody point me to the documentation of the /api/organization endpoint or tell me how to request the correct Bearer Token?

Hi, did you manage to find out and automate the confirmation process?

Hey folks!

You’ll need to use a two-step approach. The API in the web vault can’t be “hit” via a standard web request without being “inside” a vault.

So, to accomplish this, you’ll use the Bitwarden API to GET a list of users, which will return user info like so:

    {
      "object": "list",
      "data": [
        {
          "object": "member",
          "id": "539a36c5-e0d2-4cf9-979e-51ecf5cf6593",
          "userId": "48b47ee1-493e-4c67-aef7-014996c40eca",
          "name": "John Smith",
          "email": "[email protected]",
          "twoFactorEnabled": true,
          "status": 0,
          "collections": [
            {
              "id": "bfbc8338-e329-4dc0-b0c9-317c2ebf1a09",
              "readOnly": true
            }
          ],
          "type": 0,
          "accessAll": true,
          "externalId": "external_id_123456"
        }
      ],
      "continuationToken": "string"
    }

Using the status (I believe they are 0 = invited, 1 = accepted, 2 = confirmed) - you’ll grab a list of users where status == 1, and then use the CLI tool to confirm them.

Can you please provide detailed steps or example of actual code to perform this?

Using the CLI you can perform both actions, actually:

    #!/bin/bash
    # Confirm every organization member whose status is 1 (accepted).

    read -r -p 'Organization Id: ' organization_id
    session_key="$(bw unlock --raw)"
    # Collect the ids of members with status == 1.
    org_members="$(bw list --session "$session_key" org-members --organizationid "$organization_id" | jq -r '.[] | select(.status == 1) | .id')"
    # Word splitting on the unquoted list is intended: one id per iteration.
    for member_id in $org_members; do
        bw confirm --session "$session_key" org-member "$member_id" --organizationid "$organization_id"
    done
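
A variant of the status filter above that auto-confirms only accepted members carrying an externalId and holds the rest back for manual confirmation, as an added example that is not part of the original thread. Assumptions: the input is the API member list in the shape quoted earlier, a non-empty externalId marks a directory-synced member, and BW_SESSION is set in the environment when the commands run; `plan_confirmations` and the sample data are constructed for illustration.

```python
import json
import uuid

ACCEPTED = 1  # per the thread: 0 = invited, 1 = accepted, 2 = confirmed

# Constructed sample in the shape of the member list response quoted above.
SAMPLE = json.dumps({"object": "list", "data": [
    {"id": "11111111-1111-4111-8111-111111111111", "email": "a@example.com",
     "status": 1, "externalId": "ldap-a"},
    {"id": "22222222-2222-4222-8222-222222222222", "email": "b@example.com",
     "status": 1, "externalId": None},
    {"id": "33333333-3333-4333-8333-333333333333", "email": "c@example.com",
     "status": 0, "externalId": "ldap-c"},
    {"id": "44444444-4444-4444-8444-444444444444", "email": "d@example.com",
     "status": 2, "externalId": "ldap-d"},
]})


def _uuid(value):
    """Return the canonical UUID string, or raise ValueError."""
    return str(uuid.UUID(str(value)))


def plan_confirmations(list_json, organization_id):
    """Return (commands, review) for the accepted members in list_json.

    commands: argv lists for `bw confirm org-member`, one per accepted member
              that has an externalId (assumed to mean directory-synced).
    review:   emails of accepted members held back for manual confirmation.
    """
    org = _uuid(organization_id)
    commands, review = [], []
    for member in json.loads(list_json)["data"]:
        if member.get("status") != ACCEPTED:
            continue  # invited or already confirmed
        if not member.get("externalId"):
            review.append(member.get("email"))
            continue
        # Validate the id so nothing but a UUID reaches the command line.
        commands.append(["bw", "confirm", "org-member", _uuid(member["id"]),
                         "--organizationid", org])
    return commands, review


if __name__ == "__main__":
    cmds, held = plan_confirmations(SAMPLE, "00000000-0000-4000-8000-000000000000")
    for argv in cmds:
        print(" ".join(argv))  # pass argv to subprocess.run() to execute
    print("manual review:", held)
```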

Wow, that is great. How can we pass a script into the CLI? In our case we would use a scheduled task from Windows to call the script.

Sorry for the delay here - just trying to clarify what you’re asking for. You’d include the CLI commands in the script that you run as far as I understand.

Let me know if I missed the intent :slight_smile: