Request for password-manager autoconnect for Bitwarden Desktop

Similarly to 1Password, Bitwarden Desktop makes use of libsecret to store session authentication tokens (specifically, session tokens for authenticating to the server). Note: This is not for storing user vault data, or keys that can unlock vault data. The intent is not to store passwords from the application into the keyring. Instead, it is to store auth tokens in the keyring instead of writing them to disk.

I am aware that other apps (unsandboxed or with password-manager plug) can read this data, since the keyring is user-session scoped. This is for tokens that are currently stored to disk in plaintext as a fallback mechanism (see "Auth - PM-7392 & PM-7436 - Token Service - Desktop - Add disk fallback for secure storage failures" by JaredSnider-Bitwarden, Pull Request #8913, bitwarden/clients on GitHub).

Thank you.

From what I’m told, libsecret should automatically perform sandbox mediation on new enough versions of the XDG portals, which renders this obsolete, as the APIs should transparently change to allow your snap to see its own secrets but not other apps' secrets. (Although other apps can still see yours, assuming they’re not also sandboxed.)

I’m not entirely confident how this works in practice, but I’d love to know because I think the Joplin V3.1 release I need to package imminently has updates that might allow the same mechanism to work. So assuming no one chimes in sooner, I might be able to offer some advice on that soon.

1 Like

Hey @quexten @James-Carroll

@James-Carroll is right, and libsecret should handle it seamlessly in newer releases. Maybe disk store is better than auto-connecting the password-manager as a fallback for old releases where the secret portal is not available. You can find a showcase example in "showcase libsecret interaction with the gnome-keyring when run from a snap" on GitHub.

Thanks

1 Like

Makes sense. Not sure about the libsecret version, since the snap base image is still somewhat old. I’m thinking about just dropping libsecret and switching to oo7 anyway, which should use the secrets portal, which as I understand it is supported out of the box in snap (and flatpak)?

Feel free to discard the request for the autoconnect, and thank you for the feedback!