bitwarden · JaredSnider-Bitwarden · Nov 7, 2025 · Nov 7, 2025 · Nov 10, 2025 · Nov 11, 2025
@@ -19,24 +19,29 @@ wasm = [
     "bitwarden-core/wasm",
     "dep:tsify",
     "dep:wasm-bindgen",
-    "dep:wasm-bindgen-futures"
+    "dep:wasm-bindgen-futures",
 ] # WASM support
 
 # Note: dependencies must be alphabetized to pass the cargo sort check in the CI pipeline.
 [dependencies]
+bitwarden-api-api = { workspace = true }
+bitwarden-api-identity = { workspace = true }
 bitwarden-core = { workspace = true, features = ["internal"] }
+bitwarden-crypto = { workspace = true }
 bitwarden-error = { workspace = true }
 chrono = { workspace = true }
 reqwest = { workspace = true }
+schemars = { workspace = true }
 serde = { workspace = true }
+serde_json = { workspace = true }
+serde_repr = { workspace = true }
 thiserror = { workspace = true }
 tsify = { workspace = true, optional = true }
 wasm-bindgen = { workspace = true, optional = true }
 wasm-bindgen-futures = { workspace = true, optional = true }
 
 [dev-dependencies]
 bitwarden-test = { workspace = true }
-serde_json = { workspace = true }
 tokio = { workspace = true, features = ["rt"] }
 wiremock = "0.6.0"
 

@@ -12,4 +12,5 @@ pub(crate) enum GrantType {
     /// Bitwarden user.
     SendAccess,
     // TODO: Add other grant types as needed.
+    Password,
 }
@@ -2,6 +2,8 @@
 
 mod grant_type;
 mod scope;
+mod two_factor_provider;
 
 pub(crate) use grant_type::GrantType;
-pub(crate) use scope::Scope;
+pub(crate) use scope::{Scope, scopes_to_string};
+pub(crate) use two_factor_provider::TwoFactorProvider;
@@ -4,10 +4,35 @@ use serde::{Deserialize, Serialize};
 /// Scopes define the specific permissions an access token grants to the client.
 /// They are requested by the client during token acquisition and enforced by the
 /// resource server when the token is used.
-#[derive(Serialize, Deserialize, Debug)]
+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq)]
 pub(crate) enum Scope {
+    /// The scope for accessing the Bitwarden API as a Bitwarden user.
+    #[serde(rename = "api")]
+    Api,
+    /// The scope for obtaining Bitwarden user scoped refresh tokens that allow offline access.
+    #[serde(rename = "offline_access")]
+    OfflineAccess,
     /// The scope for accessing send resources outside the context of a Bitwarden user.
     #[serde(rename = "api.send.access")]
     ApiSendAccess,
-    // TODO: Add other scopes as needed.
+}
+
+impl Scope {
+    /// Returns the string representation of the scope as used in OAuth 2.0 requests.
+    pub(crate) fn as_str(&self) -> &'static str {
+        match self {
+            Scope::Api => "api",
+            Scope::OfflineAccess => "offline_access",
+            Scope::ApiSendAccess => "api.send.access",
+        }
+    }
+}
+
+/// Converts a slice of scopes into a space-separated string suitable for OAuth 2.0 requests.
+pub(crate) fn scopes_to_string(scopes: &[Scope]) -> String {
+    scopes
+        .iter()
+        .map(|s| s.as_str())
+        .collect::<Vec<_>>()
+        .join(" ")
 }
@@ -0,0 +1,20 @@
+use schemars::JsonSchema;
+use serde_repr::{Deserialize_repr, Serialize_repr};
+
+// TODO: this isn't likely to be only limited to API usage... so maybe move to a more general
+// location?
+
+/// Represents the two-factor authentication providers supported by Bitwarden.
+#[allow(missing_docs)]
+#[derive(Serialize_repr, Deserialize_repr, PartialEq, Debug, JsonSchema, Clone)]
+#[repr(u8)]
+pub enum TwoFactorProvider {
+    Authenticator = 0,
+    Email = 1,
+    Duo = 2,
+    Yubikey = 3,
+    U2f = 4,
+    Remember = 5,
+    OrganizationDuo = 6,
+    WebAuthn = 7,
+}
@@ -0,0 +1,4 @@
+//! Request models for Identity API endpoints that cannot be auto-generated
+//! (e.g., connect/token endpoints) and are shared across multiple clients.
+//!
+//! For standard controller endpoints, use the `bitwarden-api-identity` crate.
@@ -0,0 +1,4 @@
+//! Response models for Identity API endpoints that cannot be auto-generated
+//! (e.g., connect/token endpoint) and are shared across multiple clients.
+//!
+//! For standard controller endpoints, use the `bitwarden-api-identity` crate.
@@ -0,0 +1,54 @@
+use bitwarden_core::DeviceType;
+
+/// Custom headers used in login requests to the connect/token endpoint
+/// - distinct from standard HTTP headers available in `reqwest::header`.
+#[derive(Debug, Clone)]
+pub enum LoginRequestHeader {
+    /// The "Device-Type" header indicates the type of device making the request.
+    DeviceType(DeviceType),
+}
+
+impl LoginRequestHeader {
+    /// Returns the header name as a string.
+    pub fn header_name(&self) -> &'static str {
+        match self {
+            Self::DeviceType(_) => "Device-Type",
+        }
+    }
+
+    /// Returns the header value as a string.
+    pub fn header_value(&self) -> String {
+        match self {
+            Self::DeviceType(device_type) => (*device_type as u8).to_string(),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_device_type_header_name() {
+        let header = LoginRequestHeader::DeviceType(DeviceType::SDK);
+        assert_eq!(header.header_name(), "Device-Type");
+    }
+
+    #[test]
+    fn test_device_type_header_value() {
+        let header = LoginRequestHeader::DeviceType(DeviceType::SDK);
+        assert_eq!(header.header_value(), "21");
+    }
+
+    #[test]
+    fn test_device_type_header_value_android() {
+        let header = LoginRequestHeader::DeviceType(DeviceType::Android);
+        assert_eq!(header.header_value(), "0");
+    }
+
+    #[test]
+    fn test_device_type_header_value_mac_os_cli() {
+        let header = LoginRequestHeader::DeviceType(DeviceType::MacOsCLI);
+        assert_eq!(header.header_value(), "24");
+    }
+}
@@ -0,0 +1,8 @@
+//! API related modules for Identity endpoints
+pub(crate) mod login_request_header;
+pub(crate) mod request;
+pub(crate) mod response;
+
+/// Common send function for login requests
+mod send_login_request;
+pub(crate) use send_login_request::send_login_request;
@@ -0,0 +1,89 @@
+use std::fmt::Debug;
+
+use bitwarden_core::DeviceType;
+use serde::{Deserialize, Serialize, de::DeserializeOwned};
+
+use crate::api::enums::{GrantType, Scope, TwoFactorProvider, scopes_to_string};
+
+/// Standard scopes for user token requests: "api offline_access"
+pub(crate) const STANDARD_USER_SCOPES: &[Scope] = &[Scope::Api, Scope::OfflineAccess];
+
+/// The common payload properties to send to the /connect/token endpoint to obtain
+/// tokens for a BW user.
+#[derive(Serialize, Deserialize, Debug)]
+#[serde(bound = "T: Serialize + DeserializeOwned + Debug")] // Ensure T meets trait bounds
+pub(crate) struct LoginApiRequest<T: Serialize + DeserializeOwned + Debug> {
+    // Standard OAuth2 fields
+    /// The client ID for the SDK consuming client.
+    /// Note: snake_case is intentional to match the API expectations.
+    pub client_id: String,
+
+    /// The grant type for the token request.
+    /// Note: snake_case is intentional to match the API expectations.
+    pub grant_type: GrantType,
+
+    /// The space-separated scopes for the token request (e.g., "api offline_access").
+    pub scope: String,
+
+    // Custom fields BW uses for user token requests
+    /// The device type making the request.
+    #[serde(rename = "deviceType")]
+    pub device_type: DeviceType,
+
+    /// The identifier of the device.
+    #[serde(rename = "deviceIdentifier")]
+    pub device_identifier: String,
+
+    /// The name of the device.
+    #[serde(rename = "deviceName")]
+    pub device_name: String,
+
+    /// The push notification registration token for mobile devices.
+    #[serde(rename = "devicePushToken")]
+    pub device_push_token: Option<String>,
+
+    // Two-factor authentication fields
+    /// The two-factor authentication token.
+    #[serde(rename = "twoFactorToken")]
+    pub two_factor_token: Option<String>,
+
+    /// The two-factor authentication provider.
+    #[serde(rename = "twoFactorProvider")]
+    pub two_factor_provider: Option<TwoFactorProvider>,
+
+    /// Whether to remember two-factor authentication on this device.
+    #[serde(rename = "twoFactorRemember")]
+    pub two_factor_remember: Option<bool>,
+
+    // Specific login mechanism fields will go here (e.g., password, SSO, etc)
+    #[serde(flatten)]
+    pub login_mechanism_fields: T,
+}
+
+impl<T: Serialize + DeserializeOwned + Debug> LoginApiRequest<T> {
+    /// Creates a new UserLoginApiRequest with standard scopes ("api offline_access").
+    /// The scope can be overridden after construction if needed for specific auth flows.
+    pub(crate) fn new(
+        client_id: String,
+        grant_type: GrantType,
+        device_type: DeviceType,
+        device_identifier: String,
+        device_name: String,
+        device_push_token: Option<String>,
+        login_mechanism_fields: T,
+    ) -> Self {
+        Self {
+            client_id,
+            grant_type,
+            scope: scopes_to_string(STANDARD_USER_SCOPES),
+            device_type,
+            device_identifier,
+            device_name,
+            device_push_token,
+            two_factor_token: None,
+            two_factor_provider: None,
+            two_factor_remember: None,
+            login_mechanism_fields,
+        }
+    }
+}
@@ -0,0 +1,7 @@
+//! Request models for Identity API endpoints that cannot be auto-generated
+//! (e.g., connect/token endpoints) and are shared across multiple features within the identity
+//! client
+//!
+//! For standard controller endpoints, use the `bitwarden-api-identity` crate.
+mod login_api_request;
+pub(crate) use login_api_request::LoginApiRequest;