HTTP Basic Auth

Hi all,

HTTP Basic Auth for the Windows and Mac apps has been discussed in the forums as lot. However, this extension is new and it might therefore be the right time to revisit it again.

On the open web, HTTP Basic Auth is almost never used. However, many infrastructure components with web interfaces (mostly lower end enterprise switches and routers) still use it extensively. Having HTTP Basic Auth support in 1p would make the job of many enterprise IT admins a lot simpler.

Is there any change you might add it?

Regards
Andreas


1Password Version: Not Provided
Extension Version: 0.8.6
OS Version: Linux
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member
    edited September 2017

    @RoadRunnR71: You're right that it isn't seeing a lot of use overall, but that some folks depend on HTTP Auth still — and that this might be a good opportunity to take a look at if it's something we can/should do in the new extension. I can't say more than that at this stage since we still have plenty of work to do here, but thanks for bringing this up! :)

    ref: b5x-46

  • I also would like this ability. This doesn't even seem possible in the non-beta extension right now.

    In the meantime...

    If you consider your bookmark URLs secure enough, you could add cleartext auth information to your browser bookmarks, e.g. https://username:[email protected]/

  • brentybrenty

    Team Member

    42: I definitely wouldn't recommend that, as the URLs are transmitted in the clear in order to establish the connection to the server, so having your login credentials as part of that is incredibly insecure.

    I can't make any promises at this stage as we've got plenty else to do that will benefit more users, but HTTP Auth is something we'll consider for the future. Thanks for letting us know it's a feature you'd like us to develop!

  • We still use basic auth on some internal applications for it's simplicity to set up.

    Has this really not come near the the top of the to-do list in all these years?

  • brentybrenty

    Team Member

    @lmcm: We added some support for this in the 1.0 release. Have you tried it? The keyboard shortcut and 1Password icon cannot be injected into the modal username/password dialog, but either Go & Fill from the 1Password X menu or selecting the login to fill there at the login prompt should work. Let me know! :)

  • @brenty: haha, whoops. Didn't see that I was in the 1Password X forum. Very excited for this being a feature there though, thanks!

  • brentybrenty

    Team Member

    Ah, no worries. Happy to help! :)

  • Hi all. I am not sure how I Can make this feature to work. Could you maybe give some more detailed instructions? Thanks!

  • brentybrenty

    Team Member

    @ericb80: With 1Password X, when you're at an HTTP Auth prompt, just open the 1Password X menu from the browser toolbar and select the login to fill it. :)

  • Thanks @brenty I just noticed that I am still using 1Password 6, which apparently does not support this.

  • brentybrenty

    Team Member

    @ericb80: Sorry for the confusion there! While the native 1Password apps have their own desktop extension which cannot (yet?) fill HTTP Auth prompts, 1Password X is available in Firefox and Chrome to anyone with a 1Password.com membership — which also includes 1Password 7. Definitely check it out. :)

  • @brenty : Sorry, i don´t understand that. If the HTTP Auth prompts in Firefox, i´m not able to click anywhere accept the promt windows itself. What i´m doing wrong?

  • brentybrenty

    Team Member

    @jenlau: As far as I can tell, Firefox blocks the UI completely with a modal dialog for these prompts, so there's no way for you to interact with 1Password X or any other extension, and no way for extensions to interact with that prompt. It is, however, possible in Chrome.

  • beyerbeyer

    Team Member
    edited August 24

    @jenlau: As far as I know there's no way for us to display 1Password X while the "Authentication Required" prompt is open like we can on Chrome. However, we can automatically authenticate HTTP authentication prompts when you use Go & Fill.

    To do so, from another website, activate 1Password X, search for a login item containing a username, password, and website that uses HTTP authentication, and click the Go button. This will open the website in a new tab and automatically authenticate using HTTP auth (skipping the "Authentication Required" prompt).

    I hope that helps! I have a few login items set up to do this and I do find it quite helpful once I got used to simply using Go & Fill.

    -Beyer

  • This is right, but for the wrong reason:

    42: I definitely wouldn't recommend that, as the URLs are transmitted in the clear in order to establish the connection to the server, so having your login credentials as part of that is incredibly insecure.

    Using a bookmark like https://username:[email protected]/path/to/resource will not send the username and password, but rather make them available to the web browser to use in case the response asks for authentication (HTTP 401). However, saving as a bookmark will likely save the password in cleartext on your local drive (bad!).

    I just tried creating a new login via 1Password, and then I manually added a website that included username and password as above. I was able to use 1Password's "Open and Fill", and it authenticated me to the site without issue. This workaround should be available to any version of 1Password.

  • brentybrenty

    Team Member

    @nosy_decibel: You're right, I should have made that clearer in my earlier comments. Thanks for the clarification! :)

    And I'm also glad you chimed in here as it gives me an opportunity to elaborate on how 1Password X's HTTP Basic Auth filling works. Spoiler: It doesn't fill anything! ;)

    When you invoke 1Password X to “fill” a login at an HTTP Basic Auth prompt, it reloads the page and sends the username and password as part of the HTTP header. So it technically doesn’t “fill" anything at all, just submits a request to the server with the credentials. The reason why we can’t just automatically do this for you on page load is that, for security and privacy, we always want 1Password to give up sensitive information only due to use interaction. Beyer really nailed this feature though. Cheers! :chuffed:

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file