1PasswordX doesn't work with AWS IAM account login

It fills the form with my details, but when I hit submit the page fails with 400

However, if I manually fill in the details it works fine. It also worked fine with the old extension.


1Password Version: 6.8.496
Extension Version: 1.6
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • Even stranger is it works for some IAM accounts and not others...

  • brentybrenty

    Team Member

    @matty666: Thanks for getting in touch! I'm sorry to hear you're having some trouble there. Can you give me the URL where you're experiencing this issue, and let me know the browser version you're using? Thanks in advance! :)

  • Hi @brenty You can sign up for an account and use https://signin.aws.amazon.com, which will redirect you to a regional login page that has three fields, account id or alias, username and password. It seems that when the "account id or alias" field is changed by 1password X it fails to log in correctly, but the field can be prefilled and those form fills complete ok.

  • @brenty I did a little more digging into this... comparing the post requests for the two, and it looks like the issue is that I have a one-time-password configured on my login in 1password, and it's finding a form property mfacode and filling that in, even though the page doesn't ask for my mfa (because it's actually for a different login page, I don't need to use the code all the time)

    Is there a way to tell 1Password not to auto fill the totp mfa code, but fill the rest?

  • brentybrenty

    Team Member

    @matty666: Ah, thank soft the followup! I think you may be onto something there. There isn't a way to tell 1Password not to fill the TOTP code, but it seems odd to me that it would, unless it's not filling the username or password there. Is that the case? I'll find someone who can test this more thoroughly and we'll see what we can do to improve it. Thank you!

  • @brenty: It's filling in the three fields that are there and visible, the account, username and password. There is also a set of fields for mfa, mfacode and next_mfacode that are display: none and the post that is made to the OAuth endpoint to submit the credentials includes these fields. They are normally empty if I manually fill in the credentials, but when 1Password X fills in the page the post contains a value in the mfacode property.

  • brentybrenty

    Team Member

    Thanks for much for the additional details! I've filed an issue for this and we'll see if we can find a workaround, or way to improve 1Password X overall. Cheers! :)

    ref: b5x-336

  • Not sure if I should open a separate thread since my problem is a little different, but I'll try here first.

    1PasswordX is not showing its icon in the AWS MFA field, but if I open the extension menu and choose Fill, it does fill the field correctly.

    1PasswordX 1.7.4 on Firefox 61.0b14 on Ubuntu 18.04 (now using the xim input method as suggested in another thread).

  • brentybrenty

    Team Member

    1PasswordX is not showing its icon in the AWS MFA field, but if I open the extension menu and choose Fill, it does fill the field correctly.

    @dserodio: Indeed, that's expected currently, but we have some big changes coming that should help streamline things. Keep an eye out for updates! :)

  • Were these big changes incorporated yet, @brenty? I'm still seeing the behavior exhibited by @dserodio. I'm using 1Password X v1.12.3 in Chrome 70.

  • brentybrenty

    Team Member

    @atraver: I'm not sure we're talking about the same thing. This is what dserodio said:

    1PasswordX is not showing its icon in the AWS MFA field, but if I open the extension menu and choose Fill, it does fill the field correctly.

    In summary, it works; there's just no icon. Have you tried filling? Please be specific about what steps you're taking and what is (or is not) happening in your case. Thanks!

    ref: x/b5x#350

  • Thanks for the quick turnaround. The problem is exactly as you quoted, which you subsequently mentioned would be streamlined through "big changes."

    The issue is this:
    1. Navigate to the AWS login page
    2. 1Password X offers to fill in the input fields with my login information, and the 1Password X icon is shown inside the active input field
    3. I submit the form and am taken to a 2-factor authentication (MFA) page
    4. The MFA page's input field does not show a 1Password X icon, nor is my temporary MFA code automatically filled in
    5. After opening 1Password X and selecting my AWS credentials, the MFA code is filled in

    This is one step too many (i.e., the MFA code should be automatically filled when I submit the initial form in step 3), and I suspect what @deserodio was getting at, based on the reply. Normally I wouldn't think twice about this -- I love that 1Password generally handles MFA for me! -- except there are other sites I use (apologies that none are springing to mind right now) where 1Password X does exactly this: after submitting my initial credentials, 1Password X has automatically filled in the input with a temporary code on the subsequent MFA page.

    I'm sure there's a reason specific to AWS as to why this isn't working as I'd expect it to, but it seems odd that it works seamlessly on some sites, filling in the MFA code automatically once the page loads. On AWS, although 1Password X knows how to fill in the MFA code (because as you mention, it happily fills it in when I select the entry through the 1Password X extension), yet it doesn't populate the input field for me automatically.

  • brentybrenty

    Team Member

    @atraver: I appreciate the details. It seems there's some confusion here.

    The problem is exactly as you quoted, which you subsequently mentioned would be streamlined through "big changes."
    The issue is this:
    1. Navigate to the AWS login page
    2. 1Password X offers to fill in the input fields with my login information, and the 1Password X icon is shown inside the active input field
    3. I submit the form and am taken to a 2-factor authentication (MFA) page
    4. The MFA page's input field does not show a 1Password X icon, nor is my temporary MFA code automatically filled in
    5. After opening 1Password X and selecting my AWS credentials, the MFA code is filled in

    To be clear, everything you're describing is expected, except, as dserodio mentioned already, the icon does not show inline on the second step. 1Password X is filling when you tell it to. It should not be filling otherwise.

    This is one step too many (i.e., the MFA code should be automatically filled when I submit the initial form in step 3), and I suspect what @deserodio was getting at, based on the reply. Normally I wouldn't think twice about this -- I love that 1Password generally handles MFA for me! -- except there are other sites I use (apologies that none are springing to mind right now) where 1Password X does exactly this: after submitting my initial credentials, 1Password X has automatically filled in the input with a temporary code on the subsequent MFA page.

    What you're thinking of is something like Google, where there is a single page that 1Password X can fill all credentials into when you tell it to fill -- the difference being that the password and TOTP fields are present but hidden initially in that case, which can make it seem otherwise.

    I'm sure there's a reason specific to AWS as to why this isn't working as I'd expect it to, but it seems odd that it works seamlessly on some sites, filling in the MFA code automatically once the page loads. On AWS, although 1Password X knows how to fill in the MFA code (because as you mention, it happily fills it in when I select the entry through the 1Password X extension), yet it doesn't populate the input field for me automatically.

    I understand where you're coming from, and we'll see if we can work around it, but we need to be careful when it comes to having 1Password do something without user interaction. Websites can also be designed maliciously to change after the fact to try to collect information, after all. That's what's happening with AWS, and there's probably good reason to be okay with that; but we don't want to be automating things only to have that exploited. Thanks for your feedback on this.

  • Gotcha. I tried to find a site that exhibited the behavior I'm talking about, and thought I'd found it in GitHub. I signed out of my account and the first time I logged back in using 1Password X, I was redirected to the MFA page (https://github.com/sessions/two-factor) with my TOTP already filled out (and the 1Password icon in the input field to boot). The URLs were different, so in theory it could have been a client-side page refresh with a hidden TOTP field on the original login page (https://github.com/login) like you suggested, but I'm not exactly sure.

    The weird part, however, was that the second time I ran through the process to try to grab a video of it happening, the TOTP wasn't auto-filled on the MFA page, and the icon wasn't there, either. So clearly it's sporadic, but I'm curious under what circumstances these things do and do not work.

  • brentybrenty

    Team Member

    @atraver: I hear you. I wish there was a standard for this stuff or something! Okay, well there sort of is, but almost no websites follow it. I can dream, can't I? ;) Anyway, I agree that it can be a bit confusing. TOTP filling is still fairly new in 1Password, and it's something we'll continue to iterate on. We just want to make sure that we do more good than harm when we're having 1Password fill sensitive information into websites. But we'll continue to make progress thanks to feedback from you and other awesome 1Password users. Cheers! :)

  • I haven't nailed it yet, but sometimes 1PasswordX shows the button and autofills AWS TOTP and sometimes it doesn't :|

  • brentybrenty

    Team Member

    What browser version are you using? Maybe there's some odd interaction with the site there.

  • I'm using Firefox 63.0.3 on Linux. When I logged in to AWS Console today, 1PasswordX filled the TOTP automatically.

  • brentybrenty

    Team Member

    I don't even know what to say. :lol: That's good news, I guess. We'll see how it goes!

  • edited December 9

    This is an ongoing issue for me and not resolved. It did work some months ago, but it doesn't now. So if any of those changes are concerned, these are not going well for me ...

    Browser here (currently): Version 70.0.3538.110 (Official Build) Built on Ubuntu , running on Ubuntu 18.04 (64-bit)

    Would be great to see this solved as currently I need to enable that icon first w/ the pop-menu, then I can use it. Before that the field is not even recognized as one 1password can actually fill (e.g. no fly-out-under w/ actions neither).

  • brentybrenty

    Team Member

    @LaDudeSurchoix: Can you please be specific about what you're having trouble with? There seems to have been some confusion about how this works. Please try using the mouse or keyboard to bring up the 1Password toolbar menu and select the login to fill, and let me know what is or is not happening the way you expect. Thanks! :)

  • edited December 10

    @brenty: Sure a picture makes it much more clear:

    Large: https://i.imgur.com/VXwdep5.png

    It would be great when instead of seeing (2) it would be directly as (4) as it was before.

  • ag_sebastianag_sebastian

    Team Member
    edited December 10

    Hi @LaDudeSurchoix!

    Thanks so much for the screenshot and the report. I'll jump in for Brenty as I was able to reproduce the issue you're seeing. It seems like 1Password doesn't properly detect the field as a fillable field, at least until you manually invoke it. I've added the additional report to the existing bug.

    ref: b5x-350

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file