Basic Authentication / HTAccess / HTTP Auth [will work using Open and Fill in 1Password X]

12345679»

Comments

  • ingulsrud
    ingulsrud
    Community Member

    @brenty Thanks, appreciate the tip, it works as you described in both browsers, although the 1Password X Chrome extension installation disabled the (desktop app required) extension, while the Firefox install did not. Is this merely a user experience choice, or are there functional implications to enabling the X and non-X extensions simultaneously?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @ingulsrud: Ah, good observation, and good question! There is no harm in having and using both, but it can be confusing from a user experience perspective so we generally recommend sticking with one or the other. I'm guessing that you would be just fine with both though. Folks who know what HTTPauth is and care enough to ask for it tend to fall at the more advanced end of the technical spectrum. ;)

  • ingulsrud
    ingulsrud
    Community Member

    @brenty Gotcha, that puts it in perspective.

  • AGAlumB
    AGAlumB
    1Password Alumni

    :) :+1:

  • c__
    c__
    Community Member

    @brenty : Ahh, I wish this wasn't buried at page 8 of this thread.

    However, it may interest you to know that there is basic (pun intended) support for this in 1Password X: if you do Open and Fill from the 1Password X browser toolbar button, it will submit the login credentials via HTTPauth when loading the page. Cheers!

    And the modal authentication dialogue doesn't block toolbar interaction? I thought it did, but could be misremembering. I'm glad to hear it should work, but obviously it isn't particularly discoverable (or wasn't for me).

    Thanks!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ahh, I wish this wasn't buried at page 8 of this thread.

    @c__: Sorry. This is a really old discussion, and a lot has changed.

    And the modal authentication dialogue doesn't block toolbar interaction? I thought it did, but could be misremembering. I'm glad to hear it should work, but obviously it isn't particularly discoverable (or wasn't for me).

    You probably can't fill if you are already at the HTTP auth prompt. That's why I mentioned to "Open and Fill from the 1Password X browser toolbar button, it will submit the login credentials via HTTPauth when loading the page."

    1Password X doesn't actually "fill" in this case at all due to how extensions work, but rather submits the credentials with the request for the page. I hope this helps. Be sure to let me know if you have any other questions! :)

  • c__
    c__
    Community Member

    Sorry. This is a really old discussion, and a lot has changed.

    Oh, I can absolutely understand that. I just wish some sort of published documentation was a little more front-and-center when you search for "http basic authentication" on the support forum. Instead you get a handful of (mostly years-old) threads in unrelated products (Mac, Win, non-X extension, ...), and some of the answers are buried deep in the threads, but not quite at the end.

    You probably can't fill if you are already at the HTTP auth prompt.

    @brenty Oh, ok. Sorry! I think I rushed (mis)reading that and came to the wrong conclusion about what was supported. Mea culpa. I had an opportunity to try and fill an (existing) HTTP auth prompt dialog today, and data points:

    1. In Chrome 71, I was able to click on the 1Pass toolchar icon while the auth modal dialogue was raised, but
    2. Clicking "Fill" did not appear to fill credentials, nor did it appear to send the requested credentials
    3. It did appear to force the page to be reloaded

    That's why I mentioned to "Open and Fill from the 1Password X browser toolbar button, it will submit the login credentials via HTTPauth when loading the page."

    Unfortunately, I don't see "open and fill" on the 1password X toolbar button; just "fill." Maybe I'm using it wrong? 😂

    1Password X doesn't actually "fill" in this case at all due to how extensions work, but rather submits the credentials with the request for the page. I hope this helps. Be sure to let me know if you have any other questions! :)

    Sure, that's pretty reasonable and hopefully works for most sites. My remaining question is just: where do I find "open and fill?" 😂

    Additional data re: reload-fill; I tried again with chrome debugger open and Network logging enabled:

    1. The server response doesn't actually seem to return a 401 status code or send a WWW-Authenticate? Hmm
    2. The client request doesn't send an Authorization header.
    3. I'm not sure this is basic auth anymore. It doesn't seem to be an ordinary JS dialogue, because I don't think those are allowed to render on top of Chrome's UI.
    4. Ok, I think maybe Chrome just hides incomplete basic auth responses? A query to an "/AuthProofGenerator" shows as "pending" with no response headers.
    5. Yeah, that's it. I copied the AuthProofGenerator URI as a curl command, ran it, and got the expected HTTP/1.1 401 Unauthorized / WWW-Authenticate: Basic realm="Default Realm". USAA's homepage javascript redirects or loads the basic auth page (maybe hidden iframe); Chrome debugger just doesn't really render it well.

    So maybe that explains why 1password's reload-and-auth isn't working here? The top level page is returning 200, it's a just some weird javascript crap (npm-axios, maybe) attempting to load the basic auth page? Anyway, if it helps, here's a presumably full list of NPM libraries they're using: https://www.usaa.com/web/usaa.npm.ent-pubhome-member-app/standard/licenses.txt

    Thank you again, @brenty!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Oh, I can absolutely understand that. I just wish some sort of published documentation was a little more front-and-center when you search for "http basic authentication" on the support forum. Instead you get a handful of (mostly years-old) threads in unrelated products (Mac, Win, non-X extension, ...), and some of the answers are buried deep in the threads, but not quite at the end.

    @c__: It's certainly something we can consider. It just doesn't come up very often, and there's a lot of other stuff that needs documenting. Thank you for your feedback on this though!

    Oh, ok. Sorry! I think I rushed (mis)reading that and came to the wrong conclusion about what was supported. Mea culpa.

    No need to apologize. It's definitely confusing, probably owing to the legacy nature of this stuff, which web browsers themselves seem to support only grudgingly (I'd say the same about 1Password X, but I know that Beyer cared enough about this feature to figure out a clever way to build kit himself).

    I had an opportunity to try and fill an (existing) HTTP auth prompt dialog today, and data points:
    1) In Chrome 71, I was able to click on the 1Pass toolchar icon while the auth modal dialogue was raised, but
    2) Clicking "Fill" did not appear to fill credentials, nor did it appear to send the requested credentials

    Correct. Since there isn't a mechanism to actually "fill" in the prompt, it must be submitted with the HTTP request.

    3) It did appear to force the page to be reloaded

    I did forget to mention this detail though. He did a great job on that. :)

    Sure, that's pretty reasonable and hopefully works for most sites. My remaining question is just: where do I find "open and fill?" 😂

    Ah, sorry again. "Open and Fill" is what we call the thing where you select a Login in the extension. Doing that opens the saved URL (unless you're already on that page) and then fills the credentials there. I wish there was a good way to communicate this. Sorry for not doing a better job!

    Additional data re: reload-fill; I tried again with chrome debugger open and Network logging enabled:
    1. The server response doesn't actually seem to return a 401 status code or send a WWW-Authenticate? Hmm
    2. The client request doesn't send an Authorization header.
    3. I'm not sure this is basic auth anymore. It doesn't seem to be an ordinary JS dialogue, because I don't think those are allowed to render on top of Chrome's UI.
    4. Ok, I think maybe Chrome just hides incomplete basic auth responses? A query to an "/AuthProofGenerator" shows as "pending" with no response headers.
    5. Yeah, that's it. I copied the AuthProofGenerator URI as a curl command, ran it, and got the expected HTTP/1.1 401 Unauthorized / WWW-Authenticate: Basic realm="Default Realm". USAA's homepage javascript redirects or loads the basic auth page (maybe hidden iframe); Chrome debugger just doesn't really render it well.

    Okay, you lost me a bit there. I'll ask @beyer to chime in here, as he knows all the details of the implementation. Thanks for bearing with me!

    So maybe that explains why 1password's reload-and-auth isn't working here? The top level page is returning 200, it's a just some weird javascript crap (npm-axios, maybe) attempting to load the basic auth page? Anyway, if it helps, here's a presumably full list of NPM libraries they're using: https://www.usaa.com/web/usaa.npm.ent-pubhome-member-app/standard/licenses.txt

    I think you may be right, but again, I'll defer to Beyer on this one. I got confused earlier because I thought you meant that it did work, but it sounds like that's not the case.

    Thank you again, @brenty!

    Likewise! We'll get back to you on this. :)

  • c__
    c__
    Community Member

    @brenty ,

    Ah, sorry again. "Open and Fill" is what we call the thing where you select a Login in the extension. Doing that opens the saved URL (unless you're already on that page) and then fills the credentials there. I wish there was a good way to communicate this. Sorry for not doing a better job!

    So what I observe is that just selecting a login does not cause the browser to go to another page. Depending on whether your browser tab is already at that domain or not, 1PasswordX will show "Fill" or "Go," respectively. "Go" does seem to go to the page, but it isn't clear to me if it also fills? Is that what you meant by Open and fill?

    I got confused earlier because I thought you meant that it did work, but it sounds like that's not the case.

    I can't tell what's supposed to work and what isn't 🙃. "Fill" while the current tab is on usaa.com does not work. That might be operator error! But if so, I need some more instructions on what I should try and how it should work. Thanks, @brenty!

  • AGAlumB
    AGAlumB
    1Password Alumni

    So what I observe is that just selecting a login does not cause the browser to go to another page. Depending on whether your browser tab is already at that domain or not, 1PasswordX will show "Fill" or "Go," respectively. "Go" does seem to go to the page, but it isn't clear to me if it also fills? Is that what you meant by Open and fill?

    @c__: The right term escapes me, but what I mean is that you can either double-click with the mouse or press Enter on the keyboard to do the Open and Fill action.

    I can't tell what's supposed to work and what isn't 🙃. "Fill" while the current tab is on usaa.com does not work. That might be operator error! But if so, I need some more instructions on what I should try and how it should work. Thanks, @brenty!

    Can you give me the specific URL? I'll be happy to test it.

  • c__
    c__
    Community Member

    @brenty the specific URL is https://www.usaa.com/?akredirect=true , but the basic auth may only come up if you already have some session cookies set, unfortunately. FWIW, neither the double-click nor Enter action work.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @c__: Ohh. Hmm. That's a really unique situation then. If I'm understanding you correctly, you have to manually bring up the HTTP Auth prompt after visiting the page. Is that right? If so, a possible workaround may be to inspect the session to find the URL involved in the HTTP Auth request and use that as the URL in your Login in 1Password. That would allow you to use Open and Fill:

    1. Open 1Password X (while on a different website) using the mouse or keyboard -- Ctrl Shift X
    2. Search for the Login
    3. Select it and choose "Fill"

    That should have 1Password X open that URL and submit the credentials as part of the request.

    However, if I misinterpreted your comments and you don't have to manually bring up the HTTP Auth prompt, your can forget the annoying part that followed and just use those steps to Open and Fill with 1Password X, without needing to try to find some magical URL. Let me know either way. :)

  • c__
    c__
    Community Member

    @brenty ,

    Ohh. Hmm. That's a really unique situation then.

    Oh yeah, no disagreement there. I don't know what they were thinking. :-)

    If I'm understanding you correctly, you have to manually bring up the HTTP Auth prompt after visiting the page. Is that right?

    Not quite; the HTTP auth prompt comes up automatically, rather than manually.

    If so, a possible workaround may be to inspect the session to find the URL involved in the HTTP Auth request

    It's https://www.usaa.com/inet/ent_ltpa_exchange/v3/AuthProofGenerator . But I don't know if that works for login, or if it makes sense to hardcode it. I will give it a shot.

    It didn't work. With "website" set to https://www.usaa.com/inet/ent_ltpa_exchange/v3/AuthProofGenerator or the ordinary bare usaa.com, "fill" / "go" / double-click doesn't get around the HTTP basic auth.

    However, if I misinterpreted your comments and you don't have to manually bring up the HTTP Auth prompt, your can forget the annoying part that followed and just use those steps to Open and Fill with 1Password X, without needing to try to find some magical URL.

    That process doesn't seem to work either :-].

    I have a workaround — clicking "cancel" on the HTTP basic auth drops me back to an ordinary login form. But it'd be nice if fill worked, of course :-).

    Thanks,
    C

  • AGAlumB
    AGAlumB
    1Password Alumni

    Not quite; the HTTP auth prompt comes up automatically, rather than manually.

    @c__: Ah, okay. Then it sounds like you ultimately are looking for the URL that is being used for the (I guess) redirect to HTTP Auth. If you can figure out what that is, you can probably get 1Password to take you right there...though I wouldn't put money on it since who knows what other weird stuff they're doing. ;)

    I have a workaround — clicking "cancel" on the HTTP basic auth drops me back to an ordinary login form. But it'd be nice if fill worked, of course :-).

    But I didn't realize that was an option for you! If you can clear the cookie, maybe it will just let you sign in there every time. THat is crazy! :lol:

This discussion has been closed.