Edge/Chrome prompting for proxy password

rtfmoz

Hello! I love your product, really do! I am just struggling with an aspect I cannot seem to solve. We have Automatic Proxy Configuration by PAC file in the organisation. This is defined under Network Preferences -> Advanced -> Proxies in macOS. The PAC file essentially tells us which proxy to use to get to resources inside our and outside our organisation. The issue is I keep getting prompted for proxy passwords! No I can install an extension to handle this (apparently) but my question is why can't 1password deal with this? I mean its the password manager. I just installed the latest beta in the hope it would have a solution however the problem still exists. I know the proxies use NTLM authentication but since the Mac's do not support this they fall back to basic auth.

I have plenty of experience with cntlm and the pacntlm variant. Launchd configuration and 30 years in IT integration. So If you need me to provide dumps or anything else to assist with pinpointing the issue, you only have to ask. I have installed the 1Password troubleshooting tool if you need it.

---

1Password Version: 7.7.1.BETA-7 (70701007)
Extension Version: 1.23.0
OS Version: 10.15.7
Sync Type: 1Password
Referrer: forum-search:edge prompting for proxy authentication

ag_yaron

Hey @rtfmoz ,

I'm not quite clear on where you require to enter your proxy passwords. If you get a proxy prompt from Mac OS, then the only way to autofill that is using the drag & drop method from the 1Password desktop app. Simply grab your username/password with your mouse and drag it from 1Password into the fields of the prompt.

If you're getting basic auth prompts in your browser, you can also use drag & drop via 1Password in the browser or the desktop app, but you can also open and fill the credentials directly from 1Password in the browser, which will log you in without showing the basic auth prompt.

The reason for this is that 1Password can only autofill HTML pages, and only because it has an extension for this task installed in your browser. We cannot (yet) autofill in 3rd party apps/prompts or in anything that is not an HTML page from which we can read each field's type and designation.

Does that answer your questions?

rtfmoz

Not really.

I can install Proxy Auto Auth and it entirely solves the problem. The code is apparently available here https://gist.github.com/advait/1b657c683dc8e30b6de7c0e17baabd16

Want to chat your developers?? Put in support for proxy requests please. Sure i can use this extension but if you think about it... should I have to? Seems strange its not in there already. If you are concerned about security, which is fair then prompt the user, is this a valid proxy and have them confirm for you. Trust me when I say they will know. Proxy prompts are repetitive and annoying. If your concerned about impersonation then link them to the current network profile.

In fact network awareness would be quite a useful feature for scope of password security. If you think about it, I only need work passwords when i am on the work networks. So detecting I switched and switching password sets automatically would really give you an edge on the competition.

Regards

Kevin

oliverdunk

Hi @rtfmoz,

I work on the development team behind the 1Password extension, and Yaron asked if I could take a look at this.

We actually implement something very similar to the code there in our own extension. In your case, it sounds like by the time you go looking for 1Password the proxy prompt is already open - so you'd want to open 1Password using the icon in your browser's toolbar. You should then be able to find the desired item and choose the "Autofill" option. I'm pretty sure this is what Yaron was trying to say as well.

If this doesn't help, it would be great to know some more about what's happening - are you unable to open 1Password, perhaps, or does pressing "Autofill" do nothing? This is a completely understandable use case and we want to support it to the best of our ability :)

rtfmoz

Thank you kindly for the reply, it is most appreciated. While I understand 1Password's strong stance on not automatically filling passwords, a proxy has to be the exception. The requests can clearly be identified as proxy auth with details.isProxy? and should be handled in the background with 1Password. I can't select the username or password field to trigger suggestion for a login, and selecting 1Password gives me a generic menu, with no option to save anything. If you would like me to capture the flow in edge or chrome developer mode please let me know and i will be more than happy to upload the results for you to investigate further. As I said I have dealt with HTTP traffic for many years as an F5 Application Delivery specialist so I am happy to spend the time to give you as much diagnostic information as you need.

ag_yaron

Hey @rtfmoz ,
Thank you kindly for the additional details and feedback!

When dealing with basic auth prompts from the browser (whether they're from a proxy or from an actual login of a server/website), you'll need to manually create a login item for that URL/IP address in your 1Password, like so:

1. Open your browser and click the 1Password icon on the top right to unlock it.
2. Click the big PLUS icon to reveal 1Password's menu and select "Login" from the list of options.
3. In the new tab that opens you'll be able to build your own login item. Give it a name, put in the proxy's username and password, and the website's/IP's URL.
4. Click on Save at the bottom to save the changes.
5. Now whenever you need to log into that proxy, click the 1Password icon on the top right of your browser, select that login and click on "Go". 1Password will take you there and log you in.

We will explore your suggestions and see if this is something we can safely autofill without user interaction, although user interaction is definitely one of our most important security measures, so thanks again for bringing this up!

rtfmoz

Cool, thank you kindly. I will do as you suggest. Please consider my request regarding proxy auto fill. It’s not a endpoint password but a midpoint or access password that’s prompted by the browser when hitting an authenticating proxy. Really appreciate all the kind suggestions. Can you add such suggestions to your knowledge base as I went there first and didn’t find anything when I put in proxy.

ag_yaron

That's a good point @rtfmoz . We should document the basic auth prompts feature!
Thanks again for all the helpful feedback.

rtfmoz

Since I dont see a knowledge base article on proxy yet, mind if I ask something. If you prefer I can start a new question?

• When specifying hosts for a login entry how does it need to match?

  • Can I specify just a hostname? Or do I need to include the http:// or https:// component?
  • Can I specify just a hostname? Or do I need to include a port if one is shown in the proxy auth request?
  • Should I be using proxy:// ?

• Essentially whats the guide for making sure 1Password matches the incoming proxy request.

• Does 1Password Browser work fine with latest Edge beta? (I just started using it yesterday)

ag_yaron

Hey @rtfmoz

1Password mostly cares about the domain name. It should work whether or not you state a protocol (http/https) and whether or not you state a port number.
However, if there's https in the login item but the website is http, 1Password won't autofill it for security reasons, so make sure that's not the case for you.

In URLs that have subdomains, 1Password can provide better suggestions by matching the subdomain as well, but this is not the case here as far as I can tell.

proxy:// will not work.