More details on the keyring integration and API support

fcelda
Community Member

Hey.

Thank you for the nice and shiny Linux desktop application. There are a few features mentioned in the announcement of the stable version that got my attention but I couldn't find out any details. Please, can you shed some light on it?

I'm wondering what GNOME Keyring and KDE Wallet support means. Does it mean the 1Password data are stored in the keyring/wallet? What is the benefit? Or did I completely misunderstand?

The other features I'm interested in are DBUS API support and Command line API. Is there documentation for these APIs? I do see that I can lock 1Password via the com.onepassword.OnePassword.Lock DBUS method or with 1password --lock but I couldn't find any other functionality exposed by these APIs. Ideally, I would like to retrieve passwords or TOTP codes from the command line.

Thank you.


1Password Version: 8.0.34
Extension Version: Not Provided
OS Version: Linux, Fedora 34
Sync Type: Not Provided

Comments

  • Hey @fcelda!

    Great questions! I've been waiting for someone to ask about some of these details. :chuffed:

    1Password integrates with GNOME Keyring and KDE Wallet primarily to store MFA secrets so you don't have to authenticate each time you unlock.

    The DBus API currently has two functions: Lock, which you build into your own custom lock scripts, and Unlock, which is exposed through Polkit when you use system authentication. The command-line API has a couple more commands such as --toggle to show and hide the UI.

    For direct access to data within 1Password, we also provide a command-line tool which might meet your needs.

    Now that these system hooks are in place, we're excited to do more with them as we continue to update the app. What else might you like to see in the command-line API, the DBus API, or desktop wallet integration?

  • fcelda
    Community Member

    Thank you for the answers, @Mitch.

    1Password integrates with GNOME Keyring and KDE Wallet primarily to store MFA secrets so you don't have to authenticate each time you unlock.

    If I understand it correctly, logging in on the machine will unlock the desktop keyring which allows 1Password vaults to unlock as well. Is that correct? Do you have any recommendation about the login password then? It sounds to me that the login password might become the weakest thing protecting the 1Password database.

    For direct access to data within 1Password, we also provide a command-line tool which might meet your needs.

    I'm aware of the CLI tool but it doesn't work well for my use case on desktop. The tool requires running op signin essentially in each terminal session before it can be used to retrieve content of the vault. I would really like something with the same functionality but use the 1Password desktop application as a backend.

  • Hi @fcelda

    If I understand it correctly, logging in on the machine will unlock the desktop keyring which allows 1Password vaults to unlock as well

    If you have 2FA enabled for your 1Password account, the 2FA token that proves your application has been authenticated will be stored in the keyring - this means you won't have to provide your 2FA code each time the app is unlocked. However, you will still be required to provide your Master Password each time you wish to unlock the app.

    One notable exception to this is if the System Authentication setting is enabled - after 1Password is unlocked with your Master Password, you can then use your system's available authentication methods to unlock 1Password on subsequent unlocks, including your system's login password. When your device is shut down, the keys that support this unlock method are dropped, so 1Password will require your Master Password each time your device is turned on.

    I would really like something with the same functionality but use the 1Password desktop application as a backend.

    Thanks for this feedback! I can definitely understand how this would be handy. Could you tell me a bit more about how you would envision this functioning? I'll be happy to pass along your thoughts to the Development team.

  • tengl
    Community Member

    I would like to use the CLI but it is a bit annoying to type the password again when the app is already unlocked. I use 1Password all the time and I use the system authentication feature as well; the app is unlocked most of the time.

    I have some scripts where it could be useful to use the 1Password CLI. It would be awesome if the CLI could use the same token as the desktop app and browser plugins. An example:

    1. Sign in using app and master password.
    2. Run a script that signs in: op signin example
    3. And then gets an item: op get item xyz

    Step 2 would use the token in the keyring and continue execution.

    For the case where step 1 is skipped, op signin example would ask for the master password or the system login password, whichever is required. Unlocking with op signin example would of course store a token in the keyring so that the 1Password app is unlocked as well.

    Right now, I can't even use two terminals without logging in to both when using the CLI.
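
A user-side approximation of the flow tengl outlines above, as an added example that is not part of the thread and not 1Password's code: a POSIX shell helper that caches the `op` session token in the desktop keyring so every terminal reuses it. It assumes the v1 `op` CLI (`op signin <shorthand> --raw`, `--session`) and libsecret's `secret-tool`; the function names and keyring attributes are hypothetical.

```shell
#!/bin/sh
# Constructed example: reuse one `op` (CLI v1) session token across terminals
# by caching it in the desktop keyring through libsecret's secret-tool.
# The attribute names (service/account) and function names are made up here.
OP=${OP:-op}
SECRET_TOOL=${SECRET_TOOL:-secret-tool}

# op_session SHORTHAND -> prints a session token that is valid right now.
op_session() {
    ops_account=$1
    # 1. Look for a token that another terminal already stored.
    ops_token=$("$SECRET_TOOL" lookup service op-cli-session \
        account "$ops_account" 2>/dev/null) || ops_token=
    # 2. Accept it only if an authenticated call still succeeds with it.
    if [ -n "$ops_token" ] && "$OP" list vaults --account "$ops_account" \
        --session "$ops_token" >/dev/null 2>&1; then
        printf '%s\n' "$ops_token"
        return 0
    fi
    # 3. Otherwise sign in (prompts for the Master Password) and cache it.
    ops_token=$("$OP" signin "$ops_account" --raw) || return 1
    printf '%s' "$ops_token" | "$SECRET_TOOL" store \
        --label="op CLI session ($ops_account)" \
        service op-cli-session account "$ops_account" || return 1
    printf '%s\n' "$ops_token"
}

# op_forget SHORTHAND -> end the session and drop the cached token.
op_forget() {
    ops_token=$("$SECRET_TOOL" lookup service op-cli-session \
        account "$1" 2>/dev/null) || ops_token=
    [ -z "$ops_token" ] || "$OP" signout --account "$1" --session "$ops_token"
    "$SECRET_TOOL" clear service op-cli-session account "$1"
}

# In any terminal of the same desktop session:
#   op get item xyz --session "$(op_session example)"
```

Any process in the desktop session can read the cached token while the keyring is unlocked, and `op` sessions expire after 30 minutes of inactivity, which is why step 2 revalidates the token before reusing it.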

  • Thanks for sharing, @tengl. The original vision for the CLI revolved primarily around systems that would not have the desktop app installed, and so integration with it wasn't included in the original roadmap. As things have evolved we're seeing more use cases outside the original scope. We'll certainly consider how we can best support those uses. :)

    Ben

  • tengl
    Community Member

    Sure, I understand. I haven't used the CLI much yet.

    Integration with the keyring would benefit the CLI as well since you can use the same token for multiple terminal instances without having to copy and paste the token.

  • Sounds good @tengl! Thanks so much for bringing this feedback to us, it's very helpful! :smile:

This discussion has been closed.