server based signin change from CLI v1 to CLI v2

paulpharr
edited March 2022 in CLI

We use OP CLI as a connection between our server-based systems and 1Pass admin functionality.

Despite the fact that going through the OP CLI on Linux is quite different structurally from the typical REST APIs our systems usually deal with, it's pretty transparent, very secure, and works great.

In transitioning from CLI v1 to v2 our login process has had to evolve:

from v1:
op signin --raw account_name.1passsword.com

to v2:
op account add --shorthand --address account_name.1passsword.com --email --secret-key --signin --raw

In each case we then provide the password to the subprocess on stdin, retrieve the token from stdout, and use it for subsequent calls to op.

We originally chose the v1 method to be as lightweight as possible and avoid storing the account configuration on local storage, both to be as robust as possible through provisioning and deployment of our systems and to keep all parts of the transaction setup in server RAM and avoid leaving them on server storage even briefly.

I may be wrong, but I believe the v1 signin process above generates the token without storing the account in a local config file.

The process we are using for v2 achieves the login, but commits the account data to a local config file and requires a subsequent forget step, or we will just leave the account behind on all our servers.

Is there a way to perform a one-time login & get a token for server use without storing anything on local storage as a by-product?

Thanks!

Paul



Comments

  • Hey, @paulpharr, thank you for reaching out to us.
    The CLI v1 also makes use of the same local configuration. The easiest way to check this is to run the command you provided for CLI v1 with a new account:

    ➜  ~ op signin new-account.1passsword.com --raw
    [ERROR] 2022/03/22 11:34:08 Account not found: new-account.1passsword.com
    

    So, in both versions, unless I'm missing something, signing into an account means committing that account data to the local config. While v1 had a standalone op forget command, v2 achieves the forgetting step by passing the --forget flag to op signout.
    However, I definitely see how operating the CLI in a stateless manner would be a pretty common use case, so I'll make sure to open up an internal ticket, as well as bring this up with my team.

    Once again, thank you for your feedback, and we are looking forward to hearing more from you!
    Best,
    Horia
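
The sequence discussed in this thread (sign in with `op account add ... --signin --raw`, use the token, then `op signout --forget`), wrapped so the forget step runs on every path, including a failed sign-in. This is an added example, not code from the original poster or from 1Password; the function name, its argument order, and passing the shorthand and token through the global `--account` and `--session` flags are assumptions of this example.

```shell
# Added example, not from the thread. Assumes op CLI v2 on PATH.
# Usage (password on stdin, sample subcommand):
#   printf '%s\n' "$PW" | op_ephemeral SHORTHAND ADDRESS EMAIL SECRET_KEY user list
op_ephemeral() (
  shorthand=$1 address=$2 email=$3 secret_key=$4
  shift 4
  token=

  # Remove the account entry that `op account add` wrote to the local
  # config. Called on every path, including a failed sign-in.
  forget() {
    op signout --account "$shorthand" ${token:+--session "$token"} \
      --forget >/dev/null 2>&1
  }

  # op reads the password from this function's stdin, so it never passes
  # through argv or a variable here. The secret key is passed as a flag, as in
  # the thread's v2 command, so it is visible in the process list while op runs.
  token=$(op account add --shorthand "$shorthand" --address "$address" \
            --email "$email" --secret-key "$secret_key" --signin --raw) || token=
  if [ -z "$token" ]; then
    forget || true
    echo "op_ephemeral: sign-in failed" >&2
    exit 1
  fi

  # Run the requested op subcommand with the session token, then clean up
  # regardless of its exit status.
  rc=0
  op "$@" --account "$shorthand" --session "$token" </dev/null || rc=$?
  forget || echo "op_ephemeral: account '$shorthand' may remain in local config" >&2
  exit "$rc"
)
```

The account data is still written to the local config for the lifetime of the call; the wrapper only guarantees that the removal is attempted before it returns.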

This discussion has been closed.