Questions Regarding 1Password Integration with 3rd Party Apps

Taverick

We’ve been researching your app’s ability to integrate with other 3rd party apps, and believe this integration may fill a need that we’ll soon have for an iPad app that we’re currently developing. Before wholeheartedly assuming this integration will fulfill our needs though, I’d like to run our scenarios/requirements by you guys to get an absolute answer to our notion.

The iPad app that we’re developing will require a web-based login to be made from within our app to an online, web-based resource. This web-based login will automatically occur once every morning (upon the initial startup of the app on any given day), and periodically throughout the day (when session auto-timeouts occur due to our app being idle for X-amount of minutes, and the establishment of new sessions once activity resumes within our app). These connections to this online resource will be made via the passing/providing of typical user account credentials (e.g. 1 username and 1 password) from your onboard 1Password app to our custom app – which will then be used by our app to login. These user account credentials will be changed every X-number of days (by us, for various security/compliance-related reasons), and need to be automatically passed from your app to ours (or provided by your app to ours) behind the scenes when needed/prompted - with no physical human interaction whatsoever - in order for a successful connection between our iPad app and the online resource to be made.

To streamline the management of these ever-changing account credentials, we’re considering utilizing 1Password’s integration capabilities to pass these user account credentials (whatever they may be at that moment of time) from your onboard iPad app (which will reside on the same iPads our app will reside on) to our customized app, thus allowing our app to automatically log into the online resource. This way we can centrally-manage these account credentials via our 1Password online vault(s), and give ourselves full control over which (and when) instances of our custom app are able to connect to the online resource.

With that being said, allow me to run 2 questions/scenarios by you all for further clarity and insight on this matter:

1. Can we possibly integrate your 1Password app with our custom iPad app in such a way that will allow us to specify which user account credentials to pass, and automatically pass that user account credentials from our 1Password vault(s) to our iPad app when prompted/needed in a behind-the-scenes fashion, without any human interaction at all?

   Once our app is in a certain mode, we’re planning on not even surfacing these corresponding username/password login text fields on our app’s
   interface (until its reset and taken out of this particular mode), so this will surely need to be an automated, hands-free operation (while the app is in
   this mode).

2. Which of the 2 following scenarios would be the best route to take to implement what we’re striving to accomplish in the most simplistic, secure, and cost-effective manner..?

   A. Have our custom app receive, or get the needed user account credentials passed to it from an onboard instance of your 1Password app – to allow us to centrally-manage these user account credentials via our online 1Password vault(s)?
   B. Have our custom app receive the needed user account credentials from each facilitating iPad’s keychain, and centrally-manage these user account credentials via synching our 1Password online vault(s) with each iPad’s iCloud account?

   We’ve done some researched on Scenario B’s noted capability, but haven’t yet invested a great deal of time researching and investigating it, so I
   thought I’d just throw it out there on the table as well…

NOTE/FYI: Our custom app will primarily reside on enterprise-owned and managed (to a certain degree) iPads, thus allowing us to entertain the option of having onboard instances of your 1Password app on such iPads.

We greatly value and appreciate any feedback provided back to us on this matter…

Rad

Hi @Taverick,

Thanks so much for taking the time to write in and for explaining your requirements :+1:

The 1Password App Extension API uses the NSExtension (NSExtensionItem, NSItemProvider) Apple APIs which require human interaction via the share sheet. This means that the 1Password Extension can not be invoked without explicit interactions from the user.

If you absolutely need the automatic login implementation, we recommend that you opt for scenario 2B where you’d use the iOS Keychain. However, if you guys decide to go this route, you may need to find a way to sync the frequently updated credentials with all of you iPads’ iCloud accounts because the iOS keychain cannot access your 1Password data.

Personally, I like that idea of the credentials being constantly updated. This should be handled pretty well by a shared secondary vault in 1Password. To use the 1Password extension and its API, you need to go through the share sheet. Meaning that your implementation should be similar to Use Case #4: Web View Login Support, showcased in ACME Browser.

I hope that this helps :smile:

Cheers!

Taverick

I see... Well would it be possible to have each instance of our custom app receive the needed user account credentials directly from 1Password online vault/profiles via some sort of web-based query, web service/soap call, or API call - thus removing the middle man entirely? If this was somehow doable via us entering in the necessary credentials within our app (at an administrative screen that will in turn store this information somewhere within our app’s code or in the facilitating iPad’s keychain), and use this information to securely query our 1Password online vault/profiles and receive back the necessary credentials, it will be great. We’ll even settle for querying via the user account’s username (which again can be stored somewhere in our app’s code or in each facilitating iPad’s keychain), and only receiving back the corresponding password.

Please advise, and thanks again for the feedback!

Rad

Hi @Taverick,

Thanks for getting back to us :+1:

I see... Well would it be possible to have each instance of our custom app receive the needed user account credentials directly from 1Password online vault/profiles via some sort of web-based query, web service/soap call, or API call - thus removing the middle man entirely?

This is not possible because we do not have a web service API for 1Password and that's because we do not (never) store your data on our servers. You own your 1Password data and we do not have access to it in anyway. For more information, please refer to the How does 1Password keep my data safe? article from our Knowledge Base.

Please let me know if you have any other questions :wink:

Best,