iOS 12 AutoFill and Associated Domains

nidawson
nidawson
Community Member
in iOS

Hi,

I've tagged our app's fields where usernames and passwords are requested but I've encountered an issue on our production version of the app. 1Password refuses to show accounts for anything other than the associated domain for the app. I've attached a screenshot as an example.

This is a problem in our app as we support linking external accounts which are not associated with our domain. Can a "see all accounts" or similar button be added? This is how iCloud keychain deals with this scenario. Would love to see this fixed!

Thanks

1Password Version: 7.2.1
Extension Version: Not Provided
OS Version: iOS 12.0.1
Sync Type: Not Provided

Comments

  • ag_andrew
    ag_andrew

    Hi @nidawson,

    When linking to external accounts, are you presenting the external accounts login screen natively, or inside a WebView? In my testing, native fields present the AutoFill extension with the Associated Domain, whereas WebViews present the extension with the domain of the current page in the WebView.

    As for a button that shows all your items, it's something we've talked about but right now we limit filling to the domain presented to the AutoFill extension, in the same way that 1Password itself won't automatically fill credentials into a page whose URL doesn't match that of the item you're trying to fill.

  • nidawson
    nidawson
    Community Member

    Hey,

    It is indeed a native view with properly tagged UITextField content types. It works perfectly on our staging versions of the app but not on our production. The only difference between the two is Associated Domains for universal deep links is setup correctly for the production version.

    I believe the extension protocol 1Password implements takes this identifier with a URL: https://developer.apple.com/documentation/authenticationservices/ascredentialserviceidentifier If that's the case Apple must read the applinks: directives in Associated Domains to provide the URL. I can't remove these though to allow all passwords to show or I'd break our universal links.

    Another scenario to consider is a developer may not even have setup their own universal links for their domain but instead use something like Adjust campaign tracking which relies on implementing their subdomains as Associated Domains. They'd then only see credentials for adj.st domains instead of acme.com.au - https://docs.adjust.com/en/universal-links/

    I'd encourage the "Show All" button for the second scenario if nothing else :)

  • Ben
    Ben
    edited October 2018

    There may be some good logic in your argument — I’ll leave it to @ag_andrew and the rest of the development team to determine that. The primary argument, historically, against a “show all” button is phishing. The reason 1Password doesn’t show all logins and allow any login to be filled anywhere is because we don’t want apps or websites to be able to present themselves (for example) as “lpassword.com” (“Lpassword.com”) and have folks fill their “1password.com” (“one password.com”) credentials there.

    Ben

This discussion has been closed.