HTTP Basic Auth

Hi all,

HTTP Basic Auth for the Windows and Mac apps has been discussed in the forums as lot. However, this extension is new and it might therefore be the right time to revisit it again.

On the open web, HTTP Basic Auth is almost never used. However, many infrastructure components with web interfaces (mostly lower end enterprise switches and routers) still use it extensively. Having HTTP Basic Auth support in 1p would make the job of many enterprise IT admins a lot simpler.

Is there any change you might add it?

Regards
Andreas


1Password Version: Not Provided
Extension Version: 0.8.6
OS Version: Linux
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited September 2017

    @RoadRunnR71: You're right that it isn't seeing a lot of use overall, but that some folks depend on HTTP Auth still — and that this might be a good opportunity to take a look at if it's something we can/should do in the new extension. I can't say more than that at this stage since we still have plenty of work to do here, but thanks for bringing this up! :)

    ref: b5x-46

  • _42_
    _42_
    Community Member

    I also would like this ability. This doesn't even seem possible in the non-beta extension right now.

    In the meantime...

    If you consider your bookmark URLs secure enough, you could add cleartext auth information to your browser bookmarks, e.g. https://username:password@your-server.com/

  • AGAlumB
    AGAlumB
    1Password Alumni

    42: I definitely wouldn't recommend that, as the URLs are transmitted in the clear in order to establish the connection to the server, so having your login credentials as part of that is incredibly insecure.

    I can't make any promises at this stage as we've got plenty else to do that will benefit more users, but HTTP Auth is something we'll consider for the future. Thanks for letting us know it's a feature you'd like us to develop!

  • [Deleted User]
    [Deleted User]
    Community Member

    We still use basic auth on some internal applications for it's simplicity to set up.

    Has this really not come near the the top of the to-do list in all these years?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @lmcm: We added some support for this in the 1.0 release. Have you tried it? The keyboard shortcut and 1Password icon cannot be injected into the modal username/password dialog, but either Go & Fill from the 1Password X menu or selecting the login to fill there at the login prompt should work. Let me know! :)

  • [Deleted User]
    [Deleted User]
    Community Member

    @brenty: haha, whoops. Didn't see that I was in the 1Password X forum. Very excited for this being a feature there though, thanks!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ah, no worries. Happy to help! :)

  • ericb80
    ericb80
    Community Member

    Hi all. I am not sure how I Can make this feature to work. Could you maybe give some more detailed instructions? Thanks!

  • AGAlumB
    AGAlumB
    1Password Alumni

    @ericb80: With 1Password X, when you're at an HTTP Auth prompt, just open the 1Password X menu from the browser toolbar and select the login to fill it. :)

  • ericb80
    ericb80
    Community Member

    Thanks @brenty I just noticed that I am still using 1Password 6, which apparently does not support this.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @ericb80: Sorry for the confusion there! While the native 1Password apps have their own desktop extension which cannot (yet?) fill HTTP Auth prompts, 1Password X is available in Firefox and Chrome to anyone with a 1Password.com membership — which also includes 1Password 7. Definitely check it out. :)

  • jenlau
    jenlau
    Community Member

    @brenty : Sorry, i don´t understand that. If the HTTP Auth prompts in Firefox, i´m not able to click anywhere accept the promt windows itself. What i´m doing wrong?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @jenlau: As far as I can tell, Firefox blocks the UI completely with a modal dialog for these prompts, so there's no way for you to interact with 1Password X or any other extension, and no way for extensions to interact with that prompt. It is, however, possible in Chrome.

  • beyer
    beyer
    1Password Alumni
    edited August 2018

    @jenlau: As far as I know there's no way for us to display 1Password X while the "Authentication Required" prompt is open like we can on Chrome. However, we can automatically authenticate HTTP authentication prompts when you use Go & Fill.

    To do so, from another website, activate 1Password X, search for a login item containing a username, password, and website that uses HTTP authentication, and click the Go button. This will open the website in a new tab and automatically authenticate using HTTP auth (skipping the "Authentication Required" prompt).

    I hope that helps! I have a few login items set up to do this and I do find it quite helpful once I got used to simply using Go & Fill.

    -Beyer

  • nosy_decibel
    nosy_decibel
    Community Member

    This is right, but for the wrong reason:

    42: I definitely wouldn't recommend that, as the URLs are transmitted in the clear in order to establish the connection to the server, so having your login credentials as part of that is incredibly insecure.

    Using a bookmark like https://username:password@your-server.com/path/to/resource will not send the username and password, but rather make them available to the web browser to use in case the response asks for authentication (HTTP 401). However, saving as a bookmark will likely save the password in cleartext on your local drive (bad!).

    I just tried creating a new login via 1Password, and then I manually added a website that included username and password as above. I was able to use 1Password's "Open and Fill", and it authenticated me to the site without issue. This workaround should be available to any version of 1Password.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @nosy_decibel: You're right, I should have made that clearer in my earlier comments. Thanks for the clarification! :)

    And I'm also glad you chimed in here as it gives me an opportunity to elaborate on how 1Password X's HTTP Basic Auth filling works. Spoiler: It doesn't fill anything! ;)

    When you invoke 1Password X to “fill” a login at an HTTP Basic Auth prompt, it reloads the page and sends the username and password as part of the HTTP header. So it technically doesn’t “fill" anything at all, just submits a request to the server with the credentials. The reason why we can’t just automatically do this for you on page load is that, for security and privacy, we always want 1Password to give up sensitive information only due to use interaction. Beyer really nailed this feature though. Cheers! :chuffed:

  • alanhoyle
    alanhoyle
    Community Member

    I'm glad that I finally discovered this page and found out that I could work-around the lack of HTTP Basic Auth support with the "Go and Fill" feature or by selecting "Go" in the 1PasswordX drop-down.

    Thanks! I wish there was a way that this could have been documented more prominently as it's been an annoyance of mine for some time.

    Thank you!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for letting us know! I'm glad you found it useful. It doesn't come up much since most sites use regular(-ish) HTML login forms nowadays, but something we can consider. Cheers! :)

  • pauschuu
    pauschuu
    Community Member
    edited May 2019

    Please consider having a look at the KeePassXC Browser Extension. They have an option called

    "Automatically fill in HTTP Basic Auth dialogs and submit them."

    And that works like a charm. Setting this option means you'll never see an HTTP basic auth dialogue ever again, if you have the credentials stored. Something like this in 1password X would be amazing.

    Thanks.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @pauschuu: Yeah we're not going to do that. 1Password only fills anything when the user tells it to. That's a great solution...for getting your login credentials sent to someone malicious as part of a person in the middle attack, without you even doing a thing. On the other hand, 1Password X is able to submit login credentials for a Basic Auth request when you tell it to, as Beyer mentioned last year. Cheers! :)

  • TheRealX
    TheRealX
    Community Member
    edited July 2019

    As a web developer working with WPEngine this is a real blocker (basic auth is the only option to access sites under development with them).

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @TheRealX,

    If you have a 1Password account you may want to check out 1Password X. It supports basic auth when performing an open-and-fill command so that might help. 1Password X started off life as a standalone extension to add support for the likes of Linux and ChromeOS, platforms where we don't have a native client so for now at least it does require a 1Password account. If that's something of interest to you our support page Get to know 1Password X is a good starting point.

  • TheRealX
    TheRealX
    Community Member

    Thanks @littlebobbytables, that's what I've ended up doing. It works okay, but seems to authenticate and then just hang, only loading the full page after a refresh (on Chrome).

  • davidolrik
    davidolrik
    Community Member

    You might be able to use this onAuthRequired to provide the credentials asynchronously, i.e. interactively when seeing the dialog, and not only using "open-and-fill".

    Source: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onAuthRequired

This discussion has been closed.