BUG: cli auth prompt immediately dismissed with Apple Watch [macOS]

maxcbc
Community Member
edited June 2023 in CLI

Hiya,

I'm having an issue as of this morning using the 1Password CLI integration with the 1P8 Mac beta.
It launches the prompt for me to authorise an action, but it's immediately dismissed (I see it flicker), and I get the following error:
authorization prompt dismissed, please try again


1Password Version: 80700002
Extension Version: Not Provided
OS Version: 12.3

Comments

  • rob
    edited April 2022

    Hey, @maxcbc! I'm sorry for the huge delay here. Are you still having this issue? I've reached out to the right team to see if we can get you an answer if so.

  • Hey!

    We have made a few improvements to the authorization process recently. So if you are still having this issue, could you try out the latest beta release? You can read here how you can switch.

    Let me know if that resolves it.

    Joris

  • woakas
    Community Member

    Hi, I have the same error. The version that I'm using for 1password-cli is 2.0.2, and for 1Password 8.7.0~90.BETA.

    The console shows the following messages:

    INFO  2022-04-22T10:33:34.432 tokio-runtime-worker(ThreadId(5)) [1P:native-messaging/op-native-core-integration/src/lib.rs:307] Extension connection accepted.
    WARN  2022-04-22T10:33:34.448 op_executor:invocation_loop(ThreadId(14)) [1P:foundation/op-sys-info/src/process_information/linux.rs:394] no top-level parent was found for pid 172170
    ERROR 2022-04-22T10:33:34.464 tokio-runtime-worker(ThreadId(5)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:60] message from b5x was None: EndConnection
    ERROR 2022-04-22T10:33:34.464 tokio-runtime-worker(ThreadId(5)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:31] Dropping connection with b5x due to error handling incoming message: EndConnection
    ERROR 2022-04-22T10:33:34.464 tokio-runtime-worker(ThreadId(5)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:63] failed to receive message from b5x: Io(Os { code: 104, kind: ConnectionReset, message: "Connection reset by peer" })
    ERROR 2022-04-22T10:33:34.464 tokio-runtime-worker(ThreadId(5)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:31] Dropping connection with b5x due to error handling incoming message: EndConnection
    ERROR 2022-04-22T10:33:34.464 tokio-runtime-worker(ThreadId(4)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:63] failed to receive message from b5x: Io(Os { code: 104, kind: ConnectionReset, message: "Connection reset by peer" })
    ERROR 2022-04-22T10:33:34.464 tokio-runtime-worker(ThreadId(4)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:31] Dropping connection with b5x due to error handling incoming message: EndConnection
    
  • Hey! That does not look right. Could you tell which OS/distribution you are using?

  • kpitt
    Community Member

    Same problem here. Happens when biometric unlock is enabled. If I disable biometric unlock, I instead get "You are not currently signed in".

    1Password for Mac 8.7.1
    1Password CLI 2.4.1
    MacBook Pro, Intel i9
    macOS 12.3.1

  • kpitt
    Community Member

    I'm not sure what changed, but for some reason it seems to be working now, at least for the moment. Here's what I've done since my previous post, as best I can recall:

    1. Disabled biometric unlock and signed in manually with eval $(op signin).
    2. Successfully ran a couple of op commands.
    3. Tried turning biometric unlock back on after having successfully signed in the old-school way, but it didn't seem to work right away.
    4. Turned biometric unlock off again.
    5. Closed the terminal where I had tested manual sign-in and went back to other tasks.
    6. A few hours later, I decided to give it one more try before closing up shop for the day, so I turned biometric unlock back on one more time.

    It was at this point that I ran an authenticated op command and the authentication prompt actually stayed on-screen and allowed me to unlock with my Apple Watch. I then went to the 1Password app, explicitly locked it from the menu, then closed the 1Password window. When I went back to the terminal window and tried the command again, it prompted again for authentication as expected, and again the prompt remained on-screen and allowed me to unlock.

  • jamesstidard
    Community Member

    Hi,

    I'm also experiencing the same thing. For me, my Apple Watch auth prompt closes itself. If I'm not wearing my watch, it won't ask via fingerprint (when available); it will instead just take a password or give me an "allow" option for ssh access.

    Happy to post a log in here, if someone can let me know there's no sensitive information in it, and that it'll be useful.

    Here's a gif:

  • Thank you both for reporting back with more details. We have seen some similar reports when using Apple Watch. To see if these cases are indeed similar:

    • When you are running into this problem, is your Mac in clamshell mode by any chance?
    • And when you run into this problem, are you still able to unlock macOS itself with the Apple Watch?

    @jamesstidard, logs are definitely helpful! The logs do not contain any secrets like your account password and we go out of our way to make sure there is as little sensitive information in there as possible.

    About 1Password diagnostics information

    You can send a diagnostics report by following these instructions:

    Sending Diagnostics Reports (Mac)

    Attach the diagnostics to an email message addressed to support+forum@1password.com.

    With your email please include:

    • A link to this thread: https://1password.community/discussion/128135/bug-cli-auth-prompt-immediately-dismissed
    • Your forum username

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!

  • jamesstidard
    Community Member

    I've not been wearing my watch while working because of this, just put it on to try and get you the details love, but it's working again now. Will report back with stuff above if it breaks again.

    Thanks.

  • Thank you @jamesstidard! We'll be here to take any further information you should have on this if the issue returns.

  • afroman
    Community Member

    I think I have reproduced this correctly. It seems that this happens with the biometric macOS unlock is disabled and requires its periodic manual password entry unlock to "re-enable TouchID". I have experienced this in clamshell mode.

  • afroman
    Community Member

    ^ Diagnostics output: [#KYX-41567-836]

  • Thank you for submitting that diagnostics file, @afroman! That will be of great value in our search for the cause of the problem.

    Just to make sure that I am correctly recording your findings, when you say that it "happens with the biometric macOS unlock is disabled" do you mean:

    a. TouchID is disabled in macOS system settings
    b. TouchID is disabled in the Security settings of the 1Password app
    c. TouchID is temporarily disabled by macOS (for example because of a few failed attempts) and it will start working again after you have entered your macOS system password once (for example after locking your Mac)
    d. Something different

    We have seen some similar reports for option c. If that is also the case for you, locking and unlocking your Mac has shown to be a successful workaround for the problem.

    In the meantime, we are continuing our investigation into the root cause of the issue. Thanks again for helping us out with that 🙌

  • afroman
    Community Member

    Hi @Joris_1P !

    Option c is what I'm seeing. In my case, it's the biometric (touch/watch) timeout (172800 seconds).

  • mike0x41
    Community Member

    I have an interesting variant of this bug:

    I have biometric lock enabled, but my laptop is closed and I'm connected to an external monitor (therefore biometric lock isn't available). That's not a problem when using the Quick Access shortcut to open 1Password, but it looks like 1Password being unlocked isn't enough for the first run of the op item get command, and it's failing on the immediately dismissed biometric authorization prompt.

    op --version: 2.14.0
    os: mac os 13.2
    macbook pro m2

  • Thanks for sharing that, @mike0x41! To get the full picture clear: are you using an Apple Watch by any chance?

  • mike0x41
    Community Member

    @Joris_1P yes! 😆

  • drewipson
    Community Member

    @Joris_1P I wanted to upvote this thread. I got an Apple Watch yesterday and enabled "Allow Apple Watch to unlock Mac" in system settings. I immediately started having issues with my ssh-keys and ssh-agent. Once I turned it off, everything started working. 😅

  • Hi @mike0x41 and @drewipson:

    Would each of you mind sharing some diagnostics details with us? I'd like to ask you both to create a diagnostics report from your Mac:

    Sending Diagnostics Reports (Mac)

    Attach the diagnostics to an email message addressed to support+forum@1password.com.

    With your email please include:

    • A link to this thread: https://1password.community/discussion/128135/bug-cli-auth-prompt-immediately-dismissed#latest
    • Your forum username: mike0x41 / drewipson

    You should receive an automated reply from our BitBot assistant with a Support ID number.  Please post that number here.  Thanks very much!

  • Thanks @mike0x41

    We've got your report.

    ref: DCG-58227-949

  • REBELinBLUE
    Community Member

    Did anyone manage to solve this? I'm having it intermittently and it's driving me mad, as the only way to solve it is to reboot.

  • jos2
    Community Member
    edited August 2023

    Hi! I thought I'd bump this thread, as this just started happening to me recently. Two potential factors from the thread so far that match my case: I am operating my Mac in clamshell mode, and I do have 'Unlock my Mac with Apple Watch' enabled. When the problem occurs, I've found extracting my Mac, opening it, and running op signin in the CLI will work: I get the TouchID prompt, answer it, and things work...until I close the clamshell again, at which point it's no dice. Happy to generate diagnostics if needed; hopefully this is a fixable problem!

  • Thanks for bringing this to our attention. I'm sorry that you're running into this. We are currently working on a major update for the authorization prompts that might solve this problem.

    I'll report back when that update is available on the nightly or beta releases of the app, so you can give it a try.

  • Hey all! The latest nightly release of the 1Password app contains the major update to the authorization prompts I talked about earlier this week. The new prompts not only look prettier (if you ask me), but I expect them to solve the reported issue as well.

    You can try out the nightly release by following these steps, but selecting "Nightly" instead of "Beta" as the release channel. Alternatively, these will be available in the beta release sometime soon.

    If you give it a try, let me know if this resolves the issue!

This discussion has been closed.