Authorization prompt dismissed error [Linux]

This discussion was created from comments split from: BUG: cli auth prompt immediately dismissed with Apple Watch [macOS].

Comments

  • markboston
    Community Member

    Hate to revive a dead thread, but I'm also having this issue on Linux. However, mine might be a bit different: I'm running i3, and while I did have the 1Password window taking up most of the screen, it may be posting this somewhere off, since it's not expecting to be running on this setup.

    If this could be dealt with in the next version, that would be great. By that I mean making 1Password aware that not everyone uses a stacking window manager. And it seems weird to me that a CLI program needs to be authenticated by a, for lack of a term, window program.

  • eigrad
    Community Member

    Same thing with Linux and tiling wm (qtile). Under Gnome it works.

    Strange - when I run the 1Password app for the first time in a desktop session, it successfully uses the system dialog to unlock itself (but still asks for the 1Password unlock password in the 1Password GUI; not sure if it is intended?), but then when using op via the AWS plugin it doesn't show the system dialog and reports the mentioned error "authorization prompt dismissed, please try again".

  • gig
    Community Member

    Another Linux + tiling WM testimony here. @eigrad's post pointed me in the right direction, and I noticed it worked under Xfce but not i3wm.

    My issue was that i3wm just wasn't running any sort of authentication agent, so the 1Password CLI couldn't prompt me for my password in the first place. Xfce uses polkit-gnome-authentication-agent-1, so by making sure that process was running in i3 (you might have to install it; on my machine it lives in /usr/libexec/), I now get authentication prompts and can successfully use the CLI.

  • 1passj1282
    Community Member
    edited May 2023

    Sway user on Linux checking in. First, I was very surprised that I needed to install the 1Password GUI program in order to authenticate the CLI app, but I conceded. Then I had to install polkit-dumb-agent-git to get past this error. Now, op prompts for my root password (why?!) in order to do its thing. Also, this is only remembered per-terminal and I have to op login for any new terminal.

    Why is the UX for this so difficult? There are other CLI tools out there (ex: the Google Cloud CLI) which are a breeze to authenticate and use.

    Even signing in via a browser is difficult (login page -> have a team account? -> enter your domain -> enter your email -> sign in with microsoft -> [microsoft flow] -> confirm login via last browser, copy code -> provide code to new browser.) That's 8 steps, excluding the Microsoft flow. I get that security is important but this is unnecessarily difficult. Counter example: Cloudflare's login page. It asks for a simple email address and password, and if the email address that you enter is protected by SSO the "login" button changes to a "login with SSO" button and grays out the password field. 1Password has introduced a lot of unnecessary friction all throughout their products.

  • Joris_1P
    edited June 2023

    Hey @markboston @eigrad @gig @1passj1282,

    Thanks all for writing in. I am sorry you were or are still having issues with biometric unlock for the CLI. Since the original thread mostly contained reports about a similar problem when using an Apple Watch on macOS, I am splitting off your comments into a separate thread for Linux. That allows us to give it the attention it deserves.

    In case you are still having issues, would you mind sharing some diagnostic details with us? I'd like to ask you to create a diagnostics report:

    Sending Diagnostics Reports (Linux)

    Attach the diagnostics to an email message addressed to support+forum@1password.com.

    With your email please include:

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!

  • dkoch84
    Community Member
    edited June 2023

    I'm an Arch Linux user using herbstluftwm; for others not using a desktop environment, this might be helpful. The way I worked around this was to first ensure a polkit agent was running (/usr/lib/polkit-kde-authentication-agent-1 in my case; there's a GNOME equivalent). Thanks to 1passj1282 for the tip there!

    Once you have this running, you will get a password prompt. This is still annoying because it happens in every terminal, not just once. Kinda pointless if you already unlocked the GUI app. So what you can do here is take that Action ID ("com.1password.1Password.authorizeCLI") and create a custom polkit rule to not require your password. For me, I find this to be acceptable because this only works if I've already unlocked the GUI.

    The Arch wiki entry on Polkit explains the rest here, but here's my specific solution.

    I'm part of the "wheel" group, so that suffices for me, but you can replace that with any suitable group. I placed the rule in /etc/polkit-1/rules.d/49-nopasswd_op.rules

    /* /etc/polkit-1/rules.d/49-nopasswd_op.rules
    *  Allow members of the wheel group to connect the op cli with the 1password app 
    */
    polkit.addRule(function(action, subject) {
        if (action.id == "com.1password.1Password.authorizeCLI" &&  subject.isInGroup("wheel")) {
            return polkit.Result.YES;
        }
    });
    

    Log out/reboot and now, once the 1Password GUI app is unlocked, the CLI authorizes without a prompt.

    [edit by @Joris_1P:] Please note that this will also allow the 1Password app to be unlocked without a password by using the CLI (see comment below).
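
A narrower variant of the rule in the post above, as an added example that is not dkoch84's or 1Password's code: it answers YES only for one named user in a local, active session, and per the edit note a matching request still unlocks the app without a password. The `polkit` object and `decide()` are a stand-in for polkitd's rule evaluation so the decisions can be checked offline, and the user names `alice` and `bob` are hypothetical.

```javascript
// --- Stand-in for polkitd's rule engine (an assumption for offline testing) ---
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// --- The part that would go in /etc/polkit-1/rules.d/49-nopasswd_op.rules ---
// "alice" is a hypothetical account name; the action ID is the one from the post.
polkit.addRule(function (action, subject) {
  if (action.id == "com.1password.1Password.authorizeCLI" &&
      subject.user == "alice" &&
      subject.local && subject.active) {
    return polkit.Result.YES;
  }
  // No return value: polkit tries later rules, then the action's own default.
});

// Run the registered rules in order; the first real answer wins.
function decide(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result != null && result !== polkit.Result.NOT_HANDLED) return result;
  }
  return polkit.Result.NOT_HANDLED; // polkit applies the action's policy default
}

// Constructed subjects mirroring the attributes polkit exposes to rules.
function makeSubject(user, groups, local, active) {
  return { user, groups, local, active, isInGroup: (g) => groups.includes(g) };
}

function runCases() {
  const op = "com.1password.1Password.authorizeCLI";
  return {
    aliceAtDesk: decide(op, makeSubject("alice", ["wheel"], true, true)),
    otherWheelUser: decide(op, makeSubject("bob", ["wheel"], true, true)),
    aliceRemote: decide(op, makeSubject("alice", ["wheel"], false, true)),
    aliceInactiveSession: decide(op, makeSubject("alice", ["wheel"], true, false)),
    otherAction: decide("org.example.other", makeSubject("alice", ["wheel"], true, true)),
  };
}

console.log(runCases());
```

The wheel-group rule from the post would answer YES for `bob` as well, since it matches on group membership alone.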

  • Joris_1P
    edited June 2023

    Hey @dkoch84,

    Thanks for sharing your experience. I will make a note for our team to look into the existing instructions for how to set up the prerequisites on Linux if you do not yet have PolKit. I think we can make some improvements there.

    With regards to your experience with having to enter your password for every terminal session: I do get your frustration. Because of the high level of privilege granted to the CLI, we limit the scope of authorization to a single terminal session, just like sudo does.

    I really appreciate the Arch mentality to just go fix this yourself! The provided snippet does indeed short-circuit the prompt. However, I also want to place a warning: this can also be used to unlock the 1Password app without any password. If you run a CLI command while the 1Password app is locked, the app will also get unlocked. I've added a note to your post to highlight this, I hope you're okay with that :)

    This does lead to a similar option that could be worth looking into: PolKit uses PAM (Pluggable Authentication Modules) to actually handle authentication. If you don't have any biometrics configured, the default user password module will be used by default. It is possible to override this to a variety of other plugins that you might find easier to use, but can still provide a decent level of protection:

    • pam_u2f, which allows you to confirm the prompt by tapping the button of a YubiKey or another U2F token (setup guide).
    • pam_duo, which allows you to confirm the prompt by confirming on your mobile phone (setup guide; I have not yet tried this myself).

    After setting up a PAM module, you'd have to add it to the top of /etc/pam.d/polkit-1 as auth sufficient pam_u2f.so cue or auth sufficient pam_duo.so.

    Let me know if that is of any help.

    Joris

This discussion has been closed.