
Are 1password shell plugins promoting bad security behavior #617

Description

@pulasthibandara

op CLI version

all

Goal or desired behavior

For platforms that support short-lived access tokens through their own CLI tools (e.g. gh/aws), the 1Password plugin accepting a potentially long-lived access token potentially degrades the security posture of these tools. For a user unaware of the difference, this is a potential risk.

Examples:

  • AWS: aws sso login --sso-session <account-name> creates short-lived tokens
  • GitHub: gh auth login creates a token for the shell and stores it in the system keychain

Current behavior

1Password requests the user to create a token (potentially non-expiring due to the steps involved in the manual process).

Relevant log output
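
Added example, not part of the original issue and not 1Password's code: one way to tell which kind of AWS credential a profile holds, using AWS's documented access key ID prefixes (`AKIA` for long-term IAM user keys, `ASIA` for temporary STS keys). The sample file contents, the profile names and the function names are constructed for illustration.

```python
import configparser

# Constructed sample in the format of an AWS shared credentials file.
# Key IDs follow the AWS documentation placeholder pattern; secrets are dummies.
SAMPLE = """
[legacy]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = CONSTRUCTED-NOT-A-REAL-SECRET

[session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = CONSTRUCTED-NOT-A-REAL-SECRET
aws_session_token = CONSTRUCTED-NOT-A-REAL-TOKEN
"""


def classify(key_id: str) -> str:
    """Classify an access key ID by its documented prefix."""
    if key_id.startswith("AKIA"):
        return "long-lived"   # IAM user access key: valid until rotated or deleted
    if key_id.startswith("ASIA"):
        return "temporary"    # STS-issued key: expires, needs a session token
    return "unknown"


def audit(credentials_text: str) -> dict:
    """Map each profile in a credentials file to its credential kind."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    result = {}
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        result[profile] = classify(key_id) if key_id else "no-static-key"
    return result


def long_lived_profiles(credentials_text: str) -> list:
    """Profiles that hold a key which never expires on its own."""
    return sorted(p for p, kind in audit(credentials_text).items()
                  if kind == "long-lived")


if __name__ == "__main__":
    for name, kind in audit(SAMPLE).items():
        print(f"{name}: {kind}")
```
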

Labels: question (Further information is requested)