1Password 8's new Universal Autofill works well - but there are still some circumstances where I find it helpful to use KM to type 1P passwords. And that's now much easier with the new 1Password CLI.
The subroutine below retrieves and types a password, TOTP, or any other field from 1Password. It's much more reliable (and far quicker) than my previous macro which used keyboard navigation in 1Password 7 Mini. It types rather than pastes the password for both security and compatibility with non-standard password dialogs.
As ever, constructive criticism is very much welcomed.
I haven't worked through all of the options and error handling yet, but it's been working well for me for the last week or so.
(And apologies if someone else has already posted something like this; I've seen references to the CLI being used but not to a macro.)
You'll need to:
Install the 1Password op CLI tool (I found I needed to install it using the "Manual" method - which only required the download and installation of a standard macOS package - as I don't permit my normal user account to run sudo, which their Brew method requires).
To retrieve TOTP codes, you'll also need to install the jq JSON Query command-line tool. I used Homebrew for this: brew install jq.
Download the main "Type a password from 1Password" subroutine macro below and import into Keyboard Maestro.
If your Mac has an Apple Silicon (M1) CPU, swap the path to jq in the "Sign into 1Password and find the OTP..." step to /opt/homebrew/Cellar/jq/1.6/bin/jq (or equivalent), as Rob describes below.
Check/fix the default Account in the "Parse parameters" step. I use "my.1password.eu" but you may need to change that to "my.1password.com" or "my.1password.ca". That's the only account-specific item in this macro; everything else is supplied as parameters to the subroutine.
Test with something like the second and third macros below, substituting for the name of one of the items in your 1Password vault. Note that only the Vault and Item name/ID have to be specified (and you could of course change that if you only have a single vault) - plus the Type for a TOTP item.
If you have any problems with the name of an item (or you think it might get renamed over time) use its persistent Item ID rather than its name. It can be found using the op item list | grep NAME command or using Edit > Copy Private Link (then isolating the part after the i= in the query string).
If you run into problems, consult the KM log: tail -f ~/Library/Logs/Keyboard\ Maestro/Engine.log and try to run the equivalent op commands (substituting for account, vault, item etc) on the command line.
Here are two test macros (you'll need to add a trigger and adjust the names of the Vault and Item to suit your own items), showing the optional Description (which will trigger a notification when present) and specifying a "TOTP" Type...
Does this require Biometric Unlock (rather than it being optional for Watch users), and therefore also require 1Password 8? Otherwise I'm not sure how to pass in the account's master password, since a KM "Execute Script" action isn't interactive.
Still on v7 myself and trying to avoid bouncing a Terminal window and grabbing the creds with commands in that, so would love to know if you solved this!
Sorry for the late reply, Nige - I was away when you posted.
No, biometric unlock isn't required; you can still use the password to unlock.
However, I believe that the CLI itself (which this macro uses) only comes with 1Password v8.
Whilst I'd recommend moving to v8 (and using Universal Autofill where possible), I do have old macros for typing a password/TOTP from 1Password v7, but they're far more temperamental! Let me know if they'd help you and I'll upload them... (though I suspect there are several alternatives already in prior forum posts).
I'm wondering if turning on biometric is what enables you to use the local account, rather than the 1Pass master password?
v8 requires Catalina, and a couple of my machines are limited to 10.13 or 14 for either hardware or software reasons (nothing to do with my aversion to Electron apps, honest!). v7 requires you to authenticate to get a 30-minute session token, and that requires an interactive session...
I've got a nice bounce-through-Terminal going which I might post when I'm happy with the results. It may not be specifically useful, but might have a couple of tricks people could use in their own projects.
A quick test suggests they've changed the CLI's commands/returns -- you'll need to include --reveal in any command that's retrieving (at least) a password. So if you have:
op item get MySecretService --fields label=password
...you need to change it to
op item get MySecretService --reveal --fields label=password
Hopefully @coordinated will update the macro above, otherwise I'll see what I can achieve with some amateur poking around...
After-poke edit:
I think there is only one change needed in the "Type a password from 1Password" subroutine. Add --reveal to the shell script of the "Sign into 1Password and find the right password..." action. Full script:
I hadn't noticed, as apparently I manually installed the CLI package when it first came out, and 1Password doesn't warn when it's out of date. brew install now done.
It works, but I've had to disable the ‘Check that 1Password is installed’ subroutine because it's not available.
2024-08-20 15:02:25 Execute a Subroutine action failed to find the macro to execute. Macro cancelled (while executing ***Check that 1Password is installed***).
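An added example, not the macro's own script and not code from any poster in this thread: a shell wrapper that combines two points made above, taking the persistent Item ID from the i= parameter of a private link and passing --reveal when fetching a field. The function names are hypothetical, and the TOTP branch uses the CLI's own --otp flag rather than the jq step the macro uses.

```shell
#!/bin/sh
# Added example; needs the 1Password CLI (op) on PATH when actually used.

# Print the persistent item ID (the i= query parameter) of a private link.
# The function body is a subshell, so its variables stay local to it.
item_id_from_link() (
  q="&${1#*\?}&"                  # query string, with & on both ends
  case $q in *"&i="*) ;; *) exit 1 ;; esac
  id=${q#*"&i="}                  # drop everything up to the first "&i="
  id=${id%%"&"*}                  # drop the parameters that follow
  [ -n "$id" ] && printf '%s\n' "$id"
)

# Print one field of an item on stdout.
# usage: op_fetch ACCOUNT VAULT NAME|ITEM_ID|PRIVATE_LINK [FIELD_LABEL|totp]
op_fetch() (
  account=$1 vault=$2 item=$3 kind=${4:-password}
  case $item in
    https://*) item=$(item_id_from_link "$item") || exit 2 ;;
  esac
  case $kind in
    totp|TOTP) set -- --otp ;;                  # current one-time code
    *) set -- --fields "label=$kind" --reveal ;; # --reveal as described in the thread
  esac
  secret=$(op item get "$item" --account "$account" --vault "$vault" "$@") || exit 1
  [ -n "$secret" ] || exit 1      # never hand an empty string to the typing step
  printf '%s' "$secret"
)
```

The output is written to stdout only, so the calling action can capture it in a variable and type it without the value reaching the log.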