search

1Password / connect

Access your 1Password secrets using a 1Password Connect Server
https://developer.1password.com/docs/connect
149 stars 28 forks source link

op cli + 1password connect 141 vault limit on create token #74

Open hortonew opened 9 months ago

hortonew commented 9 months ago

Works: op connect token create "token_with_141_vaults" --server "your_server_id" --expires-in 1h --vault vault1 --vault vault2 ... --vault vault141

Doesn't work: op connect token create "token_with_142_vaults" --server "your_server_id" --expires-in 1h --vault vault1 --vault vault2 ... --vault vault142

Error

[ERROR] 2023/10/03 10:58:37 failed to RegisterToken: "Validation: (400) (Bad Request), The structure of request was invalid.

Tested on versions of op cli from v2.6.0 through the latest v2.21.0 and it's been a problem consistently for the past year.

edif2008 commented 5 months ago

Hey @hortonew,

What you're encountering here is that your request would generate a Connect token that is over the allowed maximum size. In general a Connect token can have permissions up to 100 vaults. This limit is in place to ensure that the size of the token isn't too large, specifically 8KB. This is based on the recommended size of JWT tokens:

Note that if you send JWT tokens through HTTP headers, you should try to prevent them from getting too big. Some servers don't accept more than 8 KB in headers.

With 141 vaults or more, your Connect token would be over 8KB, which you would no longer be able to use when interacting with Connect due to it being too large.

An alternative solution to this is to create separate tokens that access subsets of the vaults the Connect server can access.