mulbc / vaultPass

A Chrome extension to leverage Hashicorp Vault as Credential Storage for teams
MIT License

Allow login with token only #50

Open hagaram opened 7 months ago

hagaram commented 7 months ago

Hi, I'm trying to use the chrome extension (thank you very much for it), but I'm not able to login using token only. The auth method drop down doesn't work for me neither in Vivaldi (chromium) nor Firefox.

Either way I found the available options here: https://github.com/mulbc/vaultPass/blob/a52c2b9e4fed8e0330874f61ff19199c9e64d07d/options.html#L54

And I can't seem to find token login option mentioned here https://github.com/mulbc/vaultPass/issues/21#issuecomment-1303774319

Could you please help with logging in with token if it is implemented? Or would you please consider implementing it. It would be very helpful.

Thank you very much!

mulbc commented 7 months ago

The auth method selection is not a dropdown, but more like a freetext field with "suggestions". You can view all suggestions by deleting all text in the field and pressing space in the field: [image] This is weird - why do we do this? --> Because Vault admins can mount the secrets at any "mount point". So what you need to enter here might differ.

For the token login method - browse (with your browser tab, outside of the extension) to your Vault instance, login with any method you like. Now while your tab is on the Vault page, open up the Extension, go to options and click the "Get Token from Vault" button. This ignores all other fields and logs you into Vault immediately with the Token you gained when you logged into Vault earlier. (#magic) [image]

hagaram commented 7 months ago

@mulbc Thank you very much for answering and helping.

This is not quite what I'm looking for. What I'm trying to achieve is to use different token/approle - anything really - with policy, which would explicitly allow access only to specific kv2 mount. But not my main userpass (keycloak will be implemented in the next few months, which might not work..even though I see okta).
That's why I'm trying to use token as it's universal. What I'm trying to avoid is creating another account just for this.

In this mount, only secrets we would agree on in team would be stored --> so for example, if the browser plugin gets 'hacked', or chrome somehow tries to "steal" something - it won't be such an issue. Token would be ideal IMHO, because if my account gets deleted. Yes, I agree, that it's paranoid, but that's what our team agreed on as a whole.

What I can think of is log in with my regular account and then swap token somewhere in plugin settings for a less powerful one.

mulbc commented 7 months ago

Being paranoid in security can be a good thing as long as it doesn't get in the way too much ;)

IMO the problem is with this last sentence:

> What I can think of is log in with my regular account and then swap token somewhere in plugin settings for a less powerful one.

Can you explain to me how this "token swap" would work in detail? Like how you would do this outside of the extension?

hagaram commented 7 months ago

What I had in mind would be (ugly) workaround such as this:

  1. login to vault via plugin's settings page or use extension "Get token" functionality.
  2. In the second step generate token manually in Vault with intended policy I would like to use for vaultpass extension.
  3. Replace token string somewhere on file system level, where particular browser saves its data.

Last step assumes that the browser extension saves the settings somewhere - which might not be correct.
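Step 2 of the workaround above (a token that can only reach one KV v2 mount) is the part that is independent of the extension, so here is an added example of what it looks like against Vault's HTTP API. This is not code from vaultPass or from either participant; it uses only the Python standard library, and the mount name `team-kv`, the policy name `vaultpass-team-kv` and the `VAULT_ADDR`/`VAULT_TOKEN` environment variables are assumptions for the illustration. The point it makes beyond the thread: a KV v2 mount needs grants on both the `<mount>/data/*` and `<mount>/metadata/*` paths, and the token should be created with `no_default_policy` so it inherits nothing from `default`.

```python
"""Build a least-privilege Vault ACL policy for one KV v2 mount and mint a
token that carries only that policy, using Vault's HTTP API (stdlib only)."""
import json
import os
import urllib.request


def kv2_readonly_policy(mount: str) -> str:
    """Return HCL for a policy that can only read/list secrets under `mount`.

    KV v2 serves secret bodies under <mount>/data/* and listing/version info
    under <mount>/metadata/*, so both prefixes are needed; nothing else is
    granted (no sys/*, no auth/*, no other mounts).
    """
    mount = mount.strip("/")
    return (
        f'path "{mount}/data/*" {{\n  capabilities = ["read"]\n}}\n\n'
        f'path "{mount}/metadata/*" {{\n  capabilities = ["read", "list"]\n}}\n'
    )


def token_create_body(policy_name: str, ttl: str = "8h") -> dict:
    """Request body for POST /v1/auth/token/create pinning the token to one
    policy. `no_default_policy` drops the implicit `default` policy so the
    token has exactly the rights in `policy_name` and nothing inherited."""
    return {
        "policies": [policy_name],
        "no_default_policy": True,
        "ttl": ttl,
        "renewable": True,
        "display_name": f"vaultpass-{policy_name}",
    }


def _vault_request(addr: str, token: str, method: str, path: str, body=None):
    """Minimal authenticated call to the Vault API; returns the JSON body."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path}",
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def mint_scoped_token(addr: str, admin_token: str, mount: str,
                      policy_name: str = "vaultpass-team-kv") -> str:
    """Write the policy, then create a child token carrying only it.
    Returns the new client token; the admin token is used only to mint it."""
    _vault_request(addr, admin_token, "PUT", f"sys/policies/acl/{policy_name}",
                   {"policy": kv2_readonly_policy(mount)})
    created = _vault_request(addr, admin_token, "POST", "auth/token/create",
                             token_create_body(policy_name))
    return created["auth"]["client_token"]


if __name__ == "__main__":
    # Talks to a real server only when VAULT_ADDR and VAULT_TOKEN are set;
    # "team-kv" is a constructed placeholder for the team's KV v2 mount.
    addr, tok = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if addr and tok:
        print(mint_scoped_token(addr, tok, "team-kv"))
    else:
        print(kv2_readonly_policy("team-kv"))
```

The returned token is what step 2 describes; whether the extension exposes a place to enter it (step 3) is the open question in this thread and is not answered by the code. Running `vault token capabilities <token> team-kv/data/foo` against the minted token is the quick way to confirm it has `read` there and `deny` elsewhere.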