1Password Connect provider does not support native item IDs in remoteRef.key #6070

@chadxz

Problem

The 1Password Connect provider only resolves remoteRef.key by
item title or by RFC 4122 UUIDs (the Connect server's own ID
format). It does not support 1Password's native 26-character
item IDs (e.g., gdpvdudxrico74msloimk7qjna).

The root cause is in findItem() at
providers/v1/onepassword/onepassword.go:513. The method uses
strfmt.IsUUID(name) to decide whether to look up by ID or by
title. This check only matches RFC 4122 UUIDs
(687adbe7-e6d2-4059-9a62-dbb95d291143), which are the format
the Connect server generates internally. 1Password's native
item IDs are 26-character base32 strings, so IsUUID returns
false and the code falls through to GetItemsByTitle(), which
treats the ID as a title search and fails with:

key not found in 1Password Vaults: gdpvdudxrico74msloimk7qjna
in: map[My Vault:1]

The item exists and is accessible via the 1Password Connect API
when queried directly by ID. The Connect API's GetItem method
accepts both formats, but the code never reaches that call for
native IDs because strfmt.IsUUID gates it.

Two ID systems

1Password uses two distinct ID formats:

  • Connect server UUIDs -- standard RFC 4122 format (e.g.,
    687adbe7-e6d2-4059-9a62-dbb95d291143), generated by the
    Connect server. The existing IsUUID check handles these
    correctly.
  • Native item IDs -- 26-character base32 strings (e.g.,
    gdpvdudxrico74msloimk7qjna), used by the 1Password app UI,
    op:// references, and the "Copy Secret Reference" feature.
    These are not recognized by the current code.

Real-world impact

1Password's "Copy Secret Reference" feature generates op://
references like:

op://My Vault/gdpvdudxrico74msloimk7qjna/private key

It uses the native item ID instead of the title whenever the
title contains special characters (e.g., parentheses). Teams
that follow a workflow of copying secret references from
1Password will hit this for a subset of their items, with no
obvious indication of why some work and others don't.

Steps to reproduce

  1. Create a 1Password item with special characters in the title
    (e.g., My App (Production))
  2. Use "Copy Secret Reference" in 1Password -- it produces a
    reference using the native item ID rather than the title
  3. Use that ID as remoteRef.key in an ExternalSecret with the
    1Password Connect provider
  4. The sync fails with key not found

Expected behavior

remoteRef.key should accept item titles, Connect server UUIDs,
and 1Password native item IDs, consistent with how the 1Password
Connect API and op:// references work.

Environment

  • external-secrets v1.2.0
  • 1Password Connect provider
  • SecretStore with 1Password Connect backend

Happy to submit a PR with a fix if this is something the project is interested in supporting.
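
The three key shapes described in this issue, as an added example that is not part of the original post or the external-secrets code base: it classifies a remoteRef.key value as a Connect UUID, a native item ID or a title, and pulls the item segment out of a copied op:// reference. ClassifyKey, ItemFromSecretRef and KeyKind are hypothetical names; the UUID regex is a standard-library stand-in for strfmt.IsUUID, and the native-ID pattern assumes the lowercase base32 alphabet (a-z, 2-7).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// KeyKind is how a remoteRef.key value would be resolved (hypothetical type).
type KeyKind string

const (
	KindTitle       KeyKind = "title"        // search by item title
	KindConnectUUID KeyKind = "connect-uuid" // RFC 4122 UUID, look up by ID
	KindNativeID    KeyKind = "native-id"    // 26-char base32 ID, look up by ID
)

var (
	// Stand-in for strfmt.IsUUID so the example needs only the standard library.
	uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)
	// Assumption: native IDs use the lowercase RFC 4648 base32 alphabet.
	nativeIDRe = regexp.MustCompile(`^[a-z2-7]{26}$`)
)

// ClassifyKey decides the lookup path from the shape of the key alone.
func ClassifyKey(key string) KeyKind {
	switch {
	case uuidRe.MatchString(key):
		return KindConnectUUID
	case nativeIDRe.MatchString(key):
		return KindNativeID
	default:
		return KindTitle
	}
}

// ItemFromSecretRef returns the item segment of an op://vault/item/field reference.
func ItemFromSecretRef(ref string) (string, error) {
	if !strings.HasPrefix(ref, "op://") {
		return "", fmt.Errorf("not an op:// secret reference: %q", ref)
	}
	parts := strings.Split(strings.TrimPrefix(ref, "op://"), "/")
	if len(parts) < 3 || parts[1] == "" {
		return "", fmt.Errorf("secret reference has no item segment: %q", ref)
	}
	return parts[1], nil
}

func main() {
	item, _ := ItemFromSecretRef("op://My Vault/gdpvdudxrico74msloimk7qjna/private key")
	for _, k := range []string{item, "687adbe7-e6d2-4059-9a62-dbb95d291143", "My App (Production)"} {
		fmt.Printf("%-40q -> %s\n", k, ClassifyKey(k))
	}
}
```

A title can itself be 26 base32 characters, so a shape check like this can only choose which lookup to try first; it cannot prove that a key is an ID.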
