
I’m building a Chrome extension that:

  1. Fetches data from a Google API (e.g. Drive)
  2. From the client, POSTs a different set of data to an API endpoint I control, over HTTPS

In the client, using the chrome.identity API, I’m able to successfully retrieve a short-lived access token (using the implicit flow) that I can use to fetch data from Google APIs. When the token expires, I’m able to silently fetch another in the background. This portion works fine.

Separately, for use case #2 above, I’d like to ensure only the target Google user can successfully POST data. For this purpose, I was considering utilizing the Google Sign-In JavaScript library, retrieving an ID token on successful auth and passing that ID token to my API for server-side validation, as noted here.

The Google Sign-In JavaScript library doesn’t appear to work in Chrome extensions. I was seeing the same error as the author of that issue (“Uncaught gapi.auth2.ExternallyVisibleError: Invalid cookiePolicy”) when trying to implement a Sign-In button within the extension.

I would like to avoid managing any portion of the OAuth / OpenID Connect flow in a custom way. However, using the chrome.identity.launchWebAuthFlow method, I am able to retrieve an ID token, by directing the user to the Google OAuth endpoint using response_type=id_token, adding the correct scopes (“openid” and “email”, for instance) and passing a nonce, like this:

https://accounts.google.com/o/oauth2/v2/auth?
client_id=[client_id]&
response_type=id_token&
scope=openid%20email&
redirect_uri=https://<app-id>.chromiumapp.org/redirect&
state=[state_token]&
nonce=[nonce]

I have three questions:

  • Is there a way to retrieve an ID token from Google using a client library that is known to work on Chrome extensions, so I don’t have to retrieve an ID token using a custom implementation?
  • In general, is using the implicit flow to retrieve short-lived ID tokens from the client, passing that token to a server, and validating the token from the server using Google OAuth libraries an acceptable and secure way to manage this?
  • If this is not ideal, is there a recommended way to validate the user from the API (use case #2) given some of the Chrome extension limitations I’m dealing with? E.g. by using the hybrid flow, or another mechanism?
tcdyl
  • Did you ever figure this out? I am trying to pull an id_token in my crx too right now :/ – kidCoder Oct 28 '17 at 22:59
  • No, but I created a feature request and had some good discussion with the Chrome devs here: https://bugs.chromium.org/p/chromium/issues/detail?id=721851#c13 . Feel free to star that request and tell your friends to do the same :) – tcdyl Oct 29 '17 at 03:06
  • I think the general intent is to coerce devs to use the "Sign Into Chrome" path, which is really simple, but which in my narrow preference provides a suboptimal experience. I will star your request though! – kidCoder Oct 29 '17 at 05:09
  • If you're early enough in your development, maybe try the approach suggested in this answer https://stackoverflow.com/questions/26256179/is-it-possible-to-get-an-id-token-with-chrome-app-indentity-api/32548057#32548057 , it seems to work for a few people, but I am trying to avoid messing with my config anymore because it's byzantine and opaque – kidCoder Oct 29 '17 at 14:44
  • I would recommend _against_ that approach, actually. If you look at the original comment in that Chromium issue, you'll see that I originally asked why chrome.identity.launchWebAuthFlow seems to kill auth cookies on Chrome restart - I noticed chrome.identity.launchWebAuthFlow launched each time users closed and re-opened Chrome. Another thought - you could examine how some tools make persistent Google auth work (e.g. Boomerang, Mixmax). – tcdyl Oct 29 '17 at 16:14
  • Wow, I never even thought about that, I never close Chrome..., I am currently caching the access token locally in the CRX, which is probably not great. I just gave up and restructured some of my endpoints to accept either an access_token or an id_token. Thanks for the insights! – kidCoder Oct 29 '17 at 18:03
