 

Getting the Auth Token for the secondary Id from Google chrome extension using OAuth 2.0 & Client ID

I am fairly new to developing Chrome extensions, more specifically to the user authentication part in Chrome extensions. I am following the User Identity example from the Google Developer docs.

The example works perfectly fine. I was able to generate the client id for the Chrome app, add the scopes for the APIs (in my case the Gmail API) and finally get the Auth Token by adding the identity permission in manifest.json as follows:

"oauth2": {
  "client_id": "MY CLIENT ID",
  "scopes": [
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify"
  ]
}

And my app.js is a content_script which has the following code:

chrome.identity.getAuthToken({ 'interactive': true }, function(token) {
  /* With which I can use xhr requests to get data from the Gmail API */
  console.log('Access Token : ' + token);
});

Now this token that I get gives me the result for the user with which I have logged into Chrome. Meaning, let's say I have a UserA with email address [email protected] and I have used this to log into the Chrome browser.

Question

How do I get the associated accounts or the secondary accounts? For instance, let's say a User B logs into Gmail from the Chrome browser. Is it possible to access the Gmail API for that particular user who is currently logged in?

I have tried a couple of things here.

gapi.auth.authorize({
  'client_id': CLIENT_ID,
  'scope': SCOPES.join(' '),
  'immediate': true
}, function(authResult) {
  // do something
});

In the above scenario, the client id and scopes are fetched from the manifest.json using chrome.runtime.getManifest().

  • This method uses client.js from the Google APIs and makes use of the gapi variable.
  • In this case, I get the access token for the user I generated the client id with, not even the Chrome application user.
  • Furthermore, when I open an incognito window and access this plugin, I still get the same user's access token.

Additional Note

I tried the same gapi.auth.authorize() using a Web OAuth 2 Client Id. It works perfectly fine. I mean whenever this authorize is executed it fetches the currently logged-in user's data or it asks for a login where the user can log in and authenticate. How do I achieve the same thing in a Chrome extension? Kindly let me know if I am missing something here.

Sumuga asked Dec 20 '16 16:12




2 Answers

As of now, this is not possible using supported APIs in Google Chrome stable (Version 63). However, in the Dev channel and most likely with a future release, the following will be possible:

chrome.identity.getAccounts(function(accounts) {
  // accounts is a list of accounts.
  chrome.identity.getAuthToken({ 'interactive': true, 'account': accounts[0] }, function(token) {
    /* With which I can use xhr requests to get data from the Gmail API */
    console.log('Access Token : ' + token);
  });
});

See the documentation for getAccounts().


EDIT: Something that might work in the meantime is registering for the onSigninChanged event.

Coder-256 answered Oct 17 '22 16:10


How I ended up handling it was this (summary):

  1. In the page layer, on load, I send a message down the stack to the background layer.
  2. I used launchWebAuthFlow() to https://accounts.google.com/o/oauth2/auth to get the access_token for the account.
  3. I made an AJAX call to https://www.googleapis.com/oauth2/v4/token using the access_token to get a refresh token.

When a user changes which account they are using via the avatar button on the top-right, this process is triggered again, as it is initiated by onLoad for the page layer of the extension.

The things left out of the description above are caching and error handling, which are super-important.

Morfie answered Oct 17 '22 18:10