Menu
Context
My HapiJS web application is currently using OAuth 2.0 to access Google APIs. Once a user authenticates in the app, the server generates a JSON Web Token (JWT) which is stored on the client and sent back in the Authorization header of subsequent requests.
What I would like to accomplish
I now would like to use the same steps (authorization + creation of a JWT) with my Google Chrome extension which syncs data back to the app via a REST endpoint.
Current Thoughts
My idea is to use the same OAuth authorization as I have in my application to generate a JWT and then to save this JWT into the Chrome extension. This JWT will then be passed with each request from my chrome extension to my application to validate the request.
Unfortunately, it seems that the Chrome extension is using its own authorization through the Chrome Identity API and won’t let me use the authentication process I had in mind.
The diagram below describes the steps I’m envisioning to get the JWT created on my application then saved on my chrome extension (and also points to where the problem lies):
The Question
So my question is: Is there another or a better way to store a JWT created on my application to my Chrome extension?
Hope my explanation is clear enough
512
# Create OAuth client ID Once ready, select Credentials in the sidebar, click Create credentials and choose OAuth client ID. On the Create client ID page, select Chrome App. Fill out the name of the extension and place the extension ID at the end of the URL in the Application ID field. Finish by clicking create.
You can use your localStorage to save your jwt from the web app, then, if your extension runs on the same domain, you can access saved information from the localStorage through a content script, that gets injected in that page. You can communicate with your popup using the Message Passing API for Chrome extensions.
The problem with this approach comes with the fact that saving sensible information like user info (which is encoded in the jwt) is frowned upon due to security concerns.
Ideally, you should have a server which handles the authentication back and forth, saves the information and emits a session token for its clients, which then you can save in the localStorage if you wish.
84
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
