Now that https://github.com/auth0-community/auth0-chrome is deprecated, what advice does Auth0 have for Chrome Extension authentication using Auth0?

Also, the deprecation notice should indicate why it was deprecated (no one willing to maintain, insecure, etc.).

Edit: I noticed auth0-chrome just stores the refresh token in local storage. Is that considered safe?

Edit 2: Would Auth0 recommend chrome extensions use the implicit flow?

Here’s what I’ve got so far. I’ve used Auth0-Chrome to authenticate. I set up Auth0 for a Native app (it’s for a Chrome extension).

I get a refresh token in the initial authentication response. Then when I need to refresh my token, I’m roughly following the Use Refresh Tokens advice but adjusted for JavaScript instead of Node.js (see below).

async _refresh() {
    // fetch refresh token from chrome.storage.local (Storage wraps chrome.storage.local)
    let storageData = await Storage.get(['refreshToken'])
    let refreshToken = storageData.refreshToken
    // build the refresh_token grant request body
    let params = new URLSearchParams()
    params.set('grant_type', 'refresh_token')
    params.set('client_id', EnvVariables.clientId)
    params.set('refresh_token', refreshToken)
    let result = await axios.post(`https://${EnvVariables.auth0Domain}/oauth/token`, params)
    // store new id token (since I'm using with AWS Cognito) in chrome.storage.local
    await this._handleResult(result.data)
}

My concern at the moment, is verifying that storing the refresh token in chrome.storage.local is the best acceptable choice. Documentation at Manifest for storage areas - Chrome Developers does state “Confidential user information should not be stored! The storage area isn’t encrypted”. Does that mean I shouldn’t store the refresh token there? Or is that implying more username/passwords? Also, if I shouldn’t store the refresh token there, where else could I store it?

It’s not acceptable for my extension to require the user to login periodically. They need to be able to login once, and then remain logged in as long as the extension is installed.

Thanks for the reply, what is the supported method to connect Auth0 to a chrome extension? Happy to jump on a quick call.

Got the response from the team.

They advise that in this case the best thing we can do is offer some general guidance around auth flows and token storage strategies, as the QS and sample are no longer maintained, and, when they were, they were “community” supported only.

Here are some links that may help:

Token Storage (published guidance on storing tokens)

There are also changes coming to support refresh token rotation, and you can see the docs PR for the changes here. This is not available or published to the docs site as of now.
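The refresh_token grant from the earlier post's _refresh(), extended with the refresh token rotation handling mentioned in the team's reply, as an added example that is not part of this thread, of auth0-chrome, or of Auth0's own samples. It injects a fetchImpl and a store so the logic runs outside a browser; in an extension you would pass the global fetch and a thin wrapper around chrome.storage.local. The names buildRefreshBody, nextTokenState, refreshTokens, MemoryStore and fakeTokenEndpoint are mine, and the canned responses are constructed. The response fields (access_token, id_token, expires_in, refresh_token) and the invalid_grant error code are the standard OAuth 2.0 token endpoint shape that Auth0's /oauth/token follows.

```javascript
// Form body for the refresh_token grant (RFC 6749 section 6). A public client
// such as a browser extension sends client_id but has no client_secret.
function buildRefreshBody(clientId, refreshToken) {
  const params = new URLSearchParams();
  params.set('grant_type', 'refresh_token');
  params.set('client_id', clientId);
  params.set('refresh_token', refreshToken);
  return params.toString();
}

// Decide what to persist from a successful token response. With refresh token
// rotation enabled the response carries a new refresh_token and the old one
// stops working, so the new value must replace the stored one. Without
// rotation the field is absent and the existing refresh token is kept.
function nextTokenState(previous, tokenResponse, nowMs) {
  return {
    accessToken: tokenResponse.access_token,
    idToken: tokenResponse.id_token,
    expiresAt: nowMs + tokenResponse.expires_in * 1000,
    refreshToken: tokenResponse.refresh_token || previous.refreshToken,
  };
}

// Perform one refresh. `store` is assumed to expose chrome.storage.local's
// promise-style get/set/remove; `fetchImpl` is assumed to be fetch-compatible.
async function refreshTokens({ domain, clientId, store, fetchImpl, now = Date.now }) {
  const previous = await store.get(['refreshToken']);
  if (!previous.refreshToken) {
    throw new Error('no refresh token stored; user must log in again');
  }
  const res = await fetchImpl(`https://${domain}/oauth/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildRefreshBody(clientId, previous.refreshToken),
  });
  const data = await res.json();
  if (!res.ok) {
    // invalid_grant (RFC 6749 section 5.2): the refresh token was revoked,
    // expired, or (with rotation) already used. It is dead, so drop it and
    // force a fresh login instead of retrying forever with it.
    if (data.error === 'invalid_grant') {
      await store.remove(['refreshToken']);
    }
    throw new Error(`token refresh failed: ${data.error} (${data.error_description})`);
  }
  const next = nextTokenState(previous, data, now());
  await store.set(next);
  return next;
}

// Minimal in-memory stand-in for chrome.storage.local's promise-style API.
class MemoryStore {
  constructor(initial = {}) { this.data = { ...initial }; }
  async get(keys) {
    return Object.fromEntries(keys.filter((k) => k in this.data).map((k) => [k, this.data[k]]));
  }
  async set(items) { Object.assign(this.data, items); }
  async remove(keys) { for (const k of keys) delete this.data[k]; }
}

// Constructed fake token endpoint: records the posted body and replies with a
// canned JSON body so the whole flow can be exercised offline.
function fakeTokenEndpoint(status, body) {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, body: init.body });
    return { ok: status >= 200 && status < 300, status, json: async () => body };
  };
  return { fetchImpl, calls };
}
```

The point of nextTokenState is that once rotation is on, every successful refresh changes which token is valid; an extension that keeps using the refresh token from the initial login will start getting invalid_grant after its first refresh, and the sensible response to invalid_grant is to discard the stored token, not to loop.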