I’m building a Chrome Extension using manifest v3, and I need to implement Auth0 so users can log in and make secure API calls to our backend.
I plan to rely on a background worker, messaging, and Chrome storage.
All extension components, including the popup and multiple content scripts, would message the background worker to check if the user is logged in.
If not, the background worker will redirect the user to a web page where we use the React Auth0 SDK.
It would then redirect the user to the Auth0 domain login page.
Once the user is logged in, we redirect back to the same web page and store the access token in the persistent storage available to browser extensions, in conjunction with SubtleCrypto (SubtleCrypto - Web APIs | MDN).
The access token would then be available in the background worker, allowing all popup and content script code to message the worker to make API requests and get responses back.
Would this be a good implementation?
Would it be secure enough?