Chrome extension advice

Now that https://github.com/auth0-community/auth0-chrome is deprecated what advice does Auth0 have for Chrome Extension authentication using Auth0?

Also, the deprecation notice should indicate why it was deprecated (no one willing to maintain, insecure, etc.).

Edit: I noticed auth0-chrome just stores the refresh token in local storage. Is that considered safe?

Edit 2: Would Auth0 recommend chrome extensions use the implicit flow?


Hey there @cam!

Totally agree with that! I reached out to our SDKs team to find out more about that!


Here’s what I’ve got so far. I’ve used Auth0-Chrome to authenticate. I set up Auth0 for a Native app (it’s for a Chrome extension).

I get a refresh token in the initial authentication response. Then, when I need to refresh my token, I’m roughly following the Use Refresh Tokens advice, but adjusted for JavaScript instead of Node.js (see below).

import axios from 'axios' // at module top; Storage and EnvVariables are the extension's own helpers

// Exchange the stored refresh token for fresh tokens via the refresh_token grant.
async _refresh() {
    let storageData = await Storage.get(['refreshToken']) // fetch refresh token from chrome.storage.local
    let refreshToken = storageData.refreshToken

    // Form body for the refresh_token grant (sent as application/x-www-form-urlencoded)
    let params = new URLSearchParams()
    params.set('grant_type', 'refresh_token')
    params.set('client_id', EnvVariables.clientId)
    params.set('refresh_token', refreshToken)

    let result = await axios.post(`https://${EnvVariables.auth0Domain}/oauth/token`, params)
    await this._handleResult(result.data) // store new id token (since I'm using it with AWS Cognito) in chrome.storage.local
}

My concern at the moment, is verifying that storing the refresh token in chrome.storage.local is the best acceptable choice. Documentation at Manifest for storage areas - Chrome Developers does state “Confidential user information should not be stored! The storage area isn’t encrypted”. Does that mean I shouldn’t store the refresh token there? Or is that implying more username/passwords? Also, if I shouldn’t store the refresh token there, where else could I store it?

It’s not acceptable for my extension to require the user to login periodically. They need to be able to login once, and then remain logged in as long as the extension is installed.


Hey there!

The team is still processing the request. I pinged them and will get back to you as soon as I have the info back! Thank you!

Any updates here? We’re looking to do the same. Did you find a solution, cam?


I got an update from them: the team is working on more specific guidance, as the repo is deprecated and the methods used in it are no longer recommended. Thank you for your patience!


Thanks for the reply. What is the supported method to connect Auth0 to a Chrome extension? Happy to jump on a quick call.
Matt

Hey there!

As of now we don’t have any public content or guidance on connecting Auth0 to Chrome extensions, which is why I reached out to our SDKs team about it. Once I have an answer from them I will relay it here. Thanks!


Any way we can make this an urgent request? We’re keen to launch our Chrome extension today. Surely many others will have this concern. Matt

I re-pinged the team this morning and am checking with them every day, so as soon as I have the info to share I will do that. Thank you!


Thanks, keen to solve this.

Got the response from the team.

They advise that in this case the best thing we can do is offer some general guidance around auth flows and token-storage strategies, as the QS and sample are no longer maintained, and when they were, they were “community” supported only.

Here are some links that may help:

There are also changes coming to support refresh token rotation, and you can see the docs PR for the changes here. This is not available or published to the docs site as of now.
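To make the refresh flow from cam’s post and the rotation change mentioned just above concrete, here is an added example. It is not Auth0’s code, not from auth0-chrome, and not the code posted earlier in the thread. It performs the same refresh_token grant against /oauth/token, but also persists the new refresh token when the response carries one (refresh token rotation), clears the stored session on invalid_grant, and reads the token’s exp claim to decide when a refresh is due. Storage and HTTP are injected so it runs offline; the names refreshTokens, memoryStorage, fakeTokenEndpoint, LEEWAY_SECONDS and the YOUR_TENANT / YOUR_CLIENT_ID placeholders are this example’s own assumptions, and the in-memory storage and fake endpoint are constructed stand-ins for chrome.storage.local and the real token endpoint.

```javascript
// Added example, not code from Auth0, auth0-chrome, or the posters in this thread.
// Storage and HTTP are injected so the logic runs without a browser or a tenant;
// in the extension pass chrome.storage.local and fetch. Names such as refreshTokens,
// memoryStorage and fakeTokenEndpoint are this example's own assumptions.
const LEEWAY_SECONDS = 60; // refresh this long before the token actually expires

// Read a JWT payload WITHOUT verifying the signature. Use only for scheduling
// (reading `exp`); never for authorization decisions.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
}

function tokenNeedsRefresh(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!jwt) return true;
  const { exp } = decodeJwtPayload(jwt);
  return typeof exp !== 'number' || exp - nowSeconds <= LEEWAY_SECONDS;
}

// Same refresh_token grant body as in the post above, as a form-encoded string.
function buildRefreshBody(clientId, refreshToken) {
  const params = new URLSearchParams();
  params.set('grant_type', 'refresh_token');
  params.set('client_id', clientId);
  params.set('refresh_token', refreshToken);
  return params.toString();
}

// Exchange the stored refresh token for new tokens and persist them.
// `storage` has the promise-returning get/set/remove shape of chrome.storage.local.
async function refreshTokens({ domain, clientId, storage, fetchImpl }) {
  const { refreshToken } = await storage.get(['refreshToken']);
  if (!refreshToken) throw new Error('no refresh token stored; interactive login required');

  const resp = await fetchImpl(`https://${domain}/oauth/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildRefreshBody(clientId, refreshToken),
  });
  const data = await resp.json();

  if (!resp.ok) {
    // invalid_grant: the refresh token was revoked, expired, or (with rotation) already used.
    // Keeping it would only fail again, so drop the session and force a new login.
    if (data.error === 'invalid_grant') await storage.remove(['refreshToken', 'accessToken', 'idToken']);
    throw new Error(`token refresh failed: ${data.error || resp.status}`);
  }

  const update = { accessToken: data.access_token, idToken: data.id_token };
  // With refresh token rotation each grant returns a NEW refresh token and the old
  // one is invalidated; if the new one is not persisted the next refresh fails.
  if (data.refresh_token) update.refreshToken = data.refresh_token;
  await storage.set(update);
  return { ...update, rotated: Boolean(data.refresh_token) };
}

// In-memory stand-in for chrome.storage.local (constructed for this example).
function memoryStorage(initial = {}) {
  const store = { ...initial };
  return {
    async get(keys) { return Object.fromEntries(keys.filter((k) => k in store).map((k) => [k, store[k]])); },
    async set(obj) { Object.assign(store, obj); },
    async remove(keys) { keys.forEach((k) => { delete store[k]; }); },
    dump() { return { ...store }; },
  };
}

// Constructed, unsigned JWT (alg "none", dummy signature) for offline testing only.
function makeUnsignedJwt(payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.x`;
}

// Test double for /oauth/token with rotation on: each refresh token is valid exactly once.
function fakeTokenEndpoint(initialRefreshToken) {
  let current = initialRefreshToken;
  let counter = 0;
  return async (_url, init) => {
    if (new URLSearchParams(init.body).get('refresh_token') !== current) {
      return { ok: false, status: 403, json: async () => ({ error: 'invalid_grant' }) };
    }
    current = `rt_rotated_${++counter}`;
    const exp = Math.floor(Date.now() / 1000) + 3600;
    return {
      ok: true, status: 200,
      json: async () => ({
        access_token: makeUnsignedJwt({ exp }), id_token: makeUnsignedJwt({ exp }),
        refresh_token: current, token_type: 'Bearer', expires_in: 3600,
      }),
    };
  };
}

// Demo against the fake endpoint; in the extension use chrome.storage.local and fetch.
refreshTokens({ domain: 'YOUR_TENANT.auth0.com', clientId: 'YOUR_CLIENT_ID',
  storage: memoryStorage({ refreshToken: 'rt_initial' }), fetchImpl: fakeTokenEndpoint('rt_initial') })
  .then((r) => console.log('refreshed, rotated:', r.rotated));
```

In a Manifest V3 extension the same call works with storage: chrome.storage.local and fetchImpl: fetch. Note what the example does and does not change: it handles the rotation case (persist the returned refresh token, treat invalid_grant as a dead session), but the refresh token still sits unencrypted in chrome.storage.local, which was the at-rest concern raised earlier in the thread, and the exp read here is unverified and only good for scheduling.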