I’m building a Chrome Extension using Manifest V3, and I need to implement Auth0 so users can log in. This will enable us to make secure API calls to our backend.
All extension components, including the popup and multiple content scripts, would message the background worker to make API calls.
From my research, there are primarily three ways to do it:
1. Log in with Auth0 directly in the Chrome Extension service worker
- Using the Authorization Code Flow with PKCE, we can get an access token in a service worker, and prompt the user to log in if needed.
- References:
  - from @david20 → Auth0 in Chrome Extension Content/Background script MV3 - #3 by mrksbnch
  - from @mirai-auth0 → Robert Tolton | Implementing Auth0 Authentication into a Chrome…
- Problem → since service workers are not persistent, we need to store the access token in the Storage API or keep it in memory. Both options are vulnerable to XSS attacks.
2. Log in with Auth0 in a dedicated web app using the Auth0 SDK, and message the web app to silently obtain the access token
- For example, I have a NextJS web app where I use the @auth0/auth0-react package. There is a provided getAccessTokenSilently() method we can use to obtain the access token.
- The flow would then be:
  - The user opens the Chrome Extension popup, or a content script is injected into a page.
  - They message a service worker.
  - The service worker messages the web app to obtain the access token (using the getAccessTokenSilently() method).
  - The web app message handler sends the access token back to the extension service worker.
  - We then use it to make an API call in the service worker and never store the token (message the web app for every API call).
- Problem → I’m not sure if this is secure enough.
Would something like this work @dan.woda @robertino.calcaterra ?
3. Use the Token Handler Pattern
- References:
- Problem → it requires a lot of work to set up and additional backend resources.
I think including examples in the Auth0 docs would be very useful, as it appears quite easy to encounter security breaches with Chrome Extensions and Manifest V3