My current chrome extension works by injecting a “content script” onto webpages a user might go to. It will enable certain functionality on those web pages, but I would like the user to be authenticated first.
These content scripts effectively run in the same scope as the actual website. Therefore it shares their origins. However, I do also have a service worker running in the background to coordinate the scripts across many websites.
Intended experience
I want the user to login once, and then use that auth token across many different websites AND refresh the token as regularly as is necessary to ensure they aren’t constantly logging back in.
I currently have a dedicated, extension hosted page, that handles authorising through a redirect (although I wish I could get popup working… another thread maybe). When that page finishes authenticating, I want to be able to store the access token and refresh token somewhere so that my extension can access it from any web page. Right now I am leaning towards using chrome’s chrome.storage API to share memory between the tabs. My hope is to then use the service worker to regularly refresh that access token, so whenever my extension loads on a webpage, it can access the storage and get a relevant access token.
What I’ve tried
- Implicit Flow: I requested a token, tried to include the offline_access scope and quickly realised I am not able to get a refresh token this way.
- Code Flow with PKCE: This felt promising, but seems to rely on the session to refresh the token, which I won't have from the different web pages, and am not sure how to use in a service worker.
I would like to get some advice on the following questions:
- Is what I’m trying possible?
- If so, what is the recommended flow to be able to authenticate the user as securely as possible?
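One way to structure the service-worker side of what the post describes, as an added example that is not part of the original post or any answer to it: the worker keeps the access and refresh tokens in chrome.storage.session (extension-only, cleared when the browser closes), decides when a refresh is due from a stored absolute expiry, and content scripts obtain a token by messaging the worker rather than reading storage themselves, so the tokens never sit in a context shared with the page. The refresh call uses the standard OAuth refresh_token grant; TOKEN_ENDPOINT, CLIENT_ID, the message type name and the storage/refresh functions are assumptions made for this example, and the in-memory storage stand-in exists only so the logic runs outside a browser.

```javascript
// Added example (not code from the original post): token cache for an MV3
// extension service worker. Content scripts never read storage directly;
// they ask the worker over chrome.runtime messaging.

const REFRESH_SKEW_SECONDS = 60; // refresh this long before the access token expires
const TOKEN_ENDPOINT = 'https://issuer.example/oauth/token'; // placeholder, assumption
const CLIENT_ID = 'PLACEHOLDER_CLIENT_ID'; // placeholder, assumption

// Constructed in-memory stand-in with the same get/set/remove shape as
// chrome.storage.*, so the logic below can run outside a browser.
function memoryStorage() {
  const data = {};
  return {
    async get(keys) {
      const out = {};
      for (const k of [].concat(keys)) if (k in data) out[k] = data[k];
      return out;
    },
    async set(obj) { Object.assign(data, obj); },
    async remove(keys) { for (const k of [].concat(keys)) delete data[k]; },
  };
}

// Persist a token endpoint response together with an absolute expiry time,
// so the decision to refresh does not depend on when the worker was restarted.
async function storeTokens(storage, tokenResponse, nowSeconds) {
  await storage.set({
    accessToken: tokenResponse.access_token,
    refreshToken: tokenResponse.refresh_token,
    expiresAt: nowSeconds + tokenResponse.expires_in,
  });
}

// True when there is no usable access token or it expires within the skew window.
function needsRefresh(record, nowSeconds) {
  if (!record.accessToken || typeof record.expiresAt !== 'number') return true;
  return nowSeconds + REFRESH_SKEW_SECONDS >= record.expiresAt;
}

// Hypothetical refresh call: exchange the refresh token at the token endpoint
// (OAuth 2.0 refresh_token grant). A public client sends client_id, no secret.
async function refreshWithTokenEndpoint(refreshToken) {
  const res = await fetch(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: refreshToken,
      client_id: CLIENT_ID,
    }),
  });
  if (!res.ok) throw new Error(`token refresh failed: ${res.status}`);
  return res.json(); // may carry a rotated refresh_token; storeTokens keeps it
}

// Return a usable access token, refreshing through refreshFn when needed.
// Returns null when there is nothing to refresh with (user must log in again).
async function getAccessToken(storage, refreshFn, nowSeconds) {
  const rec = await storage.get(['accessToken', 'refreshToken', 'expiresAt']);
  if (!needsRefresh(rec, nowSeconds)) return rec.accessToken;
  if (!rec.refreshToken) return null;
  let fresh;
  try {
    fresh = await refreshFn(rec.refreshToken);
  } catch (e) {
    // A rejected refresh token is revoked or expired: drop it so the next
    // caller is sent to a full login instead of retrying forever.
    await storage.remove(['accessToken', 'refreshToken', 'expiresAt']);
    return null;
  }
  await storeTokens(storage, fresh, nowSeconds);
  return fresh.access_token;
}

// Browser wiring; only runs inside an extension service worker.
if (typeof chrome !== 'undefined' && chrome.storage && chrome.runtime) {
  const storage = chrome.storage.session; // extension-only, not shared with pages
  const now = () => Math.floor(Date.now() / 1000);

  // Content scripts send { type: 'GET_ACCESS_TOKEN' } and receive the token or null.
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    if (msg && msg.type === 'GET_ACCESS_TOKEN') {
      getAccessToken(storage, refreshWithTokenEndpoint, now())
        .then(sendResponse, () => sendResponse(null));
      return true; // keep the channel open for the async reply
    }
    return false;
  });

  // Proactive refresh so a token is ready when a page loads (needs "alarms" permission).
  if (chrome.alarms) {
    chrome.alarms.create('refresh-token', { periodInMinutes: 5 });
    chrome.alarms.onAlarm.addListener((alarm) => {
      if (alarm.name === 'refresh-token') getAccessToken(storage, refreshWithTokenEndpoint, now());
    });
  }
}
```

The content script side is then a single chrome.runtime.sendMessage({ type: 'GET_ACCESS_TOKEN' }) call; because chrome.storage.session is readable only from extension contexts by default, a script injected into a third-party page cannot pull the refresh token out of storage, and the worker is the only place that ever holds it.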