Re-authenticating the user

I am new to the OAuth2 and Auth0 world.

I am writing a Chrome extension that works when the user is playing a YouTube video in the Chrome browser. I need basic user information (username and email). The purpose is to get information on users' behaviour in how they use the extension.

So I use Auth0 services to authenticate the user. In the code I do a GET request on https://${domain}/authorize and pass scope as openid profile email. I get an access token and an ID token, which is parsed, and the user information is obtained successfully. My app is registered as an SPA (Single Page Application) in the Auth0 settings.

The user information (name and email) is stored in Chrome local storage. The first question is when to re-authenticate the user. The user may use my extension only for some duration at various times. However, in between two usages, she might have closed the browser, or might have signed out of YouTube/Google and someone else might have signed in. How do I know that now is the time to ask the user to sign in again? For how long can I assume that the previously received user information is still valid?

The next question is: at the time of re-authentication, is there a way I can verify that the same user is still logged in, so that it need not prompt the user and can just re-authenticate in the background? I did try prompt=none in the authorize GET request. But I get an error that login is required.

Hi @amitudedhia,

Welcome to Auth0.

The token has an expiration; after it has expired, you will have to request a new, valid token. This is one way to limit the user’s session. You can also implement silent authentication (it looks like you are trying this already), which will automatically renew the token based on a cookie, or you can renew the token with a cached Refresh Token. This will depend on whether you are treating your app like a SPA or a native app. I think a Chrome extension would be considered a SPA.

Unfortunately, we don’t have a lot of official documentation for how to implement these things in a browser extension, so you may run into some blockers because of that. There are some threads in the Community; you will find the search bar helpful.

This is where silent authentication comes in. You may find this thread useful; some users were able to work through longer sessions in a Chrome extension.

https://community.auth0.com/t/sync-auth-state-between-multiple-applications-spa-chrome-extension/33994/23
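The checks discussed in this thread (token expiry, a silent `prompt=none` request, the `login_required` error, and whether the same user is still signed in), sketched as an added example that is not part of the original posts or Auth0's own code. It assumes the implicit-flow `response_type` of `token id_token`; the domain, client ID, redirect URI and all function names are placeholders.

```javascript
// Added example: domain, client ID, redirect URI and function names are
// placeholders. Decoding a JWT is not validating it; verify the signature too.
const SKEW = 60; // seconds of clock skew tolerated

function jwtPayload(jwt) {
  const part = (jwt || "").split(".")[1];
  if (!part) throw new Error("not a JWT");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)));
}

// Re-authenticate when there is no stored token or its exp claim has passed.
function needsRenewal(idToken, now) {
  if (!idToken) return true;
  const { exp } = jwtPayload(idToken);
  return typeof exp !== "number" || now >= exp - SKEW;
}

function silentAuthorizeUrl({ domain, clientId, redirectUri, state, nonce }) {
  const q = new URLSearchParams({
    client_id: clientId, redirect_uri: redirectUri,
    response_type: "token id_token", scope: "openid profile email",
    prompt: "none", state, nonce,
  });
  return `https://${domain}/authorize?${q}`;
}

// Decide what to do with the URL that the silent request redirected to.
function handleSilentRedirect(redirectUrl, { state, nonce, storedSub }) {
  const u = new URL(redirectUrl);
  const p = new URLSearchParams(u.hash.slice(1) || u.search.slice(1));
  if (p.get("state") !== state) return { action: "reject", reason: "state mismatch" };
  const err = p.get("error");
  if (["login_required", "consent_required", "interaction_required"].includes(err))
    return { action: "interactive_login", reason: err }; // no usable session
  if (err || !p.get("id_token")) return { action: "reject", reason: err || "no id_token" };
  const claims = jwtPayload(p.get("id_token"));
  if (claims.nonce !== nonce) return { action: "reject", reason: "nonce mismatch" };
  if (storedSub && claims.sub !== storedSub)
    return { action: "clear_profile", sub: claims.sub }; // a different user
  return { action: "renewed", sub: claims.sub, exp: claims.exp };
}

// Constructed, unsigned sample token for trying the functions offline.
function sampleIdToken(claims) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.`;
}
```

Comparing the `sub` claim of the renewed token with the one stored alongside the cached name and email is what tells the extension that a different account is now signed in, so the cached profile should be discarded rather than reused.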
