Sync auth state between multiple applications (SPA & Chrome Extension)

Hi @minibar,

Login/logout works on 3 layers. There is the application session (in the case of a SPA this is a token cached in memory), the Auth0 session (this is a cookie that is related to the login domain, and allows for things like SSO across applications on a browser, or lets a SPA refresh a token silently in an iframe, checking that there is a valid Auth0 session), and the IdP session (which is maintained by the IdP, whether that is a social provider like Google/Facebook, or an enterprise provider).

Outlined here:

With that in mind, we use the Auth0 session to allow a user to log in to Application A, starting a session (cookie) with Auth0 and the login domain, and when Application B directs a user to log in to that domain, Auth0 will verify the session and return a token without prompting for login.

I am not familiar enough with Chrome extensions to give a full-blown solution, but it should be possible to log a user into your SPA, start the session with Auth0 via the cookie, then have the user log in to the extension without having to provide credentials. This assumes the extension has access to the cookie in the browser.

Hope this helps!

Thanks,
Dan
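
An added example, not part of the reply above or Auth0's own code: the no-prompt login from the second application written as a standard OIDC authorization request with `prompt=none`, with handling for the `login_required` result that comes back when no session exists on the login domain. The domain, client ID, redirect URI and function names are assumed placeholders, and the caller is assumed to generate `state`, `nonce` and the PKCE challenge.

```javascript
// Added example. All hostnames, IDs and function names here are constructed placeholders.
// OIDC errors meaning "a session or consent is missing, an interactive login is needed".
const SILENT_ERRORS = new Set(["login_required", "consent_required", "interaction_required"]);

// Build an authorization request that must not show any UI (prompt=none).
// It succeeds only if the browser already holds a valid session cookie for the login domain.
function buildSilentAuthUrl({ domain, clientId, redirectUri, state, nonce, codeChallenge }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: "openid profile",
    prompt: "none",
    state,                       // random per request, checked on return (CSRF protection)
    nonce,                       // bound into the ID token, checked after code exchange
    code_challenge: codeChallenge,
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Interpret the redirect that comes back from the login domain.
function parseSilentAuthResponse(redirectUrl, expectedState) {
  const params = new URL(redirectUrl).searchParams;
  // Check state first: a response that does not match our request is never trusted.
  if (params.get("state") !== expectedState) {
    return { status: "rejected", reason: "state_mismatch" };
  }
  const error = params.get("error");
  if (error) {
    return SILENT_ERRORS.has(error)
      ? { status: "needs_interactive_login", reason: error }
      : { status: "rejected", reason: error };
  }
  const code = params.get("code");
  return code ? { status: "ok", code } : { status: "rejected", reason: "missing_code" };
}
```

In a Chrome extension the URL would typically be passed to `chrome.identity.launchWebAuthFlow` and the resulting redirect URL to `parseSilentAuthResponse`; a `needs_interactive_login` result means falling back to a normal login prompt.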