Is it possible to use HTTP-only cookies to store authentication tokens when developing a chrome extension? I have tried using the same API endpoint that I use for the website but it doesn't store the cookie in the chrome extension. If it's not possible, what is the best way of storing an auth token when developing a chrome extension? thanks in advance for your help.
Related
What is the best and secured way to store authentication token in web and mobile application ?
In the mobile store the token using the UserDefault in iOS and SharedPreference in Android. Likewise in the web use cookies to store data.
Reference for UserDefaults: https://www.hackingwithswift.com/example-code/system/how-to-save-user-settings-using-userdefaults
Reference for SharedPreference: https://www.hackingwithswift.com/example-code/system/how-to-save-user-settings-using-userdefaults
Reference for cookies: https://www.tutorialspoint.com/javascript/javascript_cookies.htm
I would like to know the best option for sending session key in my system.
In my system, there is an API server that is used by web browser, command line interface and desktop apps. It authenticates the user by looking at the Authorization HTTP header.
Currently, the browser stores the session key in the localStorage and attaches it in the Authorization header for requests that require login. However, it was pointed out that a more secure way to store secrets such as session keys is using HTTP-Only cookies.
The problem is that the web browser client will not be able to read the HTTP-Only cookie and put the session key in the HTTP header.
Given the situation, I am thinking about extending the API server to use either one of Authorzation header or cookie to authorize users. Is this a feasible option, and are there alternatives?
You are right, Cookies and Authorization headers are not compatible out of the box. As you pointed out, you are looking at two use-cases: one for browser usage and another for API (cli, desktop app).
If you want to support both via a single authentication scheme, you will need to work a bit more. As a good rule of thumb, browsers work well with cookies and its easy to set it up securely. You should opt for cookie-based session management with browsers.
Given the situation, I am thinking about extending the API server to
use either one of Authorization header or cookie to authorize users. Is
this a feasible option, and are there alternatives?
Yes, this is feasible, it will make your browser use-case more secure. As for alternatives, I put together a Web Authentication Guide that will greatly assist you in exploring your options.
Right now I have hard-coded all my keys in the background page. Do I need to secure access_token that is generated after authorization is successful?
By using Google OAuth, they're pretty secured unless you explicitly want to expose them. Also, just place your client_id in your manifest like every chrome extension developer does.
I currently have a web app that implements its own authentication via a "login" REST endpoint which returns a JWT and I would like to reuse this for my Chrome extension's authentication.
The accepted answer in this question suggests that only OAuth 2.0 should be used when authenticating within a Chrome extension otherwise attackers could steal the username & password.
I'm unsure how using an HTTPS POST request within a chrome extension and storing the resulting JWT in the extension's localStorage would be any more vulnerable than a website that does the same thing.
Am I correct in assuming that it is in fact safe to do (HTTPS POST & store JWT in localStorage) and, if so, are there any best practices or common pitfalls to avoid?
All Chrome extension authentication references I've found only talk about OAuth 2.
Thanks
How would I authenticate with Firebase in a chrome extension? I need to specify the allowed domain list in the Forge. Chrome domain for the extension is just a big hash-like string.
I did read this: authClient.login problems
But the hashed based domain of a chrome extension is not being accepted in the Firebase forge. Is there another way to go about it? Currently am just reading the cookie firebaseSessionKey to just assume that I am logged in. But surely that can't be as secure as letting Firebase validate this session key.
As Rob points out, authentication cannot work in an environment that does not enforce origin restrictions. The fundamental problem here is that any authentication provider (Facebook, Twitter, Persona, or your own service) cannot issue an identity to a browser - i.e. it is meaningless to use Facebook to login to your browser (or extension).
The F1 add-on for Firefox ran into a similar problem (http://f1.mozillamessaging.com/) - where you would authorize F1 to post on twitter/facebook on your behalf. The extension had a website to along with it, from where you would serve the login page and proceed as you would normally in a web page. You'll need some code to communicate between the web page and your extension, chrome provides the tools necessary.
I would recommend the same approach - create a web page on a real domain (Github pages is awesome for this) to go along with your extension. This means your extension can't work offline, but neither can your login or writing to Firebase!
This will work using Google Plus Login Flow which I believe is the only one that allows cross authentication so the scopes are Google Plus Login.
"www[dot]googleapis[dot]com/auth/plus.login"
So what is happening here is you will get the access_token from the extension which you will be sending to firebase with the request using authwihtoauthtoken specifying google as a provider along with the access_token acquired from chrome.identity.getAuthToken()!
https://www.firebase.com/docs/web/api/firebase/authwithoauthtoken.html
Now the fact is that this access token could be issued by any other app, so we need to make sure that it is valid and has been issued for our app, basically we need to know there isn't man in the middle trying to access our database.
This verification is being made by the firebase.
They will check if this token belongs to the same application as the token has been issued to.
So you will need to create another set of credentials under the same application in the google developers console as for your extension. We will be basically doing the same thing as if we were to do it for our webpage but we will be inserting this new set of credentials to firebase's google oAuth in their security section.
They will do this check for us there. They will verify with google if the token is issued to the same app.
That's it.
Background Information.
https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken
Use case
Sending ID tokens with requests that need to be authenticated. For example, if you need to pass data to your server and you want to ensure that particular data came from a specific user.
When to verify the access
All tokens need to be verified on your server unless you know that they came directly from Google. Any token that you receive from your client apps must be verified.
Google has a tutorial how to do this for python found at:
"github[dot]com/googleplus/gplus-verifytoken-python"
So basically what is happening here is; instead you doing to verification from on your server, firebase does this verification for you when you enter the CLIENT_ID and APP_SECRET into the firebase and enable the Google Authentication.
The way to do this correctly is a combination or same style of verifying to whom the client_secret was issued. Chrome will give you a access_token and then this access_token will be checked on the firebase's backend.