I am building an chrome extension in which I used
chrome.identity.getAuthToken({
interactive: true
}, function(token) {
if (chrome.runtime.lastError) {
alert(chrome.runtime.lastError.message);
return;
}
var x = new XMLHttpRequest();
x.open('GET', 'https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=' + token);
x.onload = function() {
alert(x.response);
};
x.send();
});
on background.js for google login authentication.
When this function called, a window appear which show logged-in google accounts (if any) but my problem is it shows only 1 account but I logged-in 5 accounts in the browser.
Is there anything which I missed over here ?
And I also need to know how to write logout function ?
chrome.identity will use the account that is "signed in" in chrome://settings. If not signed into Chrome, it will pop up a tab to allow you to "sign in" to Chrome, meaning linking the current profile and a google account.
If you want to show all the accounts simply signed in, you will need to manually create a popup window (using e.g. chrome.tabs.create or window.open and have the redirect url go back to your server which then communicates to your extension (e.g. using sendMessage and onMessageExternal), or if you have tabs permission, you could redirect using urn:ietf:wg:oauth:2.0:oob:auto as your redirect url, which will make the oauth grant appear in the window.title, which you can read with your tabs permission.
Related
I have an an iframe, which uses MSAL authentication. it's parent also uses the same auth mechanism and once the user has logged in the parent app, I should be able to log him in the iframe with SSO. I tried doing it with loginHint but I get this error:
That's the piece of code in the iframe that receives the loginHint from the parent and trying to use it for SSO:
window.addEventListener("message", (event) => {
// check the origin of the data
if (event.origin === parentDomain) {
const loginHint = event.data;
// attempt SSO
publicClient
.ssoSilent({
scopes: ["openid", "profile", "User.Read"],
loginHint,
})
.then((res) => {
console.log(res);
})
.catch((error) => {
console.error(error);
});
}
});
I think it might have something to do with the fact that my organization is using MFA (Multi factor authentication), but I'm not exactly sure. Is there a way to bypass this
without canceling the MFA?
You cannot use interactive login inside IFRAME with MSAL, also embedded webviews can stop working for security reassons authenticathing against third party providers like Google or others (OpenID).
It's not about MFA.
CmsiInterrupt - For security reasons, user confirmation is required for this request. Because this is an "interaction_required" error, the client should do interactive auth. This occurs because a system webview has been used to request a token for a native application - the user must be prompted to ask if this was actually the app they meant to sign into. To avoid this prompt, the redirect URI should be part of the following safe list:
http://
https://
msauth://(iOS only)
msauthv2://(iOS only)
chrome-extension:// (desktop Chrome browser only)
I've created a Chrome extension that works on mail.google.com page and uses gapi to manage emails, and it is not doing well if the Chrome user doesn't match the Gmail user.
The reason is that I'm getting an access_token from chrome.identity.getAuthToken which provides me with a Chrome current user, but not a Gmail one.
I've tried to use gapi.auth2 in my extension to get Gmail users access token, but with no luck:
when used from background.js it gets "gapi.auth2.ExternallyVisibleError: Invalid cookiePolicy" error
when the same code used from content.js it gets "gapi undefined" error.
Is there a way to get an access_token from a current Gmail user, not a Chrome one?
chrome.identity.launchWebAuthFlow worked for me.
create oauth2 url:
var url = 'https://accounts.google.com/o/oauth2/auth' +
'?client_id=' + clientId +
'&response_type=token' +
'&redirect_uri=' + redirectUri +
'&login_hint=' + email +
'&scope=' + scopes;
Where redirectUri is https://<your extension id>.chromiumapp.org/oauth2 and it has to be in the list of Authorized redirect URI (in developers console). I've struggled here a little, because initially I've created "chrome app" credentials and there was no authorized redirect URI's option, so I switched to "web app" credentials.
email is current user email. Specifying email helps to ommit dialog if user have given permissions already.
clientId and scopes need to be specified manually, the they wont't be taken automatically from the manifest.
Then run launchWebAuthFlow:
chrome.identity.launchWebAuthFlow({
'url': url,
'interactive': true
}, function (redirectedTo) {
// check errors and get token from redirect url
});
I'm having issues with my authentication on a Chrome Extension that I am working on to learn. Currently, my extension works for my profiles if users are logged in. As soon as I test this (by giving another party access), the extension does not seem to authorize. Am I doing something wrong here?
Could the below code be causing the issues with authentication? To give some context, this is in the background.js file of my extension.
function auth(token){
chrome.identity.getAuthToken({ 'interactive': true }, function (token) {
if (chrome.runtime.lastError) {
console.log(chrome.runtime.lastError);
//Push Manual Authorise Button to UI
} else {
//Authorised
console.log('Token acquired: ' + token +
' See chrome://identity-internals for details.');
classroomsExist(token);
}
return token;
});
}
Update:
I have tested this on another user account by loading the extension manually, as an unpacked extension and the authentication works. What could be causing the issue when installing from the webstore? My application ID is the same in manifest.json as Google Developer Console.
The client_id changes when you publish, so the manifest.json and app code needs to update any references to it when publishing to the web store.
I am working on a Chrome extension where the backend server requires offline access and a refresh token for the user's account. I am not familiar with Chrome extensions, and not sure how I should do the authorization in this case.
The benefit of using chrome.identity is that I can set interactive=false and attempt to authorize without bothering the user when the plugin loads. However, the getAuthToken() method doesn't provide a way for the backend to get a refresh token.
If, instead, I use the launchWebAuthFlow() method and redirect user back to OAuth page, i.e.
chrome.identity.launchWebAuthFlow({
url: https://*<my_host>*/auth/google,
interactive: true,
}, function(url) {
var uri = URI(url),
params = uri.search(true);
var token = params.authToken;
done(token);
});
where https://*<my_host>*/auth/google is my server OAuth path, then for some reason the Permissions scope page doesn't show up. Instead, it shows the Google login page. (Note: if I navigate to https://*<my_host>*/auth/google using the browser, it permissions page shows correctly.)
Is there anyway to do this with chrome.identity API? If not, do I have to do the OAuth using a popup? What's the proper way to do this normally?
In my packaged app I call
chrome.identity.getAuthToken({'interactive': true }, function (token) {
console.log('user token: ' + token);
});
but every time i enter with different google accounts it produces the same token. What could possibly go wrong here?
Chrome app identities are tied to the Google account signed into Chrome. You can change the current signed in account in Chrome settings, but I recommend you create a new Chrome profile instead.