How to authenticate a Chrome extension using Blazor Server
Our users sign in to the Blazor app using the standard Identity authentication with their own username and password. We want users to be able to authenticate themselves to use the Chrome extension by being redirected to sign in to the Blazor app. There are so many different auth flows that I don't know what makes the most sense here. Is OAuth2/OpenIddict overkill?
We just need to get basic information about the user: name, email, as well as authorize them to use a couple of endpoints that the extension uses. The authorization needs to be added in addition to the current authorization we use.
2 Replies
So your Blazor app uses a regular ASP.NET backend with Identity for login? I think what might work is
- Your chrome extension opens the web auth flow https://developer.chrome.com/docs/extensions/reference/api/identity#method-launchWebAuthFlow
- The popup will be forwarded to your login page
- Login page does its thing, and in the end you'd probably redirect and therefore transfer the final token in the redirect which your Chrome extension can then capture in the callback
I think some critical details would be that you can't use cookies IIRC since there's no way to store these in the background service
That's the convenient detail the browser usually handles for you when it comes to not exposing the token
If you use a JWT it would probably mean you'd have to transfer the JWT in the redirect query string right away, which is not very neat
I could imagine that in this case OpenIddict could come in handy, since you can basically do a PKCE-like flow
So the token you send to the extension is not the JWT & refresh token combination straight up, but only the authorization code
So your chrome extension can implicitly hold the corresponding verifier to exchange for the access & refresh token together with the auth code
It's a bit awkward overall because of the cookie and the embedded auth callback situation
Oh, and chrome extensions can also access cookies of a page depending on the permission. So if you have an existing session somewhere, you could also reuse that cookie