Log into Chrome Extension without OAuth2

Submitted by 醉酒当歌 on 2020-01-25 08:56:06

Question


I'm wondering if it's possible to set up secure login authentication in a Chrome extension without OAuth2. I'm considering setting it up as follows:

  1. On opening the extension, send a POST to server which returns the CSRF token
  2. JavaScript inserts the token into the usual login form (as in Django template)

[steps 1 and 2 replace the usual Django template rendering]

  3. User provides username and password and submits the form
  4. Success/Fail JSON response is returned and handled appropriately
  5. CSRF token is stored as a cookie (or in browser storage that Chrome extensions use) to enable automated login until it expires

Would be great to hear possible problems/corrections to this approach as well as pointers to relevant resources!

== UPDATE ==

It seems like chrome.identity.launchWebAuthFlow is the way to go. I found resources that explain how to implement it client-side but they all say nothing about how to authenticate server-side for non-Google accounts:

  • "The provider will perform authentication" - how?
  • "Validation of the returned access token isn't shown here"

It seems that the last missing ingredient is to write code that validates a URL such as:

https://www.my-app.com/dialog/oauth?client_id=123456789012345&redirect_uri=https://abcdefghijklmnopqrstuvwxyzabcdef.chromiumapp.org/provider_cb&response_type=token&scope=user_photos

That will surely be done by another Chrome Identity API call from my application's server. I looked through a large number of resources (and related stack overflow questions) and they provide no clear answer. Thanks!

Source: https://stackoverflow.com/questions/59045885/log-into-chrome-extension-without-oauth2
