
I have made a chrome extension that uses chrome.identity but now I want to add support for other browsers (e.g. opera). Obviously, most features like getAuthToken do not work: I have to use launchWebAuthFlow. But there is one problem: it does not give the access_token actually.

In the Google Developers Console I have two apps: a Chrome app with the id ...dtrfe... and a web app with the id ...gbo04..., plus a client_secret and redirect_uris.

If I use chrome.identity.launchWebAuthFlow({"interactive": true, "url": "https://accounts.google.com/o/oauth2/v2/auth?scope=...&redirect_uri=https://o**fgjcoofkoe.chromiumapp.org/&response_type=code&client_id=...gbo04..."}) (chrome app), I get a redirect_uri mismatch error (I cannot even set it in the console). So it does not seem like the correct way.

If I use chrome.identity.launchWebAuthFlow({"interactive": true, "url": "https://accounts.google.com/o/oauth2/v2/auth?scope=...&redirect_uri=https://o**fgjcoofkoe.chromiumapp.org/&response_type=code&client_id=...dtrfe..."}) (web app), I get a code, but it is not an access_token: to turn it into an access_token I have to send a request with my client_secret. Obviously, that does not seem like a good thing to do client-side (in a browser extension, where every user can find the source code and get the secret credentials of my app).

How do I handle such situations correctly? Is there a way to 'remake' chrome.identity.getAuthToken in browsers other than Chrome (using chrome.identity.launchWebAuthFlow) without exposing my secret credentials? Or must I, in such cases, make a server that will get the code from the extension and respond with the information needed?

Fortnite
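The server-side exchange raised in the question's last paragraph, as an added example that is not part of the original post: the extension only builds the authorization URL and extracts the `code`, while a backend that holds `client_secret` builds the token request. The client id, secret, extension id and the `state` check are assumptions for illustration; the token endpoint is Google's standard OAuth 2.0 one.

```javascript
// Added example. All ids, secrets and hostnames passed in are constructed placeholders.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
const TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token";

// Extension side: URL passed to chrome.identity.launchWebAuthFlow. No secret here.
function buildAuthUrl({ clientId, redirectUri, scope, state }) {
  const u = new URL(AUTH_ENDPOINT);
  u.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state, // random per-request value, checked again in extractCode()
  }).toString();
  return u.toString();
}

// Extension side: parse the URL handed to the launchWebAuthFlow callback.
function extractCode(redirectedTo, redirectUri, expectedState) {
  const u = new URL(redirectedTo);
  const expected = new URL(redirectUri);
  if (u.origin !== expected.origin || u.pathname !== expected.pathname) {
    throw new Error("unexpected redirect target");
  }
  if (u.searchParams.get("error")) {
    throw new Error("authorization failed: " + u.searchParams.get("error"));
  }
  if (u.searchParams.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }
  const code = u.searchParams.get("code");
  if (!code) throw new Error("no code in redirect");
  return code; // send this to the backend; it is useless without the secret
}

// Server side only: the request that trades the code for tokens.
function buildTokenRequest(code, { clientId, clientSecret, redirectUri }) {
  return {
    url: TOKEN_ENDPOINT,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "authorization_code",
      code,
      client_id: clientId,
      client_secret: clientSecret, // loaded from server configuration, never shipped
      redirect_uri: redirectUri,
    }).toString(),
  };
}
```

The backend would send the object from `buildTokenRequest` with its HTTP client and return only the resulting access token to the extension.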
