48

I'm creating a Chrome extension popup and need login. For now, I will make my own authentication with a username and password, but what are best practices within an extension?

Here are my thoughts:

  • I will make the login against a remote server using a POST.
  • Get a token back which I will keep in local storage for an amount of time.
  • The popup should also have a registration form inside it.

Is it good to keep it all inside the extension? This is where I want my users to be, and not in some website to register and so on.

The change from login to "home page" or the registration page, should this be done with messaging?

Peter Mortensen
Rasmus Christensen

1 Answer

40

You should always use OAuth 2.0 for authentication within extensions. Never pass the username/password because an attacker can simply steal such information.

An example from Chromium regarding OAuth in extensions is Tutorial: OAuth.

Additionally, there's an experimental API available for OAuth 2.0, which is supposed to make the whole process a little easier. There's a comprehensive blog post, OAuth 2.0 from Chrome Extensions.

Peter Mortensen
Mohamed Mansour
  • Rasmus, I updated my answer with the tutorial on how to implement it client side. – Mohamed Mansour Sep 06 '11 at 17:41
  • 7
    Is this true? Lastpass allows you to log in inside the popup and they seem secure... – alpalalpal Nov 25 '18 at 00:41
  • is it still working ? I heard there's some part of deprecated one? – gumuruh Sep 13 '19 at 05:47
  • Assuming you only send the username/password over an SSL encrypted connection I don't see what kind of attack oauth protects against that username/password doesn't. Either way you store a secret in the broswer's local storage whose theft allows an attacker to impersonate the user and the SSL cert & encryption protects against sniffing/MITM. – Peter Gerdes Jul 16 '22 at 14:29