This is a cross-post of a Stack Overflow question, since it may be more relevant to security and authentication best practices.
I'm working on authentication between a Chrome extension and Google Cloud Platform, and I'm trying to send the resulting id_token
JWT to an AWS server to retrieve user data (and/or establish a session?).
My question is this -- how can I prevent other Chrome extensions with the tabs
permission from reading the GET request or the redirect URI, which carries the fully validated user JWT?
The JWT confirms that a user is who they say they are, but how do I know that it is my Chrome extension making the request to my backend?
I have a few ideas:
Maybe I can make a private window that only my extension can control
Maybe I can somehow use the nonce or get the nonce from my server first
Maybe my chrome extension has a private key or some way to verify itself with my backend, which has the public key
Any help would be appreciated, it's difficult to research this specific scenario.
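// The id_token flow below puts a bearer credential into a URL that any extension with the
// "tabs" permission can observe, so nothing on this side proves *which* client made the
// request. The backend must verify the token (signature, iss, aud, exp) regardless; the
// nonce check added here only ties the response to this particular request.
// chrome.identity.launchWebAuthFlow is the API intended for this redirect flow and is
// worth evaluating instead of a hand-managed window.
const manifest = chrome.runtime.getManifest();
const redirectUrl = chrome.identity.getRedirectURL();

// 128 bits from the CSPRNG, hex-encoded. Math.random() is predictable and far too small
// for a nonce that is supposed to be unguessable.
const nonce = Array.from(crypto.getRandomValues(new Uint8Array(16)), (b) =>
  b.toString(16).padStart(2, '0'),
).join('');

// Let URLSearchParams do the percent-encoding instead of hand-built concatenation.
const authUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');
authUrl.searchParams.set('client_id', manifest.oauth2.client_id);
authUrl.searchParams.set('response_type', 'id_token');
authUrl.searchParams.set('redirect_uri', redirectUrl);
authUrl.searchParams.set('scope', manifest.oauth2.scopes.join(' '));
authUrl.searchParams.set('nonce', nonce);
const url = authUrl.toString();

/**
 * Parses the authorization response delivered in the redirect URL's fragment.
 *
 * @param {string} redirectedUrl - URL the auth tab landed on (starts with redirectUrl)
 * @param {string} expectedNonce - nonce that was sent in the authorization request
 * @returns {{ idToken: string } | { error: string }} the token when its nonce claim
 *   matches the one we sent, otherwise a short reason. The token is never logged.
 */
function parseAuthorizationResponse(redirectedUrl, expectedNonce) {
  // response_type=id_token returns its parameters in the fragment, not the query string.
  const params = new URLSearchParams(new URL(redirectedUrl).hash.slice(1));
  const error = params.get('error');
  if (error !== null) return { error };
  const idToken = params.get('id_token');
  if (idToken === null) return { error: 'no id_token in response' };

  const segments = idToken.split('.');
  if (segments.length !== 3) return { error: 'malformed id_token' };

  let claims;
  try {
    // The JWT payload is base64url JSON. Decoding it here is NOT signature verification
    // (only the backend can do that); it only reads the nonce claim back out.
    const b64 = segments[1].replace(/-/g, '+').replace(/_/g, '/');
    const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
    claims = JSON.parse(new TextDecoder().decode(bytes));
  } catch (err) {
    return { error: `undecodable id_token payload: ${err.message}` };
  }
  if (claims.nonce !== expectedNonce) return { error: 'nonce mismatch' };
  return { idToken };
}

chrome.windows.create({ url: 'about:blank' }, ({ tabs }) => {
  const authTabId = tabs[0].id;

  // Removes both listeners so neither outlives the auth window.
  function cleanup() {
    chrome.tabs.onUpdated.removeListener(googleAuthorizationHook);
    chrome.tabs.onRemoved.removeListener(onAuthTabClosed);
  }

  // If the user closes the window before the redirect arrives, stop listening.
  function onAuthTabClosed(tabId) {
    if (tabId === authTabId) cleanup();
  }

  // onUpdated fires for every tab; act only when *our* tab reaches the redirect URL.
  // tab.url (available with the "tabs" permission) reflects navigation state; tab.title
  // is a display string and not a reliable place to read the redirect from.
  function googleAuthorizationHook(tabId, changeInfo, tab) {
    if (tabId !== authTabId) return;
    const currentUrl = changeInfo.url ?? tab.url;
    if (!currentUrl?.startsWith(redirectUrl)) return;

    cleanup();
    chrome.tabs.remove(authTabId);

    const result = parseAuthorizationResponse(currentUrl, nonce);
    if ('error' in result) {
      console.error(`Authorization failed: ${result.error}`);
      return;
    }
    // result.idToken is a bearer credential: send it to the backend over HTTPS;
    // do not log it and do not place it in another URL.
  }

  chrome.tabs.onUpdated.addListener(googleAuthorizationHook);
  chrome.tabs.onRemoved.addListener(onAuthTabClosed);
  chrome.tabs.update(authTabId, { url });
});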