Authentication #1334
-
Hello, I was wondering if you advocate a particular pattern for handling authentication in a web browser extension created using WXT? My (limited) understanding from what I've observed "in the wild" is that if I want to create a web browser extension into which my users can log in, then I should also have a separate website / web service that supports a login flow that issues a JWT (OAuth 2.0 & OIDC, etc.), which can then be accessed with the browser extension (like this). Would you advocate an approach like this? And are there any differences and/or special considerations when using WXT?
Replies: 3 comments
-
I posted a similar question here a few days ago having missed yours. It looks like it's not a totally trivial problem to solve securely.
-
The suggested method is to use OAuth, which is the most secure. Here's a guide using Supabase, but it should be very similar for every other OAuth client (Auth0, GCP, etc.):
https://beastx.ro/supabase-login-with-oauth-in-chrome-extensions
Otherwise, if the API you're using doesn't support OAuth, you can just manage access/refresh tokens (or however the API does authentication) in extension storage. Not super secure, but a solution. Extension storage is more secure than localStorage, but not perfect. You could encode values at rest (like the feature Plasmo provides), making it a bit harder to debug. I plan on adding that to @wxt/storage, but haven't yet.
-
Thanks so much for your reply as always @aklinker1