Oh the joy of learning all about authentication!
I’m writing a chrome extension and I have a backend service that I need to have it talk to. I also have a web frontend with ueberauth-google + guardian and I’d like to share as much as possible. Though lots of failure I’ve learned that I can get chrome to give me an id_token, and I can get an auth_token, but I can’t get an auth_token with the same oauth client_id I’m using for phoenix+ueberauth-google.
It seems that since I’m using google for all auth currently this should be more straight forward. Am I missing something?
Assuming I"m not missing something, below is what I plan on doing.
- user creates an account in my system using google oauth to provide a google “sub” validated by the id_token produced by ueberauth-google. once registered i then use guardian sign_in to create a cookie for future signin.
- user installs chrome extension. chrome.runtime.onInstalled() is triggered which I then use to start chrome.identity.launchWebAuthFlow(…) which ultimately provides the extension an id_token.
- the extension sends the id_token to phoenix which uses either the tokeninfo endpoint or JOSE.JWT.verify (leaning on tokeninfo for this first extension authentication). If verified the token is stored and associated with the user.
- Assuming it is verified phoenix sends back the user_id for my application and start tracking the expiration of the id_token.
- Assuming the token is still valid the extension can use the whole id_token as a key for signing a JWT where the id_token is the JWT secret string since it has already been exchanged with phoenix and associated with the user.
- when the id_token expires get a new one and go back to step 3.
I’m assuming that I can’t reuse any of the authentication logic for a web-user that I can for an extension user, and that all extension requests should be processed in a completely separate stateless token pipeline. Is this correct?
Bonus Question:
How hopeless is supporting firefox extensions in the above scenario