implement Auth0 into chrome extension with one time use tokens

Im making a chrome extension where I want to create a security method for my chrome extension to stop it from getting shared without me in the process

I have an idea to generate a token somewhere (usually some backend, maybe server of the website that gets user registrations/payments my website which I am building with worpress), send token via email, get email+token in extension, make request to webserver to verify that they’re valid. This seems like a typical auth flow except the password is now the token, which is generated instead of set by the user. In other news, I have more ideas (Extension-side prng with shared seed, can check to see if token is within X generations for eg.)

I want to be able to sell tokens on my website which only allow one use to prevent the token from being shared.

I tried to setup the Auth0 for the chrome extension but I keep getting errors and the process doesnt lead to how I would want done.

is a great example of what I want to be able to do. Can anyone help me doing this? I am building my website in wordpress not hard coding it so Im not sure on How to do this exacly

If anyone can point me in a direction of what I am supposed to do or maybe provide some code that could help me?

I really appreciate the help Thank you <3

authenticate on gmail extention

I am creating extension to chrome.
the flow is:
user click on connect button => popup window open to authenticate with google -> i get access token as permission to use google api in user behalf.

my question is: in case user log out and login again how i can secure the user data resonse that coming from my server. because when user login to gmail i use the email written in the html as parameter to return user info. but its not secured. because i can change this email from the console or with script before request sent, or send request manually.
what can be the best practice in that case. i am using Node.js server.

Authenticate Github app through chrome extension

I built a chrome extension which uses the Github API so I need an access token to avoid the rate limits. I don’t need the authentication for anything else. The examples I read always included the client secret (even a chrome extension example ) but I can’t included it for obvious reasons. What’s the default process to resolve this issue? I’m new to both Chrome extension and Github Auth so every resource on the topic is appreciated.

How to make common authentication between 2 server – Rails & Django

the service I’m developing consists of chrome extension & web application.
For it I’m trying to create 2 server:

  • web application server (build by Rails)
  • API server(build by Django) to receive requests from chrome extension and process user data.

Those application use same database, same user information.

My question is how to authenticate users — in Rails app, users can sign-up and sign-in via form. But in API server, how to authenticate users?

One solution might be JWT authentication, user get JWT token from Rails server and send token to Django server, and Django server authenticate by JWT authorization.

Is that best practice — or simply sending username & password is better then this?


Browser Extension – maintain login auth session across multiple domians

Had to ask this question as I couldn’t find the correct way of asking Google.

I am building a browser extension that requires the user to login using his/her credentials.

Lets keep the OAuth2 way aside for a moment there. After logging in, I am storing the JWT token received from the server in the local storage.

Now when the user navigates to another website, the extension does not have access to the stored local storage data due to cross domain access restriction.

I would like to know if there is any way to maintain the session across multiple domain. Can’t ask the user to keep on logging in for every other site, he/she navigates to.

Anywhere else we can store the token to make it accessible everywhere?

Get and store auth_token in chrome extension

I am implementing a chrome extension. Where an user log in(email and password) and get auth token from 3rd party. I want to store this auth token so when sending another request to same party I can use this token. What is good approach to do this. Should I store it ? If yes how? Else what should I do?

How to pass pass user credentials to chrome via Native Messaging API

This is a pretty specific problem to have … but if you’re using Selenium, etc, from a machine which is not part of an Active Directory and you’re being foiled by browser popups, I have a solution for you.

I will explain the problem and link to some resources (and my other questions, with even more links in them) which informed the solution then I’ll post the change I made to the example for the extension I “wrote.”


You’re automating or testing via selenium or something similar … and an auth popup comes out of the blue! But this popup isn’t JavaScript and you’re required not to save any credentials on the machine you’re testing from.

How do you pass through the authentication credentials to the browser and prevent that popup from occurring … but without using keystores, browser storage or, ghasp, a file?

Once you know how to pass that data in, how do you then get the values into the browser in such a way as to allow hands-free authentication?

Can’t Google auth with multiple accounts

I am trying to use the google apis with multiple users in my chrome extension.
The main problems are:
1) If I’m not logged in into browser I can’t auth with google
2) If I login in browser and then try to log in to the app, then autorisoes under that account and in chrome, no matter what account I chose in the menu.

Function toggleGetIdTokenListener invoked from the background.

export const toggleGetIdTokenListener = () => {
  chrome.runtime.onMessage.addListener((request) => {
    if (request.type === 'get_idToken') {

const createRequestURL = () => {
  const manifest = chrome.runtime.getManifest();

  const clientId = encodeURIComponent(manifest.oauth2.client_id);
  const scopes = encodeURIComponent(manifest.oauth2.scopes.join(' '));
  const redirectUri = encodeURIComponent('urn:ietf:wg:oauth:2.0:oob:auto');

  const url = '' +
    '?client_id=' + clientId +
    '&response_type=id_token' +
    '&access_type=offline' +
    '&redirect_uri=' + redirectUri +
    '&scope=' + scopes;

  return url;

const getTokenId = () => {
    url: createRequestURL(),
    active: false
  }, getResponseFromGoogle);

const getResponseFromGoogle = (authenticationTab) => {
  const RESULT_PREFIX = ['Success', 'Denied', 'Error'];

  // After the tab has been created, open a window to inject the tab
  chrome.tabs.onUpdated.addListener(function googleAuthorizationHook(tabId, changeInfo) {
    const titleParts = changeInfo.title.split(' ', 2);
    const result = titleParts[0];
    if (titleParts.length === 2 && RESULT_PREFIX.indexOf(result) >= 0) {

      const response = titleParts[1];

      chrome.identity.getAuthToken({'interactive': true}, function (token) {
        if (chrome.runtime.lastError) {
          console.log('ERROR', chrome.runtime.lastError.message);

        const x = new XMLHttpRequest();'GET', '' + token);
        x.onload = function () {
          populateUserData(JSON.parse(x.response), response);


const createPopupWindow = (authenticationTab) => {{
    type: 'popup',
    focused: true
    // incognito, top, left, ...
  }, function () {
    chrome.tabs.update(, {'url': createRequestURL()});

const populateUserData = (userInfo, id_token) => {
  const userData = [{
    id_token: id_token.substring(id_token.indexOf('=') + 1, id_token.indexOf('&')),
    clientId: '',
    picture: userInfo.picture


Any ideas? Thanks anyway!

Chrome.identity. How to prolong Google authentication token in Chrome extensions?

I’m developing an extension, which requests authentication with Google Calendar.

The built-in method in Chrome API chrome.identity works almost fine, but there is the issue.

Let’s say, a user is authorized in Chrome with account [email protected], but wants to get an access to another account [email protected].

While starting the extensions, I run chrome.identity.getAuthToken({interactive: true}), user authorises the extension, and I get the token.

The problem appears, specifically with the secondary account. The auth token expires, approximately in an hour. And the only way to get a new one chrome.identity.getAuthToken({interactive: true}), i.e. users interaction is required.

Although, if a user chooses authentication with primary account [email protected], I can just run chrome.identity.getAuthToken({interactive: false}) to refresh auth token.

And the question is how can I prolong the lifetime of auth token if a user chooses the secondary account [email protected] without users interaction?


Store oAuth 2.0 Token in Cookies – Good Idea?

Just a quick background,

  • I have built an API which authenticates user via oAuth 2.0 and returns token
  • I have built the chrome extension which allows user to enter login details and send request to API for authentication


When user ticks “Remember Me“, how do I keep the user logged in to
my extension, Do I store the token in Cookies?

What if a user changes the password on some other device, I need to
re-authenticate right? but if I am getting token from cookies and then
those tokens are still valid on my server as I am using ASP.NET
Identity in my API which keeps the token valid for 14 days.

I will be grateful to know the answers to these questions.

thank you