doorkeeper: how to share auth data between different clients

I have web client (site) that using password flow to authorize user and saves access_token in localStorage

web client auth flow in rspec tests

# spec/api/current_user/show_spec.rb
require 'rails_helper'

RSpec.describe 'CurrentUser#show', type: :request do
  when_application_exists
  when_user_logged

  it 'can check current user' do
    get '/api/v2/users/current', {}, user_access_header
    expect(response).to be_success
    expect(json_body[:id]).to eq(user.id)
  end
end

# spec/support/api/contexts/when_application_exists.rb
module Api
  module Contexts
    module WhenApplicationExists
      def when_application_exists
        let!(:application) { create :application }
      end
    end
  end
end

RSpec.configure do |config|
  config.extend Api::Contexts::WhenApplicationExists, type: :request
end

# spec/support/api/contexts/when_user_logged.rb
module Api
  module Contexts
    module WhenUserLogged
      def when_user_logged
        let!(:user_password) { Faker::Internet.password }
        let!(:user) { create_user_with_password(user_password) }

        let!(:user_access_token) do
          request_access_token(application, user, user_password)
          json_body[:access_token]
        end

        let(:user_access_header) do
          {
            'Authorization': "Bearer #{user_access_token}"
          }
        end
      end
    end
  end
end

RSpec.configure do |config|
  config.extend Api::Contexts::WhenUserLogged, type: :request
end

# spec/support/api/macroses/authentication.rb
module Api
  module Macroses
    module Authentication
      def request_access_token(application, user, password)
        params = {
          client_id:     application.uid,
          client_secret: application.secret,
          username:      user.username,
          password:      password,
          grant_type:    'password',
          scope:         'user_all'
        }

        post '/oauth/token', params
      end
    end
  end
end

RSpec.configure do |config|
  config.include Api::Macroses::Authentication, type: :request
end

# spec/factories/doorkeeper.rb
FactoryBot.define do
  factory :access_grant, class: Doorkeeper::AccessGrant do
    sequence(:resource_owner_id) { |n| n }
    application
    redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
    expires_in 100
    scopes 'public write'
  end

  factory :access_token, class: Doorkeeper::AccessToken do
    sequence(:resource_owner_id) { |n| n }
    application
    expires_in 2.hours

    factory :clientless_access_token do
      application nil
    end
  end

  factory :application, class: Doorkeeper::Application do
    sequence(:name) { |n| "Application #{n}" }
    redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
  end
end

And I want to make chrome extension (similar to lingualeo chrome extension)

If user logged in web client – chrome extension logged too

If not – it can use login flow from web client
(from options page lingualeo uses auth flow of web client)

enter image description here

but also can use login from extension window

enter image description here

Are web client and chrome extension must share client_id and client_secret? How auth flow must look like?

A forward slash from https:// is being removed when sending a /oauth/authorize request to a Rails app from a chrome extension?

I am making a launchWebAuthFlow authorization code request from a Chrome extension to a Rails app hosted on Heroku. Doorkeeper is an OAuth wrapper for Rails, and that is what is processing my request. More specifically Doorkeeper::AuthorizationsController#new is processing the request as HTML (why HTML?).
The forward slash (/) is missing from both the URL encoded redirect_uri and the redirect_uri shown in the rails params. The url is correct on the chrome extension side of things (unless the launchWebAuthFlow built in function is doing something to it), so I think something is happening on the server.
It works in development so I don’t think anything is wrong on the extension. The app is hosted on Heroku.

Any idea of what could be going wrong here?

Using Oauth for authentication from a browser extension

I’m creating a browser extension to add functionality to some websites and I’m pairing it with my own web app/ api backend. I want authenticate users who POST to the api. And I’m using the Doorkeeper gem with a Rails app to make my app an Oauth2 provider.

The Google page on the topic (https://developer.chrome.com/apps/app_identity) says the client needs to register with the app (I have a sign up page set up) and then use

chrome.identity.launchWebAuthFlow(
  {'url': '', 'interactive': true},
  function(redirect_url) { /* Extract token from redirect_url */ });

to hand the oauth

with

https://www.website-of-provider-with-user-photos.com/dialog/oauth?client_id=123456789012345&
redirect_uri=https://abcdefghijklmnopqrstuvwxyzabcdef.chromiumapp.org/provider_cb&response_type=token&scope=user_photos

being an example of the url

So, my questions are:

1) Doorkeeper gives you an app_id and an app secret I don’t see anywhere to put those in this process. And since it’s an extension it’s all public so I don’t see the point in that anyway.

2) I don’t see how the user is supposed to get a client_id. My idea is that when a user logs in that will trigger the extension to send an ajax request in the background which will get the client_id and then I can keep that in storage. And if it ever gets lost the user can log in again and get it resent.

But just sending a client id doesn’t seem secure and really easy to brute force. Maybe you couldn’t log in as someone particular but you could log in as lots of people if you just have one number to guess.

And if I do make it more secure doesn’t that replace the functionality of the the token, or couldn’t I get the token more directly?