authenticate on gmail extention

I am creating extension to chrome.
the flow is:
user click on connect button => popup window open to authenticate with google -> i get access token as permission to use google api in user behalf.

my question is: in case user log out and login again how i can secure the user data resonse that coming from my server. because when user login to gmail i use the email written in the html as parameter to return user info. but its not secured. because i can change this email from the console or with script before request sent, or send request manually.
what can be the best practice in that case. i am using Node.js server.

How to authenticate an HTTP request from a Chrome Extension in order to use Google APIs

I am writing a chrome extension that writes to a Google Sheets spreadsheet.

The code I have for getting a spreadsheet at a given spreadsheetId is as follows:

function getSpreadsheet() {
  var httpRequest = new XMLHttpRequest();
  // Processes the server response
  httpRequest.onreadystatechange = function() {
    if (httpRequest.readyState == XMLHttpRequest.DONE) {
      // Response was received
      if (httpRequest.status === 200) {
      } else {
        alert('There was a problem with the request.');
  // Makes the HTTP request'GET', '{spreadsheetId}', true);

Currently I get a 403 forbidden error, and I am confused as to how to authenticate my requests.

Ideally, I want to ask the user permission for the chrome extension to access their spreadsheets, and then be able to authorise my requests without redirecting them to Google’s consent screen, as described in their documentation.

Any help on how to achieve this would be greatly appreciated.

Can’t Google auth with multiple accounts

I am trying to use the google apis with multiple users in my chrome extension.
The main problems are:
1) If I’m not logged in into browser I can’t auth with google
2) If I login in browser and then try to log in to the app, then autorisoes under that account and in chrome, no matter what account I chose in the menu.

Function toggleGetIdTokenListener invoked from the background.

export const toggleGetIdTokenListener = () => {
  chrome.runtime.onMessage.addListener((request) => {
    if (request.type === 'get_idToken') {

const createRequestURL = () => {
  const manifest = chrome.runtime.getManifest();

  const clientId = encodeURIComponent(manifest.oauth2.client_id);
  const scopes = encodeURIComponent(manifest.oauth2.scopes.join(' '));
  const redirectUri = encodeURIComponent('urn:ietf:wg:oauth:2.0:oob:auto');

  const url = '' +
    '?client_id=' + clientId +
    '&response_type=id_token' +
    '&access_type=offline' +
    '&redirect_uri=' + redirectUri +
    '&scope=' + scopes;

  return url;

const getTokenId = () => {
    url: createRequestURL(),
    active: false
  }, getResponseFromGoogle);

const getResponseFromGoogle = (authenticationTab) => {
  const RESULT_PREFIX = ['Success', 'Denied', 'Error'];

  // After the tab has been created, open a window to inject the tab
  chrome.tabs.onUpdated.addListener(function googleAuthorizationHook(tabId, changeInfo) {
    const titleParts = changeInfo.title.split(' ', 2);
    const result = titleParts[0];
    if (titleParts.length === 2 && RESULT_PREFIX.indexOf(result) >= 0) {

      const response = titleParts[1];

      chrome.identity.getAuthToken({'interactive': true}, function (token) {
        if (chrome.runtime.lastError) {
          console.log('ERROR', chrome.runtime.lastError.message);

        const x = new XMLHttpRequest();'GET', '' + token);
        x.onload = function () {
          populateUserData(JSON.parse(x.response), response);


const createPopupWindow = (authenticationTab) => {{
    type: 'popup',
    focused: true
    // incognito, top, left, ...
  }, function () {
    chrome.tabs.update(, {'url': createRequestURL()});

const populateUserData = (userInfo, id_token) => {
  const userData = [{
    id_token: id_token.substring(id_token.indexOf('=') + 1, id_token.indexOf('&')),
    clientId: '',
    picture: userInfo.picture


Any ideas? Thanks anyway!