Embedding client Id in chrome extension


I am building a Chrome extension which will interact with the Salesforce Chatter API. But for a user using OAuth (user-agent flow) authentication, I need to embed my client key in my extension.

Will this cause any security problem? Or is there a way to use oAuth without embedding client id in my extension?

3

There are 3 answers

0
Jan Gerlinger On BEST ANSWER

The client id has to be included in a request, so the provider knows that the request came from you, as @Matt Lacey already pointed out. Normally, the provider also issues a confidential client secret that is additionally included in the access token request, so the provider can verify that your app is allowed to use that client id.

Chrome extensions run on an open platform and the platform itself provides no methods for either authenticating the extension against a server (which salesforce would then also have to support) or storing properties securely (would be hard, if not impossible on an open platform), so keeping the client secret confidential is unfortunately not possible.

As this is a common problem, it is already considered in the OAuth specification (see section 10.1 Client Authentication and 10.2 Client Impersonation). The provider is therefore required to do additional checks, but on the client side you can't do anything to effectively improve security.

If you want some more insight into how this will be handled on Android devices in the future, check out my answer here.

1
Matt Lacey On

You have to embed the client ID in the extension to let Salesforce know what the app is that's trying to authenticate. These client IDs are intended to always be stored and passed to the server, so as long as you're storing it in a secure manner there shouldn't be a problem.

3
Daniel Blackhall On

As Matt explained, if you are creating a packaged app you will be forced to include the client id. Another solution is to write the app as a hosted app:

What is the difference between packaged apps and hosted apps?

The drawback of this is the added complexity of managing a web server. But it will allow greater security.