Chrome 扩展登录最佳实践 [英] Chrome extension login best practices

问题描述

我正在创建一个 Chrome 扩展弹出窗口并需要登录.目前，我将使用用户名和密码进行自己的身份验证，但扩展程序中的最佳实践是什么?

这是我的想法:

• 我将使用帖子登录远程服务器.
• 取回一个令牌，我将在本地存储一段时间.
• 弹出窗口也应该有一个寄存器

将所有内容都保存在扩展程序中好吗?这是我希望我的用户所在的位置，而不是在某些网站上进行注册等等.

从登录到主页"或注册页面的变化，是否应该通过消息传递来完成?

解决方案

您应该始终使用 OAuth 2.0 用于扩展中的身份验证.切勿传递用户名/密码，因为攻击者可以简单地窃取此类信息.

Chromium 关于扩展中 OAuth 的一个例子是教程:OAuth.

此外，还有一个可用于 OAuth 2.0 的实验性 API，它应该会使整个过程更容易一些.有一篇综合性的博文，来自 Chrome 扩展程序的 OAuth 2.0.

I'm creating a Chrome extension popup and need login. For now, I will make my own authentication with a username and password, but what are best practices within an extension?

Here are my thoughts:

• I will make the login against a remote server using a post.
• Get a token back which I will keep in local storage for an amount of time.
• The popup should also have a register inside it

Is it good to keep it all inside the extension? This is where I want my users to be, and not in some website to register and so on.

The change from login to "home page" or the registration page, should this be done with messaging?

解决方案

You should always use OAuth 2.0 for authentication within extensions. Never pass the username/password because an attacker can simply steal such information.

An example from Chromium regarding OAuth in extensions is Tutorial: OAuth.

Additionally, there's an experimental API available for OAuth 2.0, which is supposed to make the whole process a little easier. There's a comprehensive blog post, OAuth 2.0 from Chrome Extensions.

这篇关于Chrome 扩展登录最佳实践的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！