Chrome扩展程序登录最佳做法 [英] Chrome extension login best practices
问题描述
我正在创建Chrome扩展程序弹出窗口并需要登录。现在,我将使用用户名和密码进行自己的身份验证,但扩展中的最佳实践是什么?
这是我的想法:
- 我将使用帖子对远程服务器进行登录。
- 获取一个令牌,我将保存在本地存储中一段时间。
- 弹出窗口中还应该有一个寄存器 li>
把它全部放在扩展名里面好吗?这是我希望我的用户成为的地方,而不是在某些网站上注册等。
从登录到主页或注册页面的变化,是否应该通过消息传递完成?
您应始终使用 OAuth 2.0 用于在扩展中进行认证不要传递用户名/密码,因为攻击者可以简单地窃取这些信息。
Chromium关于扩展中的OAuth的示例是 教程:OAuth 。
另外,还有一个实验性API可用于OAuth 2.0,这应该可以让整个过程变得更简单。有一篇全面的博客文章 来自Chrome扩展程序的OAuth 2.0 。 p>
I'm creating a Chrome extension popup and need login. For now, I will make my own authentication with a username and password, but what are best practices within an extension?
Here are my thoughts:
- I will make the login against a remote server using a post.
- Get a token back which I will keep in local storage for an amount of time.
- The popup should also have a register inside it
Is it good to keep it all inside the extension? This is where I want my users to be, and not in some website to register and so on.
The change from login to "home page" or the registration page, should this be done with messaging?
You should always use OAuth 2.0 for authentication within extensions. Never pass the username/password because an attacker can simply steal such information.
An example from Chromium regarding OAuth in extensions is Tutorial: OAuth.
Additionally, there's an experimental API available for OAuth 2.0, which is supposed to make the whole process a little easier. There's a comprehensive blog post, OAuth 2.0 from Chrome Extensions.
这篇关于Chrome扩展程序登录最佳做法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
