Monday, October 17, 2022

[FIXED] How to revoke Identity API Token ( Chrome Extension )

 October 17, 2022     api, google-chrome-extension, google-oauth, javascript, oauth

Issue

I would like to add a Sign In with Google and a Sign Out button to my Chrome extension.

One technique that uses chrome.identity.getAuthToken for Sign In is described in this tutorial. It works great! When the button is clicked, it shows a popup for authentication and authorization.

But how should I implement the Sign Out button?

I tried to use the removeCachedAuthToken method in the on-click handler of my Sign Out button. With this, the sign-in functionality doesn't work as expected. Afterwards, when I pressed the Sign In button again, I got a new token directly without a popup asking the user to authenticate and authorize my extension. I would like users to be able to change their account by signing out. With this technique, that's not possible. How should I implement the sign out functionality to allow for this?


Solution

This has been bugging me too, until I realized that I got mixed up by the difference between sign-in and authorization, sign-out and revoking access.

First, let's not get caught up in the name of the button. You may call it Sign Out, but what you actually want to achieve is to let users revoke access for their Google Account, and then log in and grant access to a different account.

If you use removeCachedAuthToken, then authorize again, and see no popup, then that means the extension still has access to certain APIs. To check which apps have been granted access to which Google services, go to permission settings and have a look.

There are several ways to revoke access:

  1. Go to chrome://identity-internals/ and remove the tokens that you want. Then click on the Authorize button, and you should see a popup to choose the Google accounts to grant access.

Of course, that method is for testing only. Your end users won't see the access token for your extension if they visit that page.

  2. When the user clicks on the Revoke access button, or whatever you call it, display a popup that tells them to go to the permission settings page to manually revoke access.

  3. Create a form on the current web page, add the access token to the form, and submit it to the https://oauth2.googleapis.com/revoke endpoint.

From my experience, method 3 seems like an ideal solution, but it was hit and miss for me. Sometimes I would get an invalid or expired token error, and troubleshooting it is not worth it. I would stick with method for peace of mind.



Answered By - bytrangle
Answer Checked By - Candace Johnson (PHPFixing Volunteer)
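A sketch of the revoke-then-clear flow discussed in the answer, added here as an example and not taken from the original post. It sends the token in a POST body to the revoke endpoint the answer names, then calls removeCachedAuthToken even when revocation fails, so the stale token is never reused. It assumes the code runs in an extension page or service worker whose manifest grants host permission for https://oauth2.googleapis.com/; the names signOut, getCachedToken and the returned result fields are hypothetical.

```javascript
// Added example: sign-out that revokes the grant, then clears Chrome's cache.
const REVOKE_URL = "https://oauth2.googleapis.com/revoke"; // endpoint named in the answer

// Wrap the callback form of getAuthToken; interactive:false never opens a popup.
function getCachedToken(chromeApi) {
  return new Promise((resolve) => {
    chromeApi.identity.getAuthToken({ interactive: false }, (result) => {
      void chromeApi.runtime.lastError; // read it so Chrome does not log it as unchecked
      // Accept either a bare token string or a { token } result object.
      resolve(typeof result === "string" ? result : (result && result.token) || null);
    });
  });
}

// chromeApi and fetchImpl are injectable so the flow can be tested outside Chrome.
async function signOut(chromeApi = globalThis.chrome, fetchImpl = globalThis.fetch) {
  const token = await getCachedToken(chromeApi);
  if (!token) return { revoked: false, cacheCleared: false, reason: "no_cached_token" };

  let revoked = false;
  let reason = null;
  try {
    // Token goes in the form-encoded body, not the URL, so it stays out of URL logs.
    const res = await fetchImpl(REVOKE_URL, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({ token }).toString(),
    });
    revoked = res.ok;
    // The answer reports invalid/expired token errors here; keep the status for logging.
    if (!res.ok) reason = `revoke_http_${res.status}`;
  } catch (err) {
    reason = "network_error"; // the grant may still be live on the server side
  }

  // Always drop the local copy so the next sign-in cannot reuse this token.
  await new Promise((resolve) =>
    chromeApi.identity.removeCachedAuthToken({ token }, resolve));
  return { revoked, cacheCleared: true, reason };
}
```

When `revoked` is false the extension may still hold a grant for the account, so the next getAuthToken call can succeed without an account chooser; the manual permission-settings route from the answer remains the fallback.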