Get id_token using Chrome Identity APIs
I am developing a Google Chrome extension so that users can authenticate with their Google accounts. I decided to use Chrome Identity API
.
To authenticate a user in my application I need to get the ID_Token (signed token)
Is there a way to get OpenID Connect token with Google Chrome Identity API?
Thank you for your help!
source to share
This is an paste of my answer from another thread fooobar.com/questions/818604 / ...
I ran into the same problem yesterday, and since I found a solution, I might as well share it as it wasn't that obvious. As far as I know, Google does not provide a direct and documented way to do this, but you can use the function chrome.identity.launchWebAuthFlow()
.
First you need to create credentials Web application in Google Console and add the following the URL-address as valid Authorized redirect URI
: https://<EXTENSION_OR_APP_ID>.chromiumapp.org
. The URI doesn't have to exist, chrome will just intercept the redirect to that url and call your callback function later.
manifest.json
{ "manifest_version": 2, "name": "name", "description": "description", "version": "0.0.0.1", "background": { "scripts": ["background.js"] }, "permissions": [ "identity" ], "oauth2": { "client_id": "<CLIENT_ID>.apps.googleusercontent.com", "scopes": [ "openid", "email", "profile" ] } }
background.js
// Using chrome.identity var manifest = chrome.runtime.getManifest(); var clientId = encodeURIComponent(manifest.oauth2.client_id); var scopes = encodeURIComponent(manifest.oauth2.scopes.join(' ')); var redirectUri = encodeURIComponent('https://' + chrome.runtime.id + '.chromiumapp.org'); var url = 'https://accounts.google.com/o/oauth2/auth' + '?client_id=' + clientId + '&response_type=id_token' + '&access_type=offline' + '&redirect_uri=' + redirectUri + '&scope=' + scopes; chrome.identity.launchWebAuthFlow( { 'url': url, 'interactive':true }, function(redirectedTo) { if (chrome.runtime.lastError) { // Example: Authorization page could not be loaded. console.log(chrome.runtime.lastError.message); } else { var response = redirectedTo.split('#', 2)[1]; // Example: id_token=<YOUR_BELOVED_ID_TOKEN>&authuser=0&hd=<SOME.DOMAIN.PL>&session_state=<SESSION_SATE>&prompt=<PROMPT> console.log(response); } } );
Google OAuth2 API documentation (for OpenID Connect) can be found here: https://developers.google.com/identity/protocols/OpenIDConnect#authenticationuriparameters
PS: Unless you need the oauth2 section in the manifest. You can safely omit it and provide IDs and scopes only in your code.
EDIT: For those interested, you don't need an identification API. You can even access the token using a little tab API trick. The code is a little longer, but you have better error reporting and management. Keep in mind that in the following example, you need to create your Chrome App credentials .
manifest.json
{ "manifest_version": 2, "name": "name", "description": "description", "version": "0.0.0.1", "background": { "scripts": ["background.js"] }, "permissions": [ "tabs" ], "oauth2": { "client_id": "<CLIENT_ID>.apps.googleusercontent.com", "scopes": [ "openid", "email", "profile" ] } }
background.js
// Using chrome.tabs var manifest = chrome.runtime.getManifest(); var clientId = encodeURIComponent(manifest.oauth2.client_id); var scopes = encodeURIComponent(manifest.oauth2.scopes.join(' ')); var redirectUri = encodeURIComponent('urn:ietf:wg:oauth:2.0:oob:auto'); var url = 'https://accounts.google.com/o/oauth2/auth' + '?client_id=' + clientId + '&response_type=id_token' + '&access_type=offline' + '&redirect_uri=' + redirectUri + '&scope=' + scopes; var RESULT_PREFIX = ['Success', 'Denied', 'Error']; chrome.tabs.create({'url': 'about:blank'}, function(authenticationTab) { chrome.tabs.onUpdated.addListener(function googleAuthorizationHook(tabId, changeInfo, tab) { if (tabId === authenticationTab.id) { var titleParts = tab.title.split(' ', 2); var result = titleParts[0]; if (titleParts.length == 2 && RESULT_PREFIX.indexOf(result) >= 0) { chrome.tabs.onUpdated.removeListener(googleAuthorizationHook); chrome.tabs.remove(tabId); var response = titleParts[1]; switch (result) { case 'Success': // Example: id_token=<YOUR_BELOVED_ID_TOKEN>&authuser=0&hd=<SOME.DOMAIN.PL>&session_state=<SESSION_SATE>&prompt=<PROMPT> console.log(response); break; case 'Denied': // Example: error_subtype=access_denied&error=immediate_failed console.log(response); break; case 'Error': // Example: 400 (OAuth2 Error)!!1 console.log(response); break; } } } }); chrome.tabs.update(authenticationTab.id, {'url': url}); });
source to share