Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


Chrome extension login best practices

I'm creating a Chrome extension popup and need login. For now, I will make my own authentication with a username and password, but what are best practices within an extension?

Here are my thoughts:

  • I will make the login against a remote server using a POST.
  • Get a token back which I will keep in local storage for an amount of time.
  • The popup should also have a register inside it.

Is it good to keep it all inside the extension? This is where I want my users to be, and not in some website to register and so on.

The change from login to "home page" or the registration page, should this be done with messaging?

Question from: https://stackoverflow.com/questions/7217137/chrome-extension-login-best-practices


1 Answer


You should always use OAuth 2.0 for authentication within extensions. Never pass the username/password because an attacker can simply steal such information.

An example from Chromium regarding OAuth in extensions is Tutorial: OAuth.

Additionally, there's an experimental API available for OAuth 2.0, which is supposed to make the whole process a little easier. There's a comprehensive blog post, OAuth 2.0 from Chrome Extensions.
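
The following is an added example, not part of the original answer or of the Chromium tutorial: a sketch of an OAuth 2.0 authorization-code login from a popup using `chrome.identity.launchWebAuthFlow`, with the `state` check on the redirect and an expiry stored alongside the token. The endpoint, client ID and helper names are assumptions made for illustration.

```javascript
// Added example. AUTH_ENDPOINT and CLIENT_ID are placeholders (assumptions).
const AUTH_ENDPOINT = "https://auth.example.com/oauth2/authorize";
const CLIENT_ID = "EXAMPLE_CLIENT_ID";

// Random single-use value that binds the redirect to this login attempt.
function newState(rand = (n) => crypto.getRandomValues(new Uint8Array(n))) {
  return Array.from(rand(16), (b) => b.toString(16).padStart(2, "0")).join("");
}

function buildAuthUrl(redirectUri, state) {
  const url = new URL(AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: "code", client_id: CLIENT_ID, redirect_uri: redirectUri, state,
  }).toString();
  return url.toString();
}

// Accept the redirect only if it targets our URI and echoes our state.
function parseRedirect(redirectedTo, redirectUri, expectedState) {
  const got = new URL(redirectedTo), want = new URL(redirectUri);
  if (got.origin !== want.origin || got.pathname !== want.pathname)
    throw new Error("unexpected redirect target");
  const p = got.searchParams;
  if (p.get("error")) throw new Error("authorization failed: " + p.get("error"));
  if (p.get("state") !== expectedState) throw new Error("state mismatch");
  if (!p.get("code")) throw new Error("missing authorization code");
  return p.get("code");
}

// Store an absolute expiry with the token so "an amount of time" is enforced.
function toTokenRecord(resp, nowMs = Date.now()) {
  return { accessToken: resp.access_token, expiresAt: nowMs + resp.expires_in * 1000 };
}
function isUsable(record, nowMs = Date.now(), skewMs = 30000) {
  return Boolean(record && record.accessToken) && nowMs + skewMs < record.expiresAt;
}

// Popup side; needs the "identity" permission. The password is typed on the
// provider's page, never into the extension. Code-for-token exchange not shown.
async function login() {
  const redirectUri = chrome.identity.getRedirectURL("oauth2");
  const state = newState();
  const redirectedTo = await chrome.identity.launchWebAuthFlow({
    url: buildAuthUrl(redirectUri, state), interactive: true,
  });
  return parseRedirect(redirectedTo, redirectUri, state);
}
```
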

