Stable, documented and secure Auth API #332

Open
yankovichv opened this issue Dec 5, 2022 · 2 comments
Labels
neutral: chrome (Not opposed or supportive from Chrome); neutral: firefox (Not opposed or supportive from Firefox); neutral: safari (Not opposed or supportive from Safari)

Comments

@yankovichv

Colleagues, I would like to know the vision of the group members about API authorization.

It seems to me that a simple authorization API is required by many developers. That being said, it must be safe out of the box.

However, at the moment, with the advent of V3, we are deprived of such a solution. Or is it unknown to me?

  1. Firebase does not support extensions on V3.
  2. Chrome.Identity is poorly documented and unstable. Developers don't want to work with it.
  3. I have already seen a couple of homemade solutions. But it seems to me that a refresh token in a cookie or even in Chrome Storage doesn't look secure enough.

What do you think? What is the best authorization solution at the moment? What is your vision for a better solution in the future? What's the priority?

I would probably be most happy with the support for V3 extensions from the Firebase team. Moreover, it is possible that within the initiative, they could support not only Auth but come up with something else for real-time Firestore sync.

@zombie
Collaborator

zombie commented Dec 8, 2022

> 2. Chrome.Identity is poorly documented and unstable. Developers don't want to work with it.

Can you provide more details of why this isn't enough for your use case? Is the documentation on MDN also insufficient?
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/identity

@yankovichv
Author

> 2. Chrome.Identity is poorly documented and unstable. Developers don't want to work with it.
>
> Can you provide more details of why this isn't enough for your use case? Is the documentation on MDN also insufficient? https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/identity

If we are talking about the identity.launchWebAuthFlow() method, then at the moment it is broken.

  1. It does not have access to the shared storage of cookies.
  2. The cookies that this method creates are session cookies and are deleted when the browser is closed.

Both of these points make the UX of this thread completely unacceptable.

If we are talking about identity.getAuthToken(), then:

  1. This method only works with Google.
  2. Required documentation is missing. It is not particularly clear how this method behaves offline.
  3. This method is broken, because for some reason it remembers the account with which the user logged in for the first time and then does not offer an account selection.

We worked with this method for six months but eventually gave up.

@Rob--W Rob--W added neutral: chrome Not opposed or supportive from Chrome neutral: safari Not opposed or supportive from Safari neutral: firefox Not opposed or supportive from Firefox and removed needs-triage labels Mar 2, 2023