alexanderatallah / window.ai

Use your own AI models on the web
https://windowai.io
MIT License
782 stars 68 forks

RFC: Authentication Provider Architecture #37

Closed alexanderatallah closed 1 year ago

alexanderatallah commented 1 year ago

Requirements

  1. Flexible: Extension does not handle authentication or payment itself - it just uses credentials passed to it from providers, following a set standard. Users have their authentication experience on a web page outside of the extension.
  2. Decentralized: i.e. no direct dependencies in the Window codebase. Method #2 below is weak on this (since each new provider would need to be added manually in a window.ai PR), but seems very secure
  3. Secure: method #1 below (window.postMessage) seems to lack here, same with the query param. But it's possible to reduce this with e.g. refresh tokens and expiration times

Options

  1. Using window.postMessage to send it to the extension inside a content script
    1. eg https://github.com/nextauthjs/next-auth/discussions/6021
  2. Having the webpage message the extension directly, where the extension whitelists each website in the codebase
    1. eg https://developer.chrome.com/docs/extensions/mv3/messaging/#external-webpage
  3. Using a code in the query params to later obtain a JWT
    1. https://github.com/PlasmoHQ/gcp-refresh-token/tree/main
    2. Discussion: https://discord.com/channels/1091220969173028894/1096183356628156477/1098375784609087640
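The content-script side of option 1 (window.postMessage), as an added example that is not part of the window.ai codebase or of this RFC. It shows why a naive listener "lacks" on the Secure requirement (any script running in the page can post a credential to it) and what the mitigation sketched above looks like in code: an origin allowlist, a strict message shape, a short expiry with a maximum TTL, and expiry enforced again at use time. The provider origin (`https://provider.example`), the `windowai-credential` message type, the `accessToken`/`expiresAt` field names and the 15-minute TTL are assumptions for the demo; the constructed events stand in for real `MessageEvent` objects.

```javascript
// Added example, not window.ai project code. Provider origin, message type,
// field names and TTL are assumptions chosen for the demo.
const TRUSTED_PROVIDER_ORIGINS = new Set(["https://provider.example"]);
const MESSAGE_TYPE = "windowai-credential";
const MAX_TTL_MS = 15 * 60 * 1000; // refuse tokens that claim to live longer than this

// Weak version: trusts whatever any script in the page posts, no origin check, no expiry.
function weakCredentialHandler(event, store) {
  const msg = event.data;
  if (msg && msg.type === MESSAGE_TYPE) {
    store.token = msg.token;
    return true;
  }
  return false;
}

// Hardened version: origin allowlist, strict shape, bounded expiry, per-origin storage.
function hardenedCredentialHandler(event, store, now = Date.now()) {
  if (!TRUSTED_PROVIDER_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted-origin" };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || msg.type !== MESSAGE_TYPE) {
    return { ok: false, reason: "bad-shape" };
  }
  if (typeof msg.accessToken !== "string" || msg.accessToken.length === 0) {
    return { ok: false, reason: "bad-token" };
  }
  if (!Number.isSafeInteger(msg.expiresAt)) {
    return { ok: false, reason: "bad-expiry" };
  }
  if (msg.expiresAt <= now) {
    return { ok: false, reason: "expired" };
  }
  if (msg.expiresAt - now > MAX_TTL_MS) {
    return { ok: false, reason: "ttl-too-long" };
  }
  store.credentials.set(event.origin, { accessToken: msg.accessToken, expiresAt: msg.expiresAt });
  return { ok: true };
}

// Expiry is checked again at use time, so a token that went stale in storage is dropped.
function getCredential(store, origin, now = Date.now()) {
  const cred = store.credentials.get(origin);
  if (!cred) return null;
  if (cred.expiresAt <= now) {
    store.credentials.delete(origin);
    return null;
  }
  return cred;
}

function newStore() {
  return { credentials: new Map() };
}

// Real wiring inside a content script; skipped when run under Node.
if (typeof window !== "undefined") {
  const store = newStore();
  window.addEventListener("message", (event) => {
    // Only accept messages posted by this page's own window, not by frames.
    if (event.source !== window) return;
    hardenedCredentialHandler(event, store);
  });
}

// Constructed events for a demo run (not captured from a real provider).
function demo() {
  const now = 1700000000000;
  const store = newStore();
  const good = {
    origin: "https://provider.example",
    data: { type: MESSAGE_TYPE, accessToken: "tok-123", expiresAt: now + 60000 },
  };
  const spoofed = { origin: "https://evil.example", data: { ...good.data } };
  const longLived = {
    origin: "https://provider.example",
    data: { type: MESSAGE_TYPE, accessToken: "tok-long", expiresAt: now + 86400000 },
  };
  const usable = getCredentialAfter(store, good, now);
  return {
    weakAcceptsSpoofed: weakCredentialHandler(spoofed, {}),
    hardenedRejectsSpoofed: hardenedCredentialHandler(spoofed, store, now).reason,
    hardenedRejectsLongLived: hardenedCredentialHandler(longLived, store, now).reason,
    hardenedAcceptsGood: usable.accepted,
    tokenUsableNow: usable.token,
    tokenAfterExpiry: getCredential(store, "https://provider.example", now + 61000),
  };
}

function getCredentialAfter(store, event, now) {
  const accepted = hardenedCredentialHandler(event, store, now).ok;
  const cred = getCredential(store, event.origin, now);
  return { accepted, token: cred ? cred.accessToken : null };
}
```

Even the hardened listener only narrows the problem: `event.origin` is the origin of the page that posted, so any third-party script or XSS on an allowlisted provider page can still post a message that passes the check. That is the residual weakness of option 1 that the short TTL limits but does not remove. Option 2 moves the check out of page-controlled JavaScript: the provider origins go in the manifest's `externally_connectable.matches`, and the extension reads `sender.url` in `chrome.runtime.onMessageExternal` instead of trusting a postMessage origin, at the cost of the hard-coded allowlist noted under requirement 2.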