Better login experience

[angelo-v]

Explore how to login via chrome extension instead of the webpage domain, so that the user does not have to give permission to each and every site he or she clips

https://stackoverflow.com/questions/35770897/how-do-chromiumapp-org-extension-redirects-work-for-google-chrome

https://developer.chrome.com/docs/extensions/reference/identity/#method-launchWebAuthFlow

[ejbyne]

The links look interesting!

[angelo-v]

Insights so far:

• we managed to get an auth code in the callback function of launchWebAuthFlow after doing a manual dynamic client registration and providing the authorization url with client_id to launchWebAuthFlow

chrome.identity.launchWebAuthFlow(
            {
              url: 'https://solidweb.me/idp/auth?client_id=<client-id>&redirect_uri=https://<app-id>.chromiumapp.org/&scope=openid&response_type=code&response_mode=query&nonce=<nonce>',
              interactive: true,
            },
            (...args) => {
              console.log('auth callback', args);
            }
          );

• In principle we could fork the inrupt auth client to support chrome extension login via chrome.identity.launchWebAuthFlow instead of a real redirect and then continue with the rest of the auth flow in the callback

Follow up questions:

• [x] Where do we perform the login, if that works as described above: popup / options page / background script?
• [x] does the origin based ACL work with the extension URL?
• [x] is a cross origin request from extension to webpage possible?
• [x] if not, can we send a large amount of data from content script to popup (or wherever the auth session resides)?
• [x] How often do we need to re-login with this procedure? Does the session survive opening / closing the popup? What if the token expires?
• [x] Can we use a refresh token to refresh an expired session, so the user does not have to re-login at all

[angelo-v]

Proof of concept of the chrome.identity.launchWebAuthFlow-based auth flow is in https://github.com/codecentric/web-clip/pull/12

[angelo-v]

Regarding message size limits https://stackoverflow.com/a/31928402

[angelo-v]

does the origin based ACL work with the extension URL?

• accessing private resources works from options page

  • tested private reading from NSS and CSS
  • tested private writing to NSS
  • the options page does not send an origin at all

• accessing private resources works from background script

  • background script sends Origin: chrome-extension://<app-id>
  • CSS does not implement trusted apps and writing to private file works
  • NSS does not work out of the box, since the origin is untrusted
  • IDEA: use the options page (which has no origin) to initially configure the trust relation

is a cross origin request from extension to webpage possible?

• works, since the options page does not send an origin
• also works from the background script

Where do we perform the login: popup / options page / background script?

I would personally stick to having the UI within the content page, since this looks nicer and is more flexible than the extension popup. The login and data processing and interaction with the pod can move to the background script and be triggered by a message.

if not, can we send a large amount of data from content script to popup (or wherever the auth session resides)?

obsolete, since CORS is possible

How often do we need to re-login with this procedure?

The session lives in the background script and stays active until the script is reloaded somehow, e.g. when browser is restarted, or extension is reloaded.

Does the session survive opening / closing the popup?

Yes, the session can be re-used in multiple tabs 🎉

What if the token expires?

Not tested yet, but I would guess we just need to re-login and it is save to leave this as a known unknown so far. A token from solidweb.me is valid 1 hour.

Can we use a refresh token to refresh an expired session, so the user does not have to re-login at all

The inrupt authn library does not provide a refresh token, so it is at least not straight forword. Could be a follow-up improvement, even without refresh the login experience will be already much better with the described measures.