Resources / Extension Security

OAuth/OIDC best practices

Secure sign-in that respects MV3 constraints.

Flow

  • External auth page + redirect: use system browser/web flow; avoid embedded secrets in extension UI.
  • PKCE everywhere: code challenge/verifier for public clients.
  • Consent per scope: request narrow scopes tied to clear user actions.
  • Store minimal tokens: persist only what the client must know.

Token strategy

  • Short-lived access tokens: expire quickly; treat as disposable.
  • Refresh at backend: exchange/refresh server-side; issue new short-lived tokens to the client.
  • Rotate & revoke: support immediate revocation and periodic rotation; log token issuance.

Pitfalls

  • Secrets in client: never ship client IDs with embedded secrets or long-term refresh tokens.
  • Blanket scopes: avoid “*.*” style scopes; request least privilege with user-gesture gates.
  • Silent escalation: do not add scopes without explicit consent and visible UI.
Auth Flows Security Hardening