Search code examples
djangogoogle-chrome-extensionbrowser-extensionshibboleth

User authentication in browser extension (via Shibboleth)

I am trying to create a browser extension that authenticates users via Shibboleth--and I am wondering how to get the Shibboleth session into my extension so it works across all tabs / windows. I have not seen much about Shib online, so appreciate any guidance. My question is similar to this, but the authentication could occur in a separate tab (or should it occur in the extension window??).

These two SO questions point to some useful guidance on extensions in general, as well as some tips for handling security / login (for Firefox, and for Chrome). However, they both reference using a built-in library (like OAuth or Firefox Login Manager), where the user presents username / password to the extension directly. Since I am using Shibboleth, my use case seems different and I am not sure how to handle the process. My initial thoughts are:

  • User clicks a "Sign-in" button in the extension.
  • User is redirected to a login-page in a full window, not in the extension (like the eBay or Diigo browser extensions)
  • User logs in with Shibboleth credentials.
  • Server-side Django app does stuff...sets a session cookie--but is this accessible to the extension? In my testing, this seems to not work (i.e. my app is still not authenticated against the server, even if I authenticated within the same tab)
  • The extension looks for the session cookie, and if it finds it, treats the user as authenticated. ??
  • The extension is supposed to be like a bookmarklet tool (like Diigo)--can the "secure session" extend to any tabs / windows that the user opens? My understanding is no (because it is domain specific), but how do extensions (like eBay or Diigo) work across sites, then?

A broader way to ask my question would be: How do extensions like eBay or Diigo handle the user session? Both direct you to a "full window" login page in order to log in instead of using browser-specific extension libraries, but the extensions work across all tabs...

Also, would this process easily port across Safari / Firefox / Chrome?

Thanks!

Solution

  • Form my experience with joomla once user authenticated on main website you could start making XHR calls to the website from background page. Browser includes authentication cookies to all these requests. This approach worked for IE, Chrome, Firefox and Safari.