
Authenticate Chrome extension with non-Google API using Google account


I work for an educational institution which is making heavy use of Google Apps and now ChromeOS devices. A project we've embarked upon is to develop a Chrome extension (possibly multiple) which will duplicate functionality we have in the Windows environment. These will be used only within our domain and on our devices, not available generally.

We have an HTTP/JSON-based API built in-house which provides various details such as reminders and other stuff from our MIS (again, built in-house) and can provide popups with this information and so on. It's possible to make sure the API knows who the current user is via NTLM authentication under Windows.

I need some way of the API being able to know who the user is when accessing from a Chrome device. This means the extension needs to be able to tell the API who the user is in a secure manner. If the API can establish the logged in user's Google Apps email address, it can determine who the person is from our database. My question is, how do I achieve this?

Some solutions that have been considered and rejected:

  • Have the extension simply tell the API the current user's email address
    Rejected due to the fact it could be easily faked. This must be secure.
  • Ask the user for their Active Directory credentials instead
    The extension should be able to operate without user input - we can authorise the extension against the Google Apps domain on users' behalf.

In addition the Google OAuth 2.0 for login seems to be specific to websites which are presented in a browser. This needs to be handled silently.

I understand that this is a very vague question, but any recommendations or examples of very similar problems being solved would be appreciated. The core of it is this: how can I have a Chrome extension authenticate with a non-Google API using Google credentials? (The API can be extended to support this in any way necessary.)


Some further details:

  • Our API is .NET-based
  • The Chrome extension will run on our devices within the College only and these devices will be registered to our domain. Only users within that domain will be logged on and running the extension.

Solution

  • You can do the following:

    1. In the Google Cloud Console, create an API credential for a Chrome extension.

    How to create a Chrome extension client id in the Google Cloud Console

    2. In the Chrome extension, use the Identity API to obtain an authentication token for this application and send it to your API. You only need this scope: https://www.googleapis.com/auth/userinfo.email

    3. On your API side, every time you receive a token, access the following URL (replace the access token in the example with the one sent by the extension):

      https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.iAXXXXXXXXXXXXXXi-mrflhzc-X-U14eb

    You will get something like this:

    {
     "issued_to": "407408718192.apps.googleusercontent.com",
     "audience": "407408718192.apps.googleusercontent.com",
     "user_id": "1170123456778279183758",
     "scope": "https://www.googleapis.com/auth/userinfo.email",
     "expires_in": 3585,
     "email": "someone@yourdomain.com",
     "verified_email": true,
     "access_type": "offline"
    }

    Make sure that the audience is the Chrome client id (very important), and you have the email!
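As an added example (not code from the answer or the asker's project), the API-side check the answer describes: it is written in JavaScript for Node rather than the asker's .NET so it runs stand-alone, but the same rules apply in the .NET API. The client id and e-mail address are taken from the answer's sample tokeninfo response; the function names, the domain constant and the fetch-based lookup are assumptions of this example.

```javascript
// Server-side validation of Google's tokeninfo response (constructed example).
// The answer's essential rule is enforced here: the audience must be OUR
// extension's client id, otherwise a valid token minted for any other Google
// application could be replayed against this API and impersonate its user.
const EXPECTED_CLIENT_ID = "407408718192.apps.googleusercontent.com"; // from the answer's sample
const ALLOWED_DOMAIN = "yourdomain.com";                              // assumed Google Apps domain
const REQUIRED_SCOPE = "https://www.googleapis.com/auth/userinfo.email";

// Returns the verified e-mail address, or throws if the token must not be trusted.
function verifyTokenInfo(info, expectedClientId = EXPECTED_CLIENT_ID, allowedDomain = ALLOWED_DOMAIN) {
  if (!info || typeof info !== "object") throw new Error("empty tokeninfo response");
  if (info.error) throw new Error(`tokeninfo error: ${info.error}`);
  if (info.audience !== expectedClientId) throw new Error("audience mismatch");
  if (!String(info.scope || "").split(" ").includes(REQUIRED_SCOPE)) throw new Error("email scope missing");
  if (!(Number(info.expires_in) > 0)) throw new Error("token expired");
  if (info.verified_email !== true || typeof info.email !== "string") throw new Error("email not verified");
  const email = info.email.trim().toLowerCase();
  const at = email.lastIndexOf("@");
  // Only accounts in our own Google Apps domain map to people in the MIS database.
  if (at < 0 || email.slice(at + 1) !== allowedDomain.toLowerCase()) throw new Error("email outside our domain");
  return email;
}

// Calls the tokeninfo URL quoted in the answer, then applies the checks above.
// fetchImpl is injectable so the function can be exercised without network access.
async function lookupUserEmail(accessToken, fetchImpl = globalThis.fetch) {
  const url = "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=" + encodeURIComponent(accessToken);
  const res = await fetchImpl(url);
  return verifyTokenInfo(await res.json());
}

// Constructed sample responses, shaped like the one quoted in the answer.
const SAMPLE_OK = {
  issued_to: EXPECTED_CLIENT_ID, audience: EXPECTED_CLIENT_ID, user_id: "1170123456778279183758",
  scope: REQUIRED_SCOPE, expires_in: 3585, email: "someone@yourdomain.com",
  verified_email: true, access_type: "offline",
};
// Same user, but the token was issued to a different application: must be rejected.
const SAMPLE_WRONG_AUDIENCE = { ...SAMPLE_OK, audience: "999999999999.apps.googleusercontent.com" };

if (typeof require !== "undefined" && require.main === module) {
  console.log("accepted:", verifyTokenInfo(SAMPLE_OK));
  try { verifyTokenInfo(SAMPLE_WRONG_AUDIENCE); } catch (e) { console.log("rejected:", e.message); }
}
```

In the real API the token arrives from the extension (for instance in an Authorization header) and the returned e-mail is then looked up in the MIS database; the lookup should also be rate-limited or cached, since every request costs a call to Google.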