Secure OAuth user key and privacy handling in Chrome extensions and Gmail gadgets

I would like to get some ideas on how to properly handle the Salesforce OAuth consumer key and secret in Chrome extensions and Gmail gadgets. Chrome extensions are essentially JavaScript wrapped in a zip-compatible format. If I need to create an extension that calls the Salesforce API on behalf of the user, I must embed the OAuth consumer key and secret in the extension's JavaScript. This creates the possibility of disclosing the key, compromising OAuth users' privacy, and enabling abuse.

I'm curious how other developers handle these OAuth user keys and secrets in Chrome extensions.

Google provides anonymous consumer keys and secrets for Chrome extensions that need to access the Google APIs. However, Salesforce does not provide a similar OAuth configuration. Is this on the roadmap for the Salesforce OAuth 2.0 implementation?

+5
1 answer

Here are a few options.

1) Run a proxy on your own server, which keeps the secrets there and restricts the valid methods through your own API. It will also allow you to update your API keys in minutes instead of the potential days it takes to push an updated extension.

2) Obfuscate the secrets in the extension/gadget code. You can make them harder to find, but with Chrome it's easy to display the keys in the Developer Tools tab.

3) , , , .

Salesforce, , , , , , .

+4
