Authenticate a Chrome extension with a backend server using Google identity
Difference between access and ID tokens used for authentication
Authenticating the user of an extension is no more complicated than authenticating the user of a web site. Chrome extensions behave like web pages: when an extension sends an HTTP request, the browser attaches the applicable cookies just as it would for a page. Extensions also have the powerful chrome.identity API, which simplifies authentication.
In its tutorials Google recommends using an ID token to authenticate with the backend server. Strangely, though, it is not documented how an extension can obtain an ID token, and using an access token for authentication is not recommended anywhere.
In this post I explore how an extension can get an ID token and compare access and ID tokens in terms of their suitability for authenticating to a backend server.
To illustrate this post, I wrote a simple Chrome extension that uses the user's Google identity to log in to a backend service. The service provides sample data to authenticated users and rejects unauthenticated requests. The simplified service is based on Spring Boot with Spring Security, and it accepts either type of token to authenticate the user of the extension.
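As an added illustration of the comparison this post sets up (example code, not the extension or the Spring Boot service described here), the following shows the backend-side logic that tells a Google ID token apart from a Google access token and the claim checks a backend can make locally on the ID token. The client ID and both tokens are constructed placeholders, and signature verification against Google's published keys is left out.

```javascript
// Added example: distinguishing a Google ID token (a JWT the backend can
// decode and check) from a Google access token (an opaque string the
// backend can only validate by asking Google). The client ID and the
// sample tokens below are constructed placeholders, not real credentials.
// A real backend must also verify the JWT signature before trusting claims.

const EXTENSION_CLIENT_ID = 'placeholder-client-id.apps.googleusercontent.com';
const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decodeSegment = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// An ID token is a JWT: header.payload.signature, each base64url encoded.
// Anything that does not parse as such is treated as an opaque access token.
function classifyToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'access_token';
  try {
    const header = decodeSegment(parts[0]);
    return typeof header.alg === 'string' ? 'id_token' : 'access_token';
  } catch (e) {
    return 'access_token';
  }
}

// Claim checks a backend performs on an ID token (after signature verification):
// issued by Google, addressed to this extension's client ID, and not expired.
function checkIdTokenClaims(token, nowSeconds) {
  const payload = decodeSegment(token.split('.')[1]);
  if (!GOOGLE_ISSUERS.includes(payload.iss)) return { ok: false, reason: 'bad issuer' };
  if (payload.aud !== EXTENSION_CLIENT_ID) return { ok: false, reason: 'bad audience' };
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, subject: payload.sub };
}

// Constructed sample tokens: an unsigned ID token and an opaque access token.
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT', kid: 'constructed' }),
  b64url({ iss: 'https://accounts.google.com', aud: EXTENSION_CLIENT_ID,
           sub: '1234567890', email: 'user@example.com', iat: 1700000000, exp: 1700003600 }),
  'constructed-signature',
].join('.');
const SAMPLE_ACCESS_TOKEN = 'ya29.constructed-opaque-access-token';

module.exports = { classifyToken, checkIdTokenClaims, SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN };
```

The access token yields no claims at all, which is why a backend that accepts it must call Google to learn who the token belongs to, while the ID token's identity claims are checkable locally once its signature is verified.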