Safari Web Extension and Auth0 Log-in: the Good, the Bad and the Ugly

1 minute read

The Good

Simply works with Chrome as extension id is a stable identifier there, and you can regitser a callback url in Auth0 as constant string chrome-extension://xxxxxxxxxxxxxxxyyyyyyyyyyyyyzzzzzzzzzzzz/options.html.

The Bad

Safari makes a new extension id every time you install the extension (via companion app), so every time you build it in xcode and run — you get a new url, every user who installs extension — gets a new unique url. And Auth0 does not allow you to wildcard callback urls.

And the Ugly

Looking for a solution.

1. Add new extension ids to auth0’s callback_urls via my backend

Every time you open extension’s options page, it triggers a request to your backend and provides it’s extension id, and there you add it to a list of allowed callback_urls via auth0 management api. Bloody straight.

2. Redirect to an owned endpoint

So you launch authentication flow with redirect_to: https://my-backend/redirect. Which can then redirect to a specific options url which is unique safari-web-extension://XXXX-…..-XXXX/options.html. But you need to provide this XXXX-.....-XXXX extension id to your backend. And Auth0 does not allow you to parameterise the redirect_to callbacks either.

Note: there is only one wildcard supported by auth0, which is subdomain, so you can redirect to https://XXXX-…..-XXXX.my-backend/redirect, but that brings complexity to your backend hosting provider.

I thought that browser would hint the XXXX-.....-XXXX somehow (in Referer for example), but hi did not.

3. Login on your site and message access token to your extension

There is a way to send message from webpage to safari web extension, but that technique simply did not work. My question in apple support forum.

UPDATE: it works, but could be silently not working with non-SSL (http) or localhost or not production extension build (?) – it just appeared to be working with real domain name…

4. Login on your site and then window.open options page + #access-token=xyz

That should not expose the secret on the internet as browser should open extension options page netively. But Chrome blocks the page chrome-extension://djjiokkmnhkmccblpacjpegaaiebcmhm/options.html when you try to open it from the site, unless you specify the page in "web_accessible_resources"!

5. Login on your site, hide a div tag with secret on the page and find it with content script

Playing hide-and-seek, but that can work. Adding <div id="my-very-secret-message-to-my-extension" value="xyz" hidden="true"></div> on the site’s page after login, and query for it in content script.

Updated:

You May Also Enjoy

Booting EFI in QEMU

2 minute read

How you boot a disk.img (dd’d from a drive) with a EFI bootloader using QEMU.