I am creating a Chrome extension, where I plan to use the OAuth2 client-side flow for authentication. As per the specs for both Google and Facebook, when I use the client-side flow, I get the access token as part of the hash part of the redirect_uri. Now my question is this: what if a rogue extension transfers that access token to another extension on some other machine, which then uses that access token to get user details? I am quite a novice with web development and OAuth and would appreciate it if somebody could clarify this doubt for me.
The Facebook OAuth2 implementation requires that you use SSL (https) which means that other people cannot see that token unless you explicitly give it to them outside of the browser itself (or using an evil plugin, as noted).
There’s a great post on this topic here: http://www.sociallipstick.com/?p=239