I have an api which uses OAuth 1.0a to authenticate applications using it. It’s replacing an old api which used a number of custom built and hodge-podge calls which are being deprecated.

It’s well known that OAuth 1.0a is not secure in (client-side) Javascript since it relies on the consumer secret being kept secret. Which is not possible since the source is always viewable.

We have browser extensions for Chrome, Firefox, IE and Safari which need to use this api in the future. These extensions are all written largely or entirely in Javascript, and hence the problem of security.

These extensions are in-house and so can have custom authentication methods to get their access tokens.

What I’m planning on implementing is the following:

• The user logs into the website in the browser.
• The website issues them a cookie with a session key.
• Our extension then takes that cookie and passes it to the api.
• The api validates that it is a valid & active session and issues the extension its access tokens.
• These tokens last for a maximum of one hour before they expire.
• There will also be lower rate limits on the javascript issued cookies.

It operates under the following assumptions:

• If another application has access to your cookies, then they can impersonate you on the website anyway, so access to the api is no different.
• All authentication methods still go through our control.
• Regular expiry of tokens means that if they are compromised then there is a limited time for exploitation.

My question is, is this a secure method of restricting access to the api?
Are there any better ones?

A couple of notes.
I know for a fact that chrome extensions can ask for permission to access your cookies for a given site. I believe firefox extensions can do so too.

Obviously we don’t want our cookies accessible via javascript on any page otherwise we’d expose ourselves to XSS attacks, so they need to only be accessible via extensions.