Best practices for user authentication?

[JhaAman]

Hey! I love the near-webapp like experience developing with @crxjs/vite-plugin. But how would I setup user authentication? Specially with third-party providers like Google or Github - they have no URL to redirect to. How would that work?

I'm guessing that it can direct to any URL that the content matches to, and then the content can grab any tokens it needs from the URL without the user noticing.

But how do the rest of you deal with this?

[jacksteamdev]

Third-party login is not well supported, but it can be done. I know Firebase doesn't support MV3 Chrome Extensions for third-party login.

External URL

If you redirect to a website URL, the page can use external messages to pass a token to the extension. The message goes right to the extension background, so it is as secure as the page. You won't necessarily need a content script, the redirect page can access chrome.runtime.sendMessage if the extension declares the redirect page in the manifest under externally_connectable. See the Chrome Developer docs for more details.

Extension URL

A Chrome Extension page has a URL that uses the pattern chrome-extension://<extension_id>/some_page.html. You could redirect to this URL if your provider supports the chrome-extension scheme. The extension id is basically random for locally installed extensions. You can make it stable during development by using the key field in the manifest. Don't include the key in your production build.

[JhaAman]

Hey!

It actually seems to work pretty well with Supabase natively - haven't been logged out yet and everything else works just fine. But These are some really great resources, I didn't know about extension URL and I definitely have some needs for it. Thanks!

[jacksteamdev]

Supabase looks awesome! I haven't used it, but I sure will now. They are killing it with their docs.