1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
|
// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Use the <code>chrome.identity</code> API to get OAuth2 access tokens.
namespace identity {
dictionary AccountInfo {
// A unique identifier for the account. This ID will not change
// for the lifetime of the account.
DOMString id;
};
enum AccountStatus {
// Specifies that Sync is enabled for the primary account.
SYNC,
// Specifies the existence of a primary account, if any.
ANY
};
dictionary ProfileDetails {
// A status of the primary account signed into a profile whose
// <code>ProfileUserInfo</code> should be returned. Defaults to
// <code>SYNC</code> account status.
AccountStatus? accountStatus;
};
dictionary ProfileUserInfo {
// An email address for the user account signed into the current
// profile. Empty if the user is not signed in or the
// <code>identity.email</code> manifest permission is not
// specified.
DOMString email;
// A unique identifier for the account. This ID will not change
// for the lifetime of the account. Empty if the user is not
// signed in or (in M41+) the <code>identity.email</code>
// manifest permission is not specified.
DOMString id;
};
dictionary TokenDetails {
// Fetching a token may require the user to sign-in to Chrome, or
// approve the application's requested scopes. If the interactive
// flag is <code>true</code>, <code>getAuthToken</code> will
// prompt the user as necessary. When the flag is
// <code>false</code> or omitted, <code>getAuthToken</code> will
// return failure any time a prompt would be required.
boolean? interactive;
// The account ID whose token should be returned. If not specified, the
// function will use an account from the Chrome profile: the Sync account if
// there is one, or otherwise the first Google web account.
AccountInfo? account;
// A list of OAuth2 scopes to request.
//
// When the <code>scopes</code> field is present, it overrides the
// list of scopes specified in manifest.json.
DOMString[]? scopes;
// The <code>enableGranularPermissions</code> flag allows extensions to
// opt-in early to the granular permissions consent screen, in which
// requested permissions are granted or denied individually.
boolean? enableGranularPermissions;
};
dictionary InvalidTokenDetails {
// The specific token that should be removed from the cache.
DOMString token;
};
dictionary WebAuthFlowDetails {
// The URL that initiates the auth flow.
DOMString url;
// Whether to launch auth flow in interactive mode.
//
// Since some auth flows may immediately redirect to a result URL,
// <code>launchWebAuthFlow</code> hides its web view until the first
// navigation either redirects to the final URL, or finishes loading a page
// meant to be displayed.
//
// If the <code>interactive</code> flag is <code>true</code>, the window
// will be displayed when a page load completes. If the flag is
// <code>false</code> or omitted, <code>launchWebAuthFlow</code> will return
// with an error if the initial navigation does not complete the flow.
//
// For flows that use JavaScript for redirection,
// <code>abortOnLoadForNonInteractive</code> can be set to <code>false</code>
// in combination with setting <code>timeoutMsForNonInteractive</code> to give
// the page a chance to perform any redirects.
boolean? interactive;
// Whether to terminate <code>launchWebAuthFlow</code> for non-interactive
// requests after the page loads. This parameter does not affect interactive
// flows.
//
// When set to <code>true</code> (default) the flow will terminate
// immediately after the page loads. When set to <code>false</code>, the
// flow will only terminate after the
// <code>timeoutMsForNonInteractive</code> passes. This is useful for
// identity providers that use JavaScript to perform redirections after the
// page loads.
boolean? abortOnLoadForNonInteractive;
// The maximum amount of time, in miliseconds,
// <code>launchWebAuthFlow</code> is allowed to run in non-interactive mode
// in total. Only has an effect if <code>interactive</code> is
// <code>false</code>.
long? timeoutMsForNonInteractive;
};
dictionary GetAuthTokenResult {
// The specific token associated with the request.
DOMString? token;
// A list of OAuth2 scopes granted to the extension.
DOMString[]? grantedScopes;
};
callback GetAuthTokenCallback = void (GetAuthTokenResult result);
callback GetAccountsCallback = void (AccountInfo[] accounts);
callback GetProfileUserInfoCallback = void (ProfileUserInfo userInfo);
callback InvalidateAuthTokenCallback = void ();
callback ClearAllCachedAuthTokensCallback = void ();
callback LaunchWebAuthFlowCallback = void (optional DOMString responseUrl);
interface Functions {
// Retrieves a list of AccountInfo objects describing the accounts
// present on the profile.
//
// <code>getAccounts</code> is only supported on dev channel.
static void getAccounts(GetAccountsCallback callback);
// Gets an OAuth2 access token using the client ID and scopes
// specified in the <a
// href="/docs/apps/app_identity#update_manifest"><code>oauth2</code>
// section of manifest.json</a>.
//
// The Identity API caches access tokens in memory, so it's ok to
// call <code>getAuthToken</code> non-interactively any time a token is
// required. The token cache automatically handles expiration.
//
// For a good user experience it is important interactive token requests are
// initiated by UI in your app explaining what the authorization is for.
// Failing to do this will cause your users to get authorization requests,
// or Chrome sign in screens if they are not signed in, with with no
// context. In particular, do not use <code>getAuthToken</code>
// interactively when your app is first launched.
//
// Note: When called with a callback, instead of returning an object this
// function will return the two properties as separate arguments passed to
// the callback.
//
// |details| : Token options.
// |callback| : Called with an OAuth2 access token as specified by the
// manifest, or undefined if there was an error. The
// <code>grantedScopes</code> parameter is populated since Chrome 87. When
// available, this parameter contains the list of granted scopes
// corresponding with the returned token.
static void getAuthToken(
optional TokenDetails details,
optional GetAuthTokenCallback callback);
// Retrieves email address and obfuscated gaia id of the user
// signed into a profile.
//
// Requires the <code>identity.email</code> manifest permission. Otherwise,
// returns an empty result.
//
// This API is different from identity.getAccounts in two
// ways. The information returned is available offline, and it
// only applies to the primary account for the profile.
//
// |details|: Profile options.
// |callback|: Called with the <code>ProfileUserInfo</code> of the primary
// Chrome account, of an empty <code>ProfileUserInfo</code> if the account
// with given <code>details</code> doesn't exist.
static void getProfileUserInfo(
optional ProfileDetails details,
GetProfileUserInfoCallback callback);
// Removes an OAuth2 access token from the Identity API's token cache.
//
// If an access token is discovered to be invalid, it should be
// passed to removeCachedAuthToken to remove it from the
// cache. The app may then retrieve a fresh token with
// <code>getAuthToken</code>.
//
// |details| : Token information.
// |callback| : Called when the token has been removed from the cache.
static void removeCachedAuthToken(
InvalidTokenDetails details,
optional InvalidateAuthTokenCallback callback);
// Resets the state of the Identity API:
// <ul>
// <li>Removes all OAuth2 access tokens from the token cache</li>
// <li>Removes user's account preferences</li>
// <li>De-authorizes the user from all auth flows</li>
// </ul>
//
// |callback| : Called when the state has been cleared.
static void clearAllCachedAuthTokens(
ClearAllCachedAuthTokensCallback callback);
// Starts an auth flow at the specified URL.
//
// This method enables auth flows with non-Google identity
// providers by launching a web view and navigating it to the
// first URL in the provider's auth flow. When the provider
// redirects to a URL matching the pattern
// <code>https://<app-id>.chromiumapp.org/*</code>, the
// window will close, and the final redirect URL will be passed to
// the <var>callback</var> function.
//
// For a good user experience it is important interactive auth flows are
// initiated by UI in your app explaining what the authorization is for.
// Failing to do this will cause your users to get authorization requests
// with no context. In particular, do not launch an interactive auth flow
// when your app is first launched.
//
// |details| : WebAuth flow options.
// |callback| : Called with the URL redirected back to your application.
static void launchWebAuthFlow(
WebAuthFlowDetails details,
LaunchWebAuthFlowCallback callback);
// Generates a redirect URL to be used in |launchWebAuthFlow|.
//
// The generated URLs match the pattern
// <code>https://<app-id>.chromiumapp.org/*</code>.
//
// |path| : The path appended to the end of the generated URL.
[nocompile] static DOMString getRedirectURL(optional DOMString path);
};
interface Events {
// Fired when signin state changes for an account on the user's profile.
static void onSignInChanged(AccountInfo account, boolean signedIn);
};
};
|
