OAuth Redirect URL in (the new) Safari Web Extension

Question

Created Dec ’20

Replies 5

Boosts 0

Views 4.6k

Participants 4

I am porting my chrome extension to Safari. The extension requires the user to sign-in and I use the OAuth code flow, which requires a redirect url.
In Chrome, I can use chrome.runtime.getURL('/mypage.html') as a redirect url because in chrome the extension id is never changed.
In Safari, however, the extension id keeps changing in every (xcode) build. This is similar to the behaviour of Firefox but in Firefox, I can use browser.identity.getRedirectURL(). Although not reachable, it guarantees to stay the same.
As in Safari, there is NO browser.identity and safari-web-extension:// is blocked by Safari, what url can I use as a redirect URL?

Boost

Answer 1

Engineer OP

Apple

Jan ’21

You should be able to use chrome.runtime.getURL or browser.runtime.getURL in Safari to get this information.

Did this not work for you? What do you mean by "safari-web-extension:// is blocked by Safari"?

Thanks!

0

Answer 2

here_nerd OP

Jan ’21

Thank you bweinstein for your reply.

I can use chrome.runtime.getURL in safari. That will return a url like 'safari-web-extension://<random-per-xcode-build-id>/'.

I need such a URL in order to configure an oidc-client configuration in my backend such that after a successful login, the user will be redirected to this url -- hence the name redirect url.

The problem is when I use 'safari-web-extension://<random-per-xcode-build-id>/' as the redirect url and it gets redirected (302) by the oidc server, Safari does not allow a redirect to a custom scheme ('safari-web-extension') url. This is what I meant by 'blocking'. This causes a problem for an oidc code flow in general. And I cannot believe I am the only one having this issue. Please help.

Thanks.

0

Answer 3

here_nerd OP

Feb ’21

Accepted Answer

As a workaround, you may use whatever reachable URL as an OAuth redirect URL and use webRequest.onBeforeRedirect to capture the redirect attempt and 'force redirect' e.g. by tabs.update.

Although this will work, it is far from being elegant. It could even be error-prone. While Firefox offers a decent solution for this, why safari can't / doesn't. So, if it is an intention for Safari not to support this workflow, I would like to submit my post as a change request because this is so common usecase. (or please suggest where I can submit a change request for this???)

0

Answer 4

papegaaij OP

Apr ’23

Unfortunately, the proposed workaround cannot be used with manifest v3. The webRequest API is not available from non-persistent background pages (or service workers) and v3 forbids persistent background pages. The declarativeNetRequest allows redirecting to a path in your extension, but via this route the original request is not available. A workaround for this is to redirect using a regexSubstitution. This works fine in Chrome, but not in Safari, because redirects to safari-web-extension:// are blocked. I've filed a bug report for this: https://bugs.webkit.org/show_bug.cgi?id=256054 . As it stands now, I see no way of implementing an OAuth2 redirection flow in a manifest v3 extension on Safari.

1

Answer 5

here_nerd OP

Oct ’24

for @rtolton, this is an example code:

browser.tabs.onUpdated.addListener((tabId, changeInfo, tab) => { 
    if (changeInfo.url && changeInfo.url === 'your-reachable-redirect-url') { 
        // do your post sign-in ceremony 
        // e.g. take authCode from the query param, etc. 
    } 
})

0