Saqib Ali

Secure handling of OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets

I would like to get some ideas on how to properly handle the Salesforce OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets. Chrome extensions are essentially JavaScript wrapped up in a zip-compatible format. If I need to build an extension that calls Salesforce APIs on behalf of the user, I have to embed the Salesforce-generated App OAuth Consumer Key and Secret in JavaScript for the extension. This creates the possibility of disclosure of the OAuth Consumer Key and Secret, and possible misuse.


I am curious as to how other developers are handling these OAuth Consumer Keys and Secrets in installed apps.


Google provides anonymous Consumer Keys and Secrets for installed apps that need to access Google APIs. However, Salesforce doesn't provide a similar OAuth setup. Is this on the roadmap for the Salesforce OAuth 2.0 implementation?




Hi Saqib,


We use OAuth to handle secure authentication for the Chrome Extension for Cirrus Insight, the top ranked integration between Salesforce and Gmail on the Salesforce AppExchange.


Here's a link to our security page: http://www.cirrusinsight.com/features/security/


Please feel free to get in touch with us if you have any questions.