Secure handling of OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets

Question

I would like to get some ideas on to properly handle Salesforce OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets. Chrome extensions are essentially Javascript wrapped up in a zip compatible format. If I need to build an extension that calls Salesforce APIs on behalf of the user, I have to embed the Salesforce generated App OAuth Consumer Key and Secret in Javascript for the extension. This creates the possibility of disclosure of the OAuth Consumer Key and Secret, and possible misuse.

I am curious as to how other developers are handling these OAuth Consumer Key and Secrets in Chrome Extensions.

Google provides anonymous Consumer Keys and Secrets for Chrome Extensions that need to access Google APIs. However, Salesforce doesn't provide similar OAuth setup. Is this on the roadmap for the Salesforce OAuth 2.0 implementation?

Answer 1

Following are the two ways by which you can do so:

1. You can run a proxy via your own server which protects the limits and secrets that allow methods through your own API. You can also update the API keys in moments rather than potential days to refresh an extension

2. Obscure the secrets in the gadget code. It may be difficult to find but, in Chrome, it will be fairly easier to pick out the keys in dev tools network tab.

3. Make sure no original damage is done using the secrets.

Do you want to build a career in Salesforce? Enroll in this Salesforce training course to start your journey!