Okta Browser Plugin Permissions for Web Extensions

Okta Browser Plugin requires the following permissions in Chrome:

 

Permission Why Okta Browser Plugin needs it
tabs

To open a new tab when the user:

  • Clicks on an app on the popover. The plugin opens a new tab with the login url and signs the user in.
  • Wants to login to their admin dashboard using the admin link on the popover.
  • Wants to switch between their okta accounts using the account chooser feature.

  • Wants to allow disabling browser password prompts from the popover settings
cookies Because the plugin inherits the session ID and device token cookies from the end-user dashboard, which it uses to make its API calls for SWA. This enables the server to verify the user and make sure the POST requests are coming from a valid plugin user

https://*/

http://*/

To inject the content script into https:// web pages on the internet.

It enables the plugin to:

  • Detect if the page is a login page of interest.
  • Detect the okta home page and initialize the plugin to the logged in account
  • Change password for end users
  • Display anti-phishing warnings
management To access the chrome.management API.
privacy This is an optional permission that Okta end-users can opt into if they want to prevent browser extension prompts to save the passwords of their apps defined in Okta during single sign-on, given that the Okta extension is managing these particular passwords.
storage

To access the chrome.management , which is needed to store/access Okta third-party app metadata such as app login links, app logo links and other info that identifies the app. This data is cached in extension local storage to minimize server-side API calls for that metadata information.

unlimitedStorage Provides an unlimited quota for storing client-side Okta third-party app data, which has the potential to rarely exceed 5MB of local storage.
webRequest

The extension needs to hook into the request lifecycle to do various tasks required for single sign-on and identifying the extension to the end-user dashboard.
webRequestBlocking To detect whether the plugin is installed on the user's computer.
webNavigation We use this permission to detect when a DOM is loaded. After the DOM is loaded we inject the content scripts into the web page. This is required for the auto-login and SWA functionality to work correctly.