
Inconsistency: identity.clearAllCachedAuthTokens API availability #648

Closed
twschiller opened this issue Jun 27, 2024 · 7 comments
Labels
neutral: safari Not opposed or supportive from Safari

Comments


twschiller commented Jun 27, 2024

Description

  • The identity.clearAllCachedAuthTokens endpoint is inconsistently supported across browsers. It looks like it might only be available on Chrome?
  • What's the intended behavior of the method? Is it only for use in clearing the Google-specific token in Chrome?
  • It'd be good to get it added to MDN compatibility matrix, and for the MS Edge team to chime in on support

Documentation

Related Discussions

@twschiller twschiller changed the title Inconsistency: identity.clearAllCachedAuthTokens availability Inconsistency: identity.clearAllCachedAuthTokens API availability Jun 27, 2024
@github-actions github-actions bot added needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time needs-triage: safari Safari needs to assess this issue for the first time labels Jun 27, 2024
@xeenon xeenon added neutral: safari Not opposed or supportive from Safari and removed needs-triage: safari Safari needs to assess this issue for the first time labels Jun 29, 2024
mukul-p (Collaborator) commented Jul 4, 2024

Edge is not supporting this API. I'll work with internal teams to get the document updated.
A call to this API in Edge should give an error message.

@Rob--W Rob--W removed needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time labels Jul 4, 2024
Rob--W (Member) commented Jul 4, 2024

This is a Google/Chrome-only API.

There was a recent feature request for a similar API (identity.removeCachedAuthToken) in Firefox that I closed with an explanation. For more context, see https://bugzilla.mozilla.org/show_bug.cgi?id=1888889#c2

@Rob--W Rob--W closed this as completed Jul 4, 2024
twschiller (Author) commented Jul 5, 2024

@mukul-p @Rob--W To clarify, clearAllCachedAuthTokens and removeCachedAuthToken are only for use with the Google OAuth2 token obtained using getAuthToken (and are therefore only supported on Google Chrome)?

They're not for use with launchWebAuthFlow, which has cross-browser support? Is there any information/specification on what caching (if any) is performed with launchWebAuthFlow?

Rob--W (Member) commented Jul 8, 2024

> @mukul-p @Rob--W To clarify, clearAllCachedAuthTokens and removeCachedAuthToken are only for use with the Google OAuth2 token obtained using getAuthToken (and are therefore only supported on Google Chrome)?

Yes. Note that this only removes the token from the cache, it does not revoke it. If you want to revoke the token, an answer is available at https://stackoverflow.com/questions/17337107/google-packaged-app-identity-api-removecachedauthtoken. From the answer it is also apparent that the token is tied to Google's API.

> They're not for use with launchWebAuthFlow, which has cross-browser support?

Indeed.

> Is there any information/specification on what caching (if any) is performed with launchWebAuthFlow?

The regular browser cache is used. This is not explicitly documented. Documentation is at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/identity/launchWebAuthFlow and https://developer.chrome.com/docs/extensions/reference/api/identity#method-launchWebAuthFlow
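The distinction Rob--W draws above (the cache-clearing calls exist only in Chrome, and even there they do not revoke the token) is easy to get wrong in an extension's sign-out path. The following is an added example, not code from this issue or from any browser vendor, of a sign-out helper that feature-detects the Chrome-only identity methods and revokes the token at the provider first. It assumes the MV3 promise-returning form of `chrome.identity.*`, assumes Google's revocation endpoint is `https://oauth2.googleapis.com/revoke`, and takes `chromeApi`, `fetchImpl` and `revokeEndpoint` as injectable parameters (all hypothetical names) so it can be exercised outside a browser.

```javascript
// Added example (not from the issue, Chrome, Firefox or Edge): a sign-out
// helper for a WebExtension that copes with the inconsistency discussed above.
// chrome.identity.clearAllCachedAuthTokens exists only in Google Chrome, and
// even there it only drops the cached token; invalidating it is a separate
// request to the OAuth provider. chromeApi, fetchImpl and revokeEndpoint are
// injectable so the helper can run outside a browser.

// Assumption: Google's OAuth2 token revocation endpoint (RFC 7009 style).
const DEFAULT_REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke";

// Decide which cache-clearing call, if any, the running browser offers.
// Returns "clearAll" (Chrome), "removeOne" (Chrome exposing only the
// per-token method), or "none" (Firefox, Safari, Edge, or no identity
// namespace at all).
function cacheClearingStrategy(chromeApi) {
  const identity = chromeApi && chromeApi.identity;
  if (!identity) return "none";
  if (typeof identity.clearAllCachedAuthTokens === "function") return "clearAll";
  if (typeof identity.removeCachedAuthToken === "function") return "removeOne";
  return "none";
}

// Build the revocation request. Kept separate so it can be inspected
// without performing any network I/O.
function buildRevokeRequest(token, endpoint = DEFAULT_REVOKE_ENDPOINT) {
  return {
    url: endpoint,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({ token }).toString(),
    },
  };
}

// Full sign-out: revoke server-side first (the step that actually
// invalidates the credential), then clear whatever the browser cached.
// Every browser call is wrapped in try/catch because, as noted in the
// thread, Edge may expose the method but fail when it is called.
async function signOut({
  token,
  chromeApi = globalThis.chrome,
  fetchImpl = globalThis.fetch,
  revokeEndpoint = DEFAULT_REVOKE_ENDPOINT,
} = {}) {
  const result = {
    strategy: cacheClearingStrategy(chromeApi),
    revoked: false,
    cacheCleared: false,
    errors: [],
  };

  if (token) {
    try {
      const { url, init } = buildRevokeRequest(token, revokeEndpoint);
      const resp = await fetchImpl(url, init);
      result.revoked = resp.ok;
      if (!resp.ok) result.errors.push(`revoke: HTTP ${resp.status}`);
    } catch (err) {
      result.errors.push(`revoke: ${err.message}`);
    }
  }

  try {
    if (result.strategy === "clearAll") {
      await chromeApi.identity.clearAllCachedAuthTokens();
      result.cacheCleared = true;
    } else if (result.strategy === "removeOne" && token) {
      await chromeApi.identity.removeCachedAuthToken({ token });
      result.cacheCleared = true;
    }
    // "none": getAuthToken never cached anything here, so nothing to clear.
  } catch (err) {
    result.errors.push(`cache: ${err.message}`);
  }
  return result;
}
```

Revocation runs before cache clearing on purpose: if the provider request fails, the token is still live server-side, and `result.errors` carries that fact back to the caller instead of a sign-out that merely looks successful because the local cache is empty.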

twschiller (Author) commented Jul 9, 2024

Thanks for the clarification!

> From the answer it is also apparent that the token is tied to Google's API.

It'd be great if the Chrome team updated their documentation to clarify. In particular, clearAllCachedAuthTokens mentions "De-authorizes the user from all auth flows" which shares the "auth flow" terminology of web auth flow

Does the Chrome team have a way to suggest changes? (I just see an "Is it helpful" voting button)

> The regular browser cache is used.

Does that suggest we'd need to request cookies and clear out anything that might be related to client-side caching for launchWebAuthFlow? Or what would be getting cached for an OAuth2 PKCE flow?

Rob--W (Member) commented Jul 9, 2024

> Thanks for the clarification!
>
> > From the answer it is also apparent that the token is tied to Google's API.
>
> It'd be great if the Chrome team updated their documentation to clarify. In particular, clearAllCachedAuthTokens mentions "De-authorizes the user from all auth flows" which shares the "auth flow" terminology of web auth flow
>
> Does the Chrome team have a way to suggest changes? (I just see an "Is it helpful" voting button)

@oliverdunk ^

> > The regular browser cache is used.
>
> Does that suggest we'd need to request cookies and clear out anything that might be related to client-side caching for launchWebAuthFlow? Or what would be getting cached for an OAuth2 PKCE flow?

This is dependent on the OAuth provider. From the OAuth2 perspective, only the output (token) matters. Any potential side effects from the intermediate steps to get there are site-specific. E.g. the user could log in to some site, or even already be logged in. Unconditionally clearing cookie state is not really useful. I cannot offer more concrete advice here.

oliverdunk (Member) commented

> Does the Chrome team have a way to suggest changes? (I just see an "Is it helpful" voting button)

Hi @twschiller, you can use the "File a bug" link in the footer which goes here: https://issuetracker.google.com/issues/new?component=1400036&template=1897236

Please do file this, it seems like a good thing to clarify :)
