Okta Browser Plugin permissions for web extensions

Okta Browser Plugin requires the following permissions in Chrome:

Permission Why Okta Browser Plugin needs it
tabs

To open a new tab when the user performs the following tasks.

  • Clicks an app on the popup window. The plugin opens a new tab with the login URL and signs the user in.
  • Wants to sign in to their Admin Dashboard using the admin link on the popup window.
  • Wants to switch between their Okta accounts using the account chooser feature.
  • Wants to allow disabling browser password prompts from the popup window settings.

cookies

The plugin inherits the session ID and device token cookies from the End-User Dashboard and uses them to make its API calls for SWA. This enables the server to verify the user and ensure that the POST requests are coming from a valid plugin user.

https://*/

http://*/

To inject the content script into https:// web pages on the internet.

It enables the plugin to do the following:

  • Detect if the page is a login page of interest.
  • Detect the Okta home page and initialize the plugin to the logged-in account.
  • Change password for end users.
  • Display anti-phishing warnings.

management

To access the chrome.management API.

privacy

To prevent browser extension prompts to save the passwords of their apps defined in Okta during single sign-on. Given that the Okta extension manages these passwords, this is an optional permission that Okta end-users can opt into.

storage

To access the chrome.management API, to store and access Okta third-party app metadata that identifies the app. This data is cached in extension local storage to minimize server-side API calls for that metadata information.

unlimitedStorage

To provide an unlimited quota for storing client-side Okta third-party app data, which can, in rare cases, exceed 5 MB of local storage.

webRequest

To hook into the request lifecycle to do various tasks required for single sign-on and identifying the extension to the End-User Dashboard.

webRequestBlocking

To detect whether the plugin is installed on the user's computer.

webNavigation

To detect when a DOM is loaded. After the DOM is loaded, Okta Browser Plugin injects the content scripts into the web page. This is required for the auto-login and SWA functionality to work correctly.
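
The permission list above can be used as a baseline when reviewing an installed copy of the extension. The following is an added example, not Okta's code: it compares a manifest's declared permissions with the documented set and reports anything outside it. The sample manifest is constructed, auditManifest is a hypothetical helper name, and reading "optional" for privacy as "declared under optional_permissions" is an assumption.

```javascript
// Added example: audit a Chrome manifest against the permission list above.
// DOCUMENTED mirrors that list. Expecting "privacy" under optional_permissions
// is an assumption drawn from the page calling it an optional permission.
const DOCUMENTED = new Set([
  "tabs", "cookies", "https://*/", "http://*/", "management", "privacy",
  "storage", "unlimitedStorage", "webRequest", "webRequestBlocking",
  "webNavigation",
]);
const DOCUMENTED_OPTIONAL = new Set(["privacy"]);

// Host permissions are match patterns (scheme://host/path) or <all_urls>.
const isHostPattern = (p) =>
  p === "<all_urls>" || /^(\*|https?|file|ftp|wss?):\/\//.test(p);

function auditManifest(manifest) {
  const required = manifest.permissions || [];
  const optional = manifest.optional_permissions || [];
  const declared = new Set([...required, ...optional]);
  const undocumented = [...declared].filter((p) => !DOCUMENTED.has(p));
  return {
    // API permissions the page does not list or justify.
    undocumentedApis: undocumented.filter((p) => !isHostPattern(p)),
    // Host patterns beyond the two documented ones.
    undocumentedHosts: undocumented.filter(isHostPattern),
    // Documented permissions missing from this manifest (doc or build drift).
    notDeclared: [...DOCUMENTED].filter((p) => !declared.has(p)),
    // Opt-in permissions that would be granted at install time instead.
    optionalGrantedAtInstall: required.filter((p) => DOCUMENTED_OPTIONAL.has(p)),
  };
}

// Constructed sample manifest (not the plugin's real manifest.json).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  permissions: ["tabs", "cookies", "https://*/", "http://*/", "management",
    "storage", "unlimitedStorage", "webRequest", "webRequestBlocking",
    "webNavigation", "privacy", "history", "<all_urls>"],
  optional_permissions: [],
};

console.log(auditManifest(SAMPLE_MANIFEST));
```

Any entry in undocumentedApis or undocumentedHosts is a permission the extension holds with no stated justification on this page and is the first thing to question in a review.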