Okta Browser Plugin: Plugin permissions for Chrome extensions

The Okta Browser Plugin requires several permissions to work properly with Google Chrome-based browser extensions.

Permission Required
tabs

The plugin uses this permission to open a new tab in the following scenarios:

  • When the user selects an app on the pop-up window. The plugin opens a new tab to the application URL and signs in the user
  • When the user wants to sign in to their Admin Console through the Admin link on the pop-up window
  • When the user wants to switch between their Okta accounts using the account chooser feature
  • When the user wants to allow disabling browser password prompts from the pop-up window settings

cookies

To inherit the session ID and device token cookies from the Okta End-User Dashboard. The plugin uses these cookies to make API calls for SWA applications. This permission lets the server verify the user and confirm that POST requests come from a valid plugin user.

https://*/

http://*/

To inject the content script into secure web pages on the internet.

It enables the plugin to do the following things:

  • Detect if the page is a sign-in page of interest
  • Detect the Okta home page and initialize the plugin for the sign-in account
  • Change a password for end users
  • Display anti-phishing warnings

management

To access the chrome.management API.

privacy

To prevent browser extensions from prompting to save application passwords during single sign-on (SSO) operations. This is an optional permission that Okta end users can opt into if they choose, as the Okta extension manages these particular passwords.

storage

To access the chrome.management setting. Okta stores and accesses third-party app metadata in this location. This includes app login links, app logo links, and other info that identifies the app. Okta caches the data in the extension's local storage to minimize server-side API calls for that metadata information.

unlimitedStorage

To provide an unlimited quota for storing client-side Okta third-party app data. This rarely exceeds 5 MB of local storage.

webRequest

To hook into the request lifecycle to perform any tasks required for SSO and to identify the extension to the Okta End-User Dashboard.

webRequestBlocking

To detect if the user's system has the plugin installed.

webNavigation

To detect when the browser loads the Document Object Model (DOM). After the DOM is loaded, Okta injects the content scripts into the web page. Okta requires this permission for the automatic sign-in and SWA functionality to work correctly.
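
The list above can serve as a baseline when reviewing what an installed extension actually requests. The following is an added example, not Okta's code: it compares a manifest's permissions with the ones documented on this page and flags anything extra, anything missing, and an opt-in permission that is granted at install time. The sample manifest, its name and the function names are constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest against the permissions
// documented on this page. Run with Node.js.

// Permissions listed on this page. "privacy" is documented as optional.
const DOCUMENTED = new Set([
  "tabs", "cookies", "https://*/", "http://*/", "management", "privacy",
  "storage", "unlimitedStorage", "webRequest", "webRequestBlocking",
  "webNavigation",
]);
const DOCUMENTED_OPTIONAL = new Set(["privacy"]);

// Collect permission strings from the given manifest keys, so that both the
// Manifest V2 and Manifest V3 key layouts are covered.
function collect(manifest, keys) {
  return keys.flatMap((k) => (Array.isArray(manifest[k]) ? manifest[k] : []));
}

function auditManifest(manifest) {
  const required = collect(manifest, ["permissions", "host_permissions"]);
  const optional = collect(manifest,
    ["optional_permissions", "optional_host_permissions"]);
  const requested = new Set([...required, ...optional]);
  return {
    // Requested by the extension but not described on this page.
    undocumented: [...requested].filter((p) => !DOCUMENTED.has(p)).sort(),
    // Described on this page but absent from the manifest.
    notRequested: [...DOCUMENTED].filter((p) => !requested.has(p)).sort(),
    // Documented as opt-in, yet requested at install time.
    optionalButRequired: required.filter((p) => DOCUMENTED_OPTIONAL.has(p)).sort(),
  };
}

// Constructed sample manifest (not the real plugin's manifest).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "example-sso-plugin",
  permissions: ["tabs", "cookies", "https://*/", "http://*/", "management",
    "storage", "unlimitedStorage", "webRequest", "webRequestBlocking",
    "webNavigation", "privacy", "clipboardRead"],
  optional_permissions: [],
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

For the constructed sample, the audit reports `clipboardRead` as undocumented and `privacy` as requested at install time instead of being opt-in.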