Issue with webAuthenticationProxy API

[yehudit osditcher]

Hello Chromium Extensions Team,

I am developing a Chrome extension and need to handle proxy authentication (e.g., 407 Proxy Authentication Required). I found references to the webAuthenticationProxy API, but I encountered the following challenges:

1. API Unavailability:
   The webAuthenticationProxy API is undefined at runtime, even after adding the required permissions ("webAuthenticationProxy") to my manifest.json.
   Example error:

   javascript

   Copy code

   Uncaught TypeError: Cannot read properties of undefined (reading 'hasListener')

2. Experimental Feature:
   I could not find an option to enable Experimental Extension APIs under chrome://flags in the latest stable version of Chrome. Does this API require enabling a specific flag or using a Chrome Dev/Beta channel?

3. Documentation:
   I reviewed the Chrome Extensions API documentation but could not find detailed information about the webAuthenticationProxy API or its current status.

Questions:

• Is the webAuthenticationProxy API currently available for use in stable Chrome versions?
• If not, is it experimental, and how can it be enabled for testing purposes?
• Are there alternative APIs or recommendations for handling proxy authentication (407 Proxy Authentication Required) in Chrome extensions?

Environment Details:

• Chrome Version:Version 131.0.6778.265 (Official Build) (arm64)
• Manifest Version: 3
• Dependencies: "@types/chrome": "^0.0.287"

Thank you for your guidance! Any documentation, examples, or timeline for the webAuthenticationProxy API would be greatly appreciated.

Best regards,
Judith.

[Patrick Kettner]

Hello Judith,

Can you share your code? Creating a very simple demo shows the API as existing

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/68f708ca-06c1-49c3-a766-4686aa295b1en%40chromium.org.

[yehudit osditcher]

Thank you for your reply Patrick.
My problem is that chrome.webAuthenticationProxy is not compiled in @types/chrome": "^0.0.287, the IDE also doesn't recognize it as part of the package.
I tries to write webAuthenticationProxy.d.ts of-course, it passed IDE but then the chrome could not load the extension properly (MV3, Chrome version 131.0.6778.265 (Official Build) (arm64) ). 

Thanks,
Judith.

 

ב-יום רביעי, 8 בינואר 2025 בשעה 17:11:13 UTC+2, Patrick Kettner כתב/ה:

[Oliver Dunk]

Hi Judith,

The `webAuthenticationProxy` isn't the right API for your use case. It is designed for specific situations where you need to add middleware to the Credential Management API.

For HTTP authentication, you should take a look at the webRequest.onAuthRequired API: https://developer.chrome.com/docs/extensions/reference/api/webRequest#event-onAuthRequired

Thanks,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/99a1161a-e14c-4e46-8392-658c33a9164cn%40chromium.org.

[yehudit osditcher]

Thank you Oliver for your reply.
I'll explain wha is the use case I m trying to handle:
My extension set a proxy for the browser traffic and the proxy uses Proxy Authorization protocol, meaning the extension should get 407 and then return credentials.
I was trying use webRequest.onAuthRequired.
The problem with this implementation is that not always the extension gets onAuthRequired events for some reason, and its not consistent.  
This is why I am trying to find a different way to deal with 407 CONNECT responses, perhaps one that will not miss the 407 events.

known bugs with onAuthRequired events:

https://issues.chromium.org/issues/40275804 - onAuthRequired not firing from service worker fetch.
https://issues.chromium.org/issues/40880379 - Proxy-related events are not triggered consistently.

Thanks,
Judith.

ב-יום חמישי, 9 בינואר 2025 בשעה 13:31:21 UTC+2, Oliver Dunk כתב/ה:

[Oliver Dunk]

That makes sense - I think you're using the right API for the job.

You mentioned that it is inconsistent - do you think there's anything you could do to get a better picture of when it does and doesn't work? That would be very helpful for trying to see if it is the same bug and what we should do next.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[yehudit osditcher]

Hello Oliver,

Hello,

Thank you for your response.
The inconsistent behavior does not follow an identifiable pattern based on my current testing.
A factor I’ve considered (but cannot confirm as root causes): After long time the extension is active the onAuthRequired event is fired less times.

 I’d like to provide additional details and clarify my observations about the inconsistent behavior of the chrome.webRequest.onAuthRequired listener.

Setup:

• I implemented the onAuthRequired listener at the top level of the background script to ensure it is always active.
• The listener avoids any asynchronous operations during execution to prevent delays or race conditions. (The token that is provided is updated periodically and stored locally - not in chrome local cache or something. The listener always builds the credentials callback with the local token, and we always log what it provides - and confirm it always a correct token)
• Detailed logging is included to trace when the event is fired and how it handles requests.

---

Observed Behavior:

1. The onAuthRequired listener works as expected in many cases, but it does not always fire when proxy authentication is required.
2. Using Wireshark, I recorded the traffic and noticed the following inconsistencies:
   • In some cases, the browser receives a CONNECT request but responds with an empty Proxy-Authorization header or fails to use the updated token provided by the listener.
   • When the event fires - which I can see in the logs, the token is always correct, and the authentication succeeds.

---

Insights into When It Works vs. Doesn't Work:

• The inconsistent behavior does not follow an identifiable pattern based on my current testing.
• Some factors I’ve considered (but cannot confirm as root causes):
  • Timing: After long time the extension is active the onAuthRequired event is fired less times.
    

---

Environment Details:

• Chrome Version: 131.0.6778.265 (Official Build) (arm64)
• Manifest Version: 3
• Permissions: "webRequest" (and other of course. but not relevant to this listener)
• Debugging Evidence: Wireshark logs confirm inconsistent triggering of the onAuthRequired event, with CONNECT requests missing or include old Proxy-Authorization header.

Questions and Next Steps:

1. Are there known limitations or edge cases where the onAuthRequired event might not fire as expected?
2. Could the behavior be influenced by specific environmental factors, such as network conditions, proxy server configurations, or request timing?
3. Are there alternative APIs or approaches I could explore for handling proxy authentication more reliably?
   

Thank you,

Judith.

ב-יום חמישי, 9 בינואר 2025 בשעה 14:32:41 UTC+2, Oliver Dunk כתב/ה:

[Oliver Dunk]

Thanks for sharing that writeup.

Are there known limitations or edge cases where the onAuthRequired event might not fire as expected?

I don't see a resolution on https://issues.chromium.org/issues/40275804 - onAuthRequired not firing from service worker fetch. So if you're seeing this when making fetch calls from a service worker, that may be related. Feel free to leave a comment on the bug if so.

We believe we have resolved https://issues.chromium.org/issues/40880379 - Proxy-related events are not triggered consistently. That sounds similar to your issue, but without steps to reproduce it's hard for us to make any further progress on it.

Could the behavior be influenced by specific environmental factors, such as network conditions, proxy server configurations, or request timing?

Without knowing the issue, it's hard to speculate on what the cause is. If I had to guess though I would say it is likely based on some subtle difference between the state of the browser / cookies / proxy auth etc in the working and non-working scenario. It seems less likely that something like request timing would be at play, although it's not impossible of course.

Are there alternative APIs or approaches I could explore for handling proxy authentication more reliably?

Unfortunately not, the API you're using is the right approach. 

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

[yehudit osditcher]

Thank you for the answers Oliver,

Judith.

ב-יום שישי, 10 בינואר 2025 בשעה 18:36:22 UTC+2, Oliver Dunk כתב/ה: