Get email address of managed enterprise user?


Todd Schiller

Aug 18, 2022, 8:23:23 PM
to Chromium Extensions
We're looking to retrieve the email address of the enterprise user in enterprise deployments of our extension without user interaction. 

Our extension is deployed using organization policy and includes a managed storage configuration. The managed storage configuration is per organizational unit.

We'd like to avoid adding the "identity" and "identity.email" permissions to our manifest because: 1) adding new permissions would require our users to re-activate our extension, and 2) we only need the email for certain enterprise deployments.

Any ideas? The other possibility seems to be:
  • Open a Google tab and scrape the account email from the account picker
Thanks,
Todd

Jackie Han

Aug 19, 2022, 4:32:13 AM
to Todd Schiller, Chromium Extensions
Your requirements are:
  • Without user interaction (that means can't use "optional_permissions")
  • Don't use "identity" and "identity.email" permissions
  • No new warning permissions
  • Only some organizations need this
It's really hard to meet all these!

One way I thought of is to let the domain administrator set a key-value pair in chrome.storage.managed. For example, "getUser" -> "A URL to get email". In the extension, fetch('that url') to get the current user's email. The organization should deploy this backend service (and allow CORS, so no new host permissions are needed).
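
Added example, not part of the original thread: a sketch of the extension side of this suggestion that validates the policy-supplied URL and the returned address before trusting either. The "getUser" key is from the post; the JSON response shape `{ "email": "..." }` and the function names are assumptions.

```javascript
// "getUser" is the managed-storage key named in the post above.
// The response body shape { "email": "..." } is an assumption.

// Accept only an absolute https URL without embedded credentials.
function validateEndpoint(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" || url.username || url.password) return null;
  return url;
}

// Accept only a single well-formed address, normalised to lower case.
function parseEmail(body) {
  const email = body && typeof body.email === "string" ? body.email.trim() : "";
  return /^[^\s@<>"]+@[^\s@<>"]+\.[^\s@<>"]+$/.test(email) ? email.toLowerCase() : null;
}

// storageArea: chrome.storage.managed in the extension; fetchImpl: fetch.
// Both are parameters so the logic can be exercised outside the browser.
async function getManagedUserEmail(storageArea, fetchImpl) {
  const items = await new Promise((resolve) => storageArea.get("getUser", resolve));
  const url = validateEndpoint(items && items.getUser);
  if (!url) return null; // policy not set for this organizational unit
  // A cross-origin fetch carries cookies only with credentials: "include",
  // and the response is readable only if the server answers with
  // Access-Control-Allow-Credentials: true and a non-wildcard
  // Access-Control-Allow-Origin.
  const res = await fetchImpl(url.href, { credentials: "include", redirect: "error" });
  if (!res.ok) return null;
  return parseEmail(await res.json());
}
```

In the extension this would be called as `getManagedUserEmail(chrome.storage.managed, fetch)`; a `null` result means the deployment has not configured the lookup or the response was rejected.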



Todd Schiller

Aug 19, 2022, 12:10:15 PM
to Jackie Han, Chromium Extensions
Thanks for the response, Jackie!

> One way I thought is let the domain administrator set a key-value in chrome.storage.managed

Thanks for the suggestion. The question though is how that URL/endpoint would have any additional information about the user's email beyond what the extension has? I guess Chrome would pass along any cookies that already exist for that domain (so the user would have to have already visited that domain to get the cookies)? Although I'm not sure it would since it's cross-origin?  

> Without user interaction (that means can't use "optional_permissions")

This is another area where Chromium's enterprise deployment story doesn't quite add up. In enterprise policies, there is a runtime_allowed_hosts setting. My understanding is that including a host there means the extension can ask for permissions without Chrome prompting the user? Or does/should Chrome still prompt?

> It's really hard to meet all these!

I'll raise an issue with the W3C WebExtensions group. It seems reasonable to want to 1) minimize required permissions, 2) give enterprises control required for security/compliance use cases.

Todd
