DEV Community: Saloni Kataria The latest articles on DEV Community by Saloni Kataria (@saloni28). https://dev.to/saloni28 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3408191%2Fa1fddb0f-7ae7-4873-a103-609a06143941.jpg DEV Community: Saloni Kataria https://dev.to/saloni28 en 3 Gotchas When Calling an IAP‑Protected Cloud Run API from a Chrome Extension (MV3) Saloni Kataria Fri, 19 Sep 2025 19:08:24 +0000 https://dev.to/saloni28/3-gotchas-when-calling-an-iap-protected-cloud-run-api-from-a-chrome-extension-mv3-mfa https://dev.to/saloni28/3-gotchas-when-calling-an-iap-protected-cloud-run-api-from-a-chrome-extension-mv3-mfa <blockquote> <p>This is a short, code‑first tutorial for developers. It assumes you already have a Cloud Run service and an OAuth2 Web Client. No business case study here—just the practical bits.</p> </blockquote> <h2> Summary </h2> <ul> <li>Use <code>chrome.identity.launchWebAuthFlow</code> to get a <strong>Google ID token</strong>.</li> <li>Send it as <code>Authorization: Bearer &lt;token&gt;</code> to your <strong>IAP/IAM‑protected</strong> Cloud Run endpoint.</li> <li>Verify the token <strong>audience</strong> on the server and cache tokens with a small expiry buffer on the client.</li> </ul> <h2> 1) Getting an ID token (MV3) </h2> <p><code>background.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">getIdToken</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">redirectUrl</span> <span class="o">=</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">identity</span><span class="p">.</span><span class="nf">getRedirectURL</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">u</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://accounts.google.com/o/oauth2/v2/auth</span><span class="dl">"</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">client_id</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">YOUR_OAUTH_CLIENT_ID.apps.googleusercontent.com</span><span class="dl">"</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">response_type</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">id_token</span><span class="dl">"</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">scope</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">openid email profile</span><span class="dl">"</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">redirect_uri</span><span class="dl">"</span><span class="p">,</span> <span class="nx">redirectUrl</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">nonce</span><span class="dl">"</span><span class="p">,</span> <span class="nc">String</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()));</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">prompt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">select_account</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">identity</span><span class="p">.</span><span class="nf">launchWebAuthFlow</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">u</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="na">interactive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">url</span><span class="p">).</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">idToken</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">id_token</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">idToken</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">No id_token returned</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="nx">idToken</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Mini‑cache (optional):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">decodePayload</span><span class="p">(</span><span class="nx">jwt</span><span class="p">){</span><span class="kd">const</span> <span class="nx">b</span><span class="o">=</span><span class="nx">jwt</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/-/g</span><span class="p">,</span><span class="dl">'</span><span class="s1">+</span><span class="dl">'</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/_/g</span><span class="p">,</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span><span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nf">atob</span><span class="p">(</span><span class="nx">b</span><span class="p">));}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getCachedIdToken</span><span class="p">(){</span> <span class="kd">const</span> <span class="nx">now</span><span class="o">=</span><span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span><span class="o">/</span><span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">token</span><span class="p">,</span><span class="nx">exp</span><span class="p">}</span><span class="o">=</span><span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">storage</span><span class="p">.</span><span class="nx">local</span><span class="p">.</span><span class="nf">get</span><span class="p">([</span><span class="dl">"</span><span class="s2">token</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="s2">exp</span><span class="dl">"</span><span class="p">]);</span> <span class="k">if</span><span class="p">(</span><span class="nx">token</span> <span class="o">&amp;&amp;</span> <span class="nx">exp</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">exp</span><span class="o">-</span><span class="mi">300</span><span class="p">)</span><span class="o">&gt;</span><span class="nx">now</span><span class="p">)</span> <span class="k">return</span> <span class="nx">token</span><span class="p">;</span> <span class="c1">// 5‑min buffer</span> <span class="kd">const</span> <span class="nx">fresh</span><span class="o">=</span><span class="k">await</span> <span class="nf">getIdToken</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span><span class="na">exp</span><span class="p">:</span><span class="nx">e</span><span class="p">}</span><span class="o">=</span><span class="nf">decodePayload</span><span class="p">(</span><span class="nx">fresh</span><span class="p">);</span> <span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">storage</span><span class="p">.</span><span class="nx">local</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span><span class="na">token</span><span class="p">:</span><span class="nx">fresh</span><span class="p">,</span> <span class="na">exp</span><span class="p">:</span><span class="nx">e</span><span class="p">});</span> <span class="k">return</span> <span class="nx">fresh</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> 2) Calling your API </h2> <p><code>popup.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">go</span><span class="dl">"</span><span class="p">).</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">click</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">runtime</span><span class="p">.</span><span class="nf">sendMessage</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET_TOKEN</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://YOUR‑SERVICE‑HASH‑ue.a.run.app/run-secure-endpoint</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Authorization</span><span class="dl">"</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="p">(</span><span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">tabs</span><span class="p">.</span><span class="nf">query</span><span class="p">({</span><span class="na">active</span><span class="p">:</span><span class="kc">true</span><span class="p">,</span><span class="na">currentWindow</span><span class="p">:</span><span class="kc">true</span><span class="p">}))[</span><span class="mi">0</span><span class="p">].</span><span class="nx">url</span> <span class="p">})</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">text</span><span class="p">());</span> <span class="p">});</span> </code></pre> </div> <p>And in <code>background.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">chrome</span><span class="p">.</span><span class="nx">runtime</span><span class="p">.</span><span class="nx">onMessage</span><span class="p">.</span><span class="nf">addListener</span><span class="p">((</span><span class="nx">m</span><span class="p">,</span><span class="nx">_</span><span class="p">,</span><span class="nx">send</span><span class="p">)</span><span class="o">=&gt;</span><span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="nx">m</span><span class="p">?.</span><span class="nx">type</span><span class="o">===</span><span class="dl">"</span><span class="s2">GET_TOKEN</span><span class="dl">"</span><span class="p">)</span> <span class="nf">getCachedIdToken</span><span class="p">().</span><span class="nf">then</span><span class="p">(</span><span class="nx">t</span><span class="o">=&gt;</span><span class="nf">send</span><span class="p">(</span><span class="nx">t</span><span class="p">)).</span><span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="o">=&gt;</span><span class="nf">send</span><span class="p">({</span><span class="na">error</span><span class="p">:</span><span class="nc">String</span><span class="p">(</span><span class="nx">e</span><span class="p">)}));</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <h2> 3) Verifying on Flask (Cloud Run) </h2> <p><code>main.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span> <span class="kn">from</span> <span class="n">google.oauth2</span> <span class="kn">import</span> <span class="n">id_token</span> <span class="kn">from</span> <span class="n">google.auth.transport</span> <span class="kn">import</span> <span class="n">requests</span> <span class="k">as</span> <span class="n">greq</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">IAP_AUDIENCE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">IAP_OAUTH_CLIENT_ID</span><span class="sh">"</span><span class="p">,</span><span class="sh">""</span><span class="p">)</span> <span class="c1"># set this for IAP </span> <span class="k">def</span> <span class="nf">verify_google_id_token</span><span class="p">(</span><span class="n">tok</span><span class="p">:</span><span class="nb">str</span><span class="p">)</span><span class="o">-&gt;</span><span class="nb">dict</span><span class="p">:</span> <span class="k">return</span> <span class="n">id_token</span><span class="p">.</span><span class="nf">verify_oauth2_token</span><span class="p">(</span><span class="n">tok</span><span class="p">,</span> <span class="n">greq</span><span class="p">.</span><span class="nc">Request</span><span class="p">(),</span> <span class="n">audience</span><span class="o">=</span><span class="n">IAP_AUDIENCE</span><span class="p">)</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/run-secure-endpoint</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">run_secure</span><span class="p">():</span> <span class="n">auth</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">,</span><span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">auth</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">Bearer </span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">missing bearer</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">verify_google_id_token</span><span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="nf">split</span><span class="p">()[</span><span class="mi">1</span><span class="p">])</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">invalid token</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">:</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)}),</span> <span class="mi">401</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">)})</span> </code></pre> </div> <h2> Common gotchas (and fixes) </h2> <ul> <li> <strong>401 with IAP:</strong> wrong audience. Use the <strong>IAP OAuth Client ID</strong> as <code>aud</code> when verifying. </li> <li> <strong>Empty <code>id_token</code>:</strong> check your OAuth2 client type (Web) and the redirect URI from <code>getRedirectURL()</code>. </li> <li> <strong>Tokens expiring mid‑session:</strong> cache with a small buffer (5 minutes) and refresh on demand. </li> <li> <strong>CORS:</strong> add <code>Access-Control-Allow-Origin</code> + <code>Authorization</code> header allowances if you call from content scripts or pages.</li> </ul> <h2> Minimal repo layout </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>repo/ ├─ extension/ (manifest.json, background.js, popup.{html,js}) └─ backend/ (main.py, requirements.txt, Dockerfile) </code></pre> </div> <p>That’s it—short and sweet. If you need a deeper walkthrough, look for my longer guide or case‑study later.</p> googlecloud tutorial javascript security How I Built a Chrome Extension That Connects Securely to a Flask Backend (with Google OAuth + Cloud Run) Saloni Kataria Sat, 02 Aug 2025 22:53:42 +0000 https://dev.to/saloni28/how-i-built-a-chrome-extension-that-connects-securely-to-a-flask-backend-with-google-oauth-cloud-1307 https://dev.to/saloni28/how-i-built-a-chrome-extension-that-connects-securely-to-a-flask-backend-with-google-oauth-cloud-1307 <blockquote> <p>This is a <strong>developer tutorial</strong>. It focuses on copy‑pasteable steps, code, and gotchas for MV3 extensions talking to <strong>IAP/IAM‑protected</strong> Cloud Run. (I have a separate trade‑journal case study aimed at analytics leaders.)</p> </blockquote> <h2> What you’ll build </h2> <p>A Chrome Extension (MV3) that signs in with <strong>Google OAuth2</strong> using <code>chrome.identity.launchWebAuthFlow</code>, obtains a <strong>Google ID token</strong>, and calls a <strong>Flask</strong> API on <strong>Cloud Run</strong> behind <strong>IAP/IAM</strong>. The backend verifies the token and (optionally) queries <strong>BigQuery</strong>.</p> <p><strong>High‑level flow</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Extension (MV3) → launchWebAuthFlow → Google OAuth2 → ID token (JWT) → fetch with Authorization: Bearer &lt;token&gt; → Cloud Run (Flask; IAP/IAM) → verify token audience → BigQuery (optional) </code></pre> </div> <h2> Prereqs </h2> <ul> <li>Chrome 121+ (MV3), a Google Cloud project</li> <li>A <strong>Web application</strong> OAuth2 client (client_id)</li> <li>A Cloud Run service (Flask) protected by <strong>IAP</strong> (preferred) or IAM</li> <li>Python 3.10+, <code>flask</code>, <code>google-cloud-bigquery</code>, <code>google-auth</code> </li> <li>Basic familiarity with JWTs and Cloud roles</li> </ul> <blockquote> <p><strong>Tip:</strong> If you use <strong>IAP</strong>, the token's <strong>audience</strong> must be the <em>IAP OAuth Client ID</em> for your Cloud Run service. If you use only IAM, the audience is often the service URL.</p> </blockquote> <h2> 1) Minimal MV3 setup </h2> <p><code>manifest.json</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"manifest_version"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Secure Cloud Run Caller"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"identity"</span><span class="p">,</span><span class="w"> </span><span class="s2">"storage"</span><span class="p">,</span><span class="w"> </span><span class="s2">"activeTab"</span><span class="p">,</span><span class="w"> </span><span class="s2">"scripting"</span><span class="p">],</span><span class="w"> </span><span class="nl">"oauth2"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_OAUTH_CLIENT_ID.apps.googleusercontent.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scopes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"openid"</span><span class="p">,</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="s2">"profile"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"background"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"service_worker"</span><span class="p">:</span><span class="w"> </span><span class="s2">"background.js"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"default_title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Secure Cloud Run Caller"</span><span class="p">,</span><span class="w"> </span><span class="nl">"default_popup"</span><span class="p">:</span><span class="w"> </span><span class="s2">"popup.html"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>popup.html</code> (skeleton)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;button</span> <span class="na">id=</span><span class="s">"go"</span><span class="nt">&gt;</span>Call API<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;pre</span> <span class="na">id=</span><span class="s">"out"</span><span class="nt">&gt;&lt;/pre&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"popup.js"</span><span class="nt">&gt;&lt;/script&gt;</span> </code></pre> </div> <h2> 2) Get an <strong>ID token</strong> with <code>launchWebAuthFlow</code> </h2> <p><code>background.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">getIdTokenInteractive</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">redirectUrl</span> <span class="o">=</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">identity</span><span class="p">.</span><span class="nf">getRedirectURL</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">u</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://accounts.google.com/o/oauth2/v2/auth</span><span class="dl">"</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">client_id</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">YOUR_OAUTH_CLIENT_ID.apps.googleusercontent.com</span><span class="dl">"</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">response_type</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">id_token</span><span class="dl">"</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">scope</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">openid email profile</span><span class="dl">"</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">redirect_uri</span><span class="dl">"</span><span class="p">,</span> <span class="nx">redirectUrl</span><span class="p">);</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">nonce</span><span class="dl">"</span><span class="p">,</span> <span class="nc">String</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()));</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">prompt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">select_account</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">identity</span><span class="p">.</span><span class="nf">launchWebAuthFlow</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">u</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="na">interactive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">url</span><span class="p">).</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="c1">// "id_token=...&amp;..."</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nx">hash</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">idToken</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">id_token</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">idToken</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">No id_token returned</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="nx">idToken</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Optional: cache tokens with an expiry buffer </h3> <p><code>background.js</code> (continued)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">decodeJwtPayload</span><span class="p">(</span><span class="nx">jwt</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nf">atob</span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/-/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">+</span><span class="dl">"</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/_/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">)));</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getCachedIdToken</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">cachedToken</span><span class="p">,</span> <span class="nx">cachedExp</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">storage</span><span class="p">.</span><span class="nx">local</span><span class="p">.</span><span class="nf">get</span><span class="p">([</span><span class="dl">"</span><span class="s2">cachedToken</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cachedExp</span><span class="dl">"</span><span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="nx">cachedToken</span> <span class="o">&amp;&amp;</span> <span class="nx">cachedExp</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">cachedExp</span> <span class="o">-</span> <span class="mi">300</span><span class="p">)</span> <span class="o">&gt;</span> <span class="nx">now</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 5‑min buffer</span> <span class="k">return</span> <span class="nx">cachedToken</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">fresh</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getIdTokenInteractive</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">exp</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">decodeJwtPayload</span><span class="p">(</span><span class="nx">fresh</span><span class="p">);</span> <span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">storage</span><span class="p">.</span><span class="nx">local</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="na">cachedToken</span><span class="p">:</span> <span class="nx">fresh</span><span class="p">,</span> <span class="na">cachedExp</span><span class="p">:</span> <span class="nx">exp</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">fresh</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> 3) Call the Cloud Run API </h2> <p><code>popup.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">go</span><span class="dl">"</span><span class="p">).</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">click</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">out</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">out</span><span class="dl">"</span><span class="p">);</span> <span class="nx">out</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Calling…</span><span class="dl">"</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">runtime</span><span class="p">.</span><span class="nf">sendMessage</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET_TOKEN</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://YOUR‑SERVICE‑HASH‑ue.a.run.app/run-secure-endpoint</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Authorization</span><span class="dl">"</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="p">(</span><span class="k">await</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">tabs</span><span class="p">.</span><span class="nf">query</span><span class="p">({</span> <span class="na">active</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">currentWindow</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}))[</span><span class="mi">0</span><span class="p">].</span><span class="nx">url</span> <span class="p">})</span> <span class="p">});</span> <span class="nx">out</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">res</span><span class="p">.</span><span class="nx">ok</span> <span class="p">?</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(),</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="p">:</span> <span class="s2">`HTTP </span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">out</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">e</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// in background.js</span> <span class="nx">chrome</span><span class="p">.</span><span class="nx">runtime</span><span class="p">.</span><span class="nx">onMessage</span><span class="p">.</span><span class="nf">addListener</span><span class="p">((</span><span class="nx">msg</span><span class="p">,</span> <span class="nx">_sender</span><span class="p">,</span> <span class="nx">sendResponse</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span><span class="p">?.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">GET_TOKEN</span><span class="dl">"</span><span class="p">)</span> <span class="nf">getCachedIdToken</span><span class="p">().</span><span class="nf">then</span><span class="p">(</span><span class="nx">t</span> <span class="o">=&gt;</span> <span class="nf">sendResponse</span><span class="p">(</span><span class="nx">t</span><span class="p">)).</span><span class="k">catch</span><span class="p">(</span><span class="nx">e</span> <span class="o">=&gt;</span> <span class="nf">sendResponse</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nc">String</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">}));</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="c1">// async</span> <span class="p">});</span> </code></pre> </div> <h2> 4) Flask on Cloud Run (verify the token) </h2> <p><code>main.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span> <span class="kn">from</span> <span class="n">google.oauth2</span> <span class="kn">import</span> <span class="n">id_token</span> <span class="kn">from</span> <span class="n">google.auth.transport</span> <span class="kn">import</span> <span class="n">requests</span> <span class="k">as</span> <span class="n">greq</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="c1"># If using IAP, set to the IAP OAuth client ID. Otherwise, expected audience (e.g., service URL). </span><span class="n">IAP_AUDIENCE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">IAP_OAUTH_CLIENT_ID</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">def</span> <span class="nf">verify_google_id_token</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Raises on failure; returns dict on success </span> <span class="k">return</span> <span class="n">id_token</span><span class="p">.</span><span class="nf">verify_oauth2_token</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">greq</span><span class="p">.</span><span class="nc">Request</span><span class="p">(),</span> <span class="n">audience</span><span class="o">=</span><span class="n">IAP_AUDIENCE</span><span class="p">)</span> <span class="nd">@app.after_request</span> <span class="k">def</span> <span class="nf">add_cors</span><span class="p">(</span><span class="n">resp</span><span class="p">):</span> <span class="n">allow</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">ALLOWED_ORIGIN</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">)</span> <span class="n">resp</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">allow</span> <span class="n">resp</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Access-Control-Allow-Headers</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Authorization, Content-Type</span><span class="sh">"</span> <span class="n">resp</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Access-Control-Allow-Methods</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">GET, POST, OPTIONS</span><span class="sh">"</span> <span class="k">return</span> <span class="n">resp</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/run-secure-endpoint</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">OPTIONS</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">run_secure</span><span class="p">():</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">OPTIONS</span><span class="sh">"</span><span class="p">:</span> <span class="nf">return </span><span class="p">(</span><span class="sh">""</span><span class="p">,</span> <span class="mi">204</span><span class="p">)</span> <span class="n">auth</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">auth</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">Bearer </span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">missing bearer token</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">verify_google_id_token</span><span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="nf">split</span><span class="p">()[</span><span class="mi">1</span><span class="p">])</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">invalid token</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)}),</span> <span class="mi">401</span> <span class="c1"># TODO: enforce domain, user allowlist, or role mapping here </span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">)})</span> </code></pre> </div> <h3> Optional: BigQuery example </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">bigquery</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/prices</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">prices</span><span class="p">():</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">Bearer </span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">auth</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="nf">verify_google_id_token</span><span class="p">(</span><span class="n">token</span><span class="p">.</span><span class="nf">split</span><span class="p">()[</span><span class="mi">1</span><span class="p">])</span> <span class="c1"># raises if bad </span> <span class="n">client</span> <span class="o">=</span> <span class="n">bigquery</span><span class="p">.</span><span class="nc">Client</span><span class="p">()</span> <span class="c1"># uses Cloud Run service account </span> <span class="n">rows</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT 1 AS ok</span><span class="sh">"</span><span class="p">).</span><span class="nf">result</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">rows</span><span class="sh">"</span><span class="p">:[</span><span class="nf">dict</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">rows</span><span class="p">]})</span> </code></pre> </div> <h2> 5) Troubleshooting 401s (quick fixes) </h2> <ul> <li> <strong>Wrong audience</strong> → For IAP, use the <em>IAP OAuth Client ID</em> as audience. </li> <li> <strong>Redirect URI mismatch</strong> → Add the extension redirect pattern via <code>chrome.identity.getRedirectURL()</code> to your OAuth client. </li> <li> <strong>Clock skew</strong> → Ensure system time is correct; add a 5‑minute buffer when caching tokens. </li> <li> <strong>CORS</strong> → Return the <code>Access-Control-*</code> headers shown above (or stricter). </li> <li> <strong>Roles</strong> → Caller must have <code>roles/run.invoker</code>; service account needs the minimal BigQuery roles. </li> <li> <strong>Mixed IAP/IAM confusion</strong> → Pick one model and configure its audience/headers consistently.</li> </ul> <h2> 6) Security checklist </h2> <ul> <li>[ ] No client secrets or long‑lived tokens in the extension </li> <li>[ ] Verify JWT <strong>aud</strong> and <strong>exp</strong> on the server </li> <li>[ ] Use <strong>allowlists</strong> (email/domain) before serving data </li> <li>[ ] Keep <strong>scopes</strong> minimal (<code>openid email profile</code>) </li> <li>[ ] Store tokens with an <strong>expiry buffer</strong>; refresh before use </li> <li>[ ] Keep Cloud Run <strong>service account</strong> least‑privileged; pull secrets from <strong>Secret Manager</strong> if needed</li> </ul> <h2> Repo layout (suggested) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>repo/ ├── extension/ │ ├── manifest.json │ ├── background.js │ └── popup.{html,js} └── backend/ ├── main.py ├── requirements.txt └── Dockerfile </code></pre> </div> <h2> Wrap‑up </h2> <p>You now have a working pattern for MV3 → OAuth2 <strong>ID token</strong> → IAP/IAM‑protected Cloud Run → Flask (→ BigQuery). From here you can add per‑route authorization, richer UI, and CI/CD. If you publish a case‑study version for non‑developers, link it as the canonical later.</p> <p><strong>Got questions or stuck on 401s?</strong> Comment here or ping me on GitHub <strong><a class="mentioned-user" href="https://dev.to/saloni28">@saloni28</a></strong>.</p> chromeextension oauth googlecloud programming Hi dev.to — I'm Saloni, and I build smart internal tools with data, cloud, and AI Saloni Kataria Sat, 02 Aug 2025 16:58:43 +0000 https://dev.to/saloni28/hi-devto-im-saloni-and-i-build-smart-internal-tools-with-data-cloud-and-ai-3e9h https://dev.to/saloni28/hi-devto-im-saloni-and-i-build-smart-internal-tools-with-data-cloud-and-ai-3e9h <p>👋 Hey dev.to! I'm Saloni — a data analyst who enjoys building tools that bridge analytics, engineering, and automation.</p> <p>Over the past year, I’ve stepped beyond dashboards and SQL to build internal products that make workflows smarter and faster. My favorite thing is stitching together systems across cloud, browser, and APIs — especially when no one else has tried it before.</p> <p>Some things I’ve recently worked on:</p> <ul> <li>A Chrome Extension powered by Google OAuth + Flask + BigQuery to fetch real-time pricing data</li> <li>A serverless pipeline that automates OpenAI-based classification using Cloud Run and BigQuery</li> <li>Infrastructure-as-code workflows with Spacelift + Terraform to manage CI/CD and deployment automation</li> </ul> <p>I’m starting this blog to share how I build — not just what, but why — and how other data people can ship powerful tools without waiting on traditional engineering teams.</p> <p>🔜 Coming soon:</p> <ul> <li><strong>Building a Chrome Extension with Google OAuth + Flask backend (Cloud Run)</strong></li> <li><strong>How I automated GPT-based product validation using BigQuery + OpenAI</strong></li> <li><strong>What I learned moving from SQL analyst to platform-level problem solver</strong></li> </ul> <p>If you're into applied AI, data + backend integration, internal tooling, or shipping fast with cloud platforms — follow along! Always happy to connect and learn from others building cool things.</p> <p>Let’s build 🛠️</p> programming ai automation cloud