Authentication
Whop OAuth from the extension's service worker.
The extension signs users in with Whop's OAuth, run entirely from the background service worker through chrome.identity.launchWebAuthFlow.
PKCE, no client secret
A Chrome extension can't keep a secret, so it uses PKCE. The worker generates a code verifier, a state, and a nonce, sends the S256 challenge to Whop's authorize endpoint, and exchanges the returned code for tokens.
Two details Whop requires:
- The token exchange body is JSON, not form-encoded.
- The `openid` scope requires a `nonce` on the authorize request.
The extension does not validate the returned id_token. The server independently re-fetches the user from /oauth/userinfo, and that server-side fetch is the real trust boundary.
Tokens
Tokens live in chrome.storage.local. The worker refreshes the access token a few minutes before it expires, and clears everything on logout. Because storage is unencrypted on disk, never put anything there you wouldn't put in a cookie.