Microsoft Edge Team
As part of our commitment to continuously improve our security methods and practices, we are excited to introduce changes to the Publish API for Edge extension developers. These changes are part of the Microsoft Secure Future Initiative and are designed to enhance the security of your extensions and streamline the extension publishing process. In this blog post, we'll walk you through the key security capabilities introduced with the new Publish API, how it differs from the current API, and how extension developers can easily opt in to and use the new experience.
Key security enhancements
The new Publish API delivers the following key enhancements:
- Enhanced API key generation
  Secrets are now API keys. With the new Publish API, the API key is generated automatically by our backend services. This means that the ClientId and API Keys are regenerated for every developer, therefore enhancing security by reducing dependency on static credentials.
- API key management
  Instead of creating and deleting secrets from the App registration, the new experience involves creating and deleting hashes of API keys in the database. This approach ensures that sensitive information is not stored directly, further enhancing security.
- Access token URL
  The new Publish API doesn't require sending an access token URL. The URL is now generated internally instead. Note that this change may require you to update your CI/CD pipeline configurations, but it greatly reduces the risk of exposing sensitive information.
- API key expiration
  API keys now expire every 72 days, compared to the previous 2-year expiration period. This change ensures that API keys are rotated more frequently, reducing the risk of compromised credentials. You will receive regular email notifications before your API key expires.
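To make the "hashes of API keys" and 72-day expiry points concrete, here is an added sketch of a key store that keeps only a hash of each key and rejects keys past their lifetime. It is not Microsoft's implementation: the `ApiKeyStore` class, the SHA-256 choice and the in-memory dictionary standing in for the database are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

KEY_LIFETIME = timedelta(days=72)  # expiry period stated in the post


def _digest(api_key: str) -> str:
    # A fast hash is acceptable here only because the key is 256 bits of
    # CSPRNG output, not a human-chosen password.
    return hashlib.sha256(api_key.encode()).hexdigest()


class ApiKeyStore:
    """Hypothetical store: keeps only key hashes, never the key itself."""

    def __init__(self):
        self._rows = {}  # client_id -> (key_hash, expires_at); stands in for a database

    def issue(self, now=None):
        """Generate a fresh ClientId and API key; the key is returned exactly once."""
        now = now or datetime.now(timezone.utc)
        client_id = secrets.token_hex(16)
        api_key = secrets.token_urlsafe(32)
        self._rows[client_id] = (_digest(api_key), now + KEY_LIFETIME)
        return client_id, api_key

    def verify(self, client_id, api_key, now=None):
        now = now or datetime.now(timezone.utc)
        row = self._rows.get(client_id)
        if row is None:
            return False
        key_hash, expires_at = row
        # Constant-time comparison avoids leaking how many hash characters matched.
        if not hmac.compare_digest(key_hash, _digest(api_key)):
            return False
        return now < expires_at

    def days_left(self, client_id, now=None):
        """Whole days until expiry; a CI job can warn when this gets low."""
        now = now or datetime.now(timezone.utc)
        return (self._rows[client_id][1] - now).days

    def revoke(self, client_id):
        """Deleting a key means deleting its hash row."""
        self._rows.pop(client_id, None)
```

Because only the digest is stored, a read of the table does not yield usable credentials, and a lost key cannot be recovered, only reissued.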
Get ready for the new Publish API experience
Using the new Publish API requires some development workflow changes. Here is how to get started:
- As a developer, you opt in to the new API key management experience in Partner Center.
- Next, regenerate your ClientId and secrets, which may require updates to your authentication workflows.
- Finally, reconfigure any existing CI/CD pipelines that may be impacted by the changes to access token URL and API key.