API to retrieve user email or well-known identifier on Enterprise deployments

[twschiller]

Background/Current Behavior

• Chrome offers a chrome.identity API that can be used to get the logged in email if the user has Chrome sync enabled. This requires the identity and identity.email permissions in the manifest
• The API is not available in Chromium forks (since Jan 2021): https://blog.chromium.org/2021/01/limiting-private-api-availability-in.html

Use Cases

• For compliance and security use cases, an enterprise admin needs to be able to configure settings based on the user entitlements/role. A browser extension needs to be able to alter its behavior without user action. (Because the user forget/chose not to enable the compliance extension; in enterprise deployments this may require content multiple times a day due to clean machine images at beginning of shifts)

Proposal

• Make the identity and identity.email permissions optional (and not require user action, see related issue "Runtime allowed hosts" on Enterprise to pre-grant optional host permissions without user action #260)
• Expose the browser.identity.getProfileUserInfo API to return the email

Alternatives/Workarounds

• An IT department configures options by Organization Unit in the managed storage for the browser extension. (Are there any good ways to configure extension managed storage at an individual level?)

Related Support Forum Threads

• Get email address of managed enterprise user?
• Tutorial for using chrome.enterprise apis
• https://stackoverflow.com/questions/46898503/chrome-identity-getprofileuserinfo-returns-empty-id

Related APIs

• https://developer.chrome.com/docs/extensions/reference/identity/#event-onSignInChanged