Microsoft Introduces New Publish API to Enhance Security of Edge Extensions
In a significant stride toward bolstering cybersecurity, Microsoft has unveiled a new Publish API for Microsoft Edge extensions. Part of the Microsoft Secure Future Initiative, this update is designed to enhance the security of extensions while streamlining the publishing process for developers.
The new Publish API introduces several pivotal security features:
- Enhanced API Key Generation
Previously, developers manually created secrets for authentication. With the new system, API keys are now automatically generated by Microsoft’s backend services. This shift means that ClientId and API Keys are regenerated for every developer, reducing the reliance on static credentials and minimizing potential security risks.
- Improved API Key Management
Instead of managing secrets through app registrations, the new approach involves creating and deleting hashes of API keys within the database. By not storing sensitive information directly, this method significantly enhances the security of the extension publishing process.
- Simplified Access Token URL
The requirement for developers to send an access token URL has been eliminated. The Access Token URL is now generated internally by Microsoft. While this change might necessitate updates to continuous integration and continuous deployment (CI/CD) pipeline configurations, it substantially reduces the risk of exposing sensitive data.
- Regular API Key Expiration
To further tighten security, API keys will now expire every 72 days, a notable reduction from the previous two-year expiration period. This frequent rotation ensures that compromised credentials have a limited window of opportunity for misuse. Developers will receive regular email notifications prior to the expiration of their API keys, prompting timely renewals.
The current Publish API page in Partner Center | Image: Microsoft
Transitioning to the new Publish API involves a few steps:
- Opt-In Through Partner Center
Developers can opt-in to the new API key management experience via the Partner Center. This action initiates the process and provides access to the updated features.
- Regenerate ClientId and API Keys
After opting in, you will need to regenerate your ClientId and API Keys. This step may require modifications to your authentication workflows to accommodate the new credentials.
- Update CI/CD Pipelines
Due to changes in the Access Token URL and API key, existing CI/CD pipelines may need reconfiguration. Ensuring these pipelines are updated is crucial for maintaining seamless automation in your development process.
For detailed guidance, refer to the official documentation: Using the REST API for updating Microsoft Edge Add-ons.
Understanding the potential impact on development workflows, Microsoft has made the new Publish API an opt-in experience. This approach allows developers to transition at their own pace. If necessary, you can also opt-out and revert to the previous system, although Microsoft strongly encourages adoption of the new, more secure API.
