Microsoft Introduces New Publish API to Enhance Security of Edge Extensions

The new Publish API page in Partner Center | Image: Microsoft

In a significant stride toward bolstering cybersecurity, Microsoft has unveiled a new Publish API for Microsoft Edge extensions. Part of the Microsoft Secure Future Initiative, this update is designed to enhance the security of extensions while streamlining the publishing process for developers.

The new Publish API introduces several pivotal security features:

  • Enhanced API Key Generation

Previously, developers manually created secrets for authentication. With the new system, API keys are now automatically generated by Microsoft’s backend services. This shift means that ClientId and API Keys are regenerated for every developer, reducing the reliance on static credentials and minimizing potential security risks.

  • Improved API Key Management

Instead of managing secrets through app registrations, the new approach involves creating and deleting hashes of API keys within the database. By not storing sensitive information directly, this method significantly enhances the security of the extension publishing process.

  • Simplified Access Token URL

The requirement for developers to send an access token URL has been eliminated. The Access Token URL is now generated internally by Microsoft. While this change might necessitate updates to continuous integration and continuous deployment (CI/CD) pipeline configurations, it substantially reduces the risk of exposing sensitive data.

  • Regular API Key Expiration

To further tighten security, API keys will now expire every 72 days, a notable reduction from the previous two-year expiration period. This frequent rotation ensures that compromised credentials have a limited window of opportunity for misuse. Developers will receive regular email notifications prior to the expiration of their API keys, prompting timely renewals.
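The hash-only key storage and 72-day expiry described in the list above, sketched as an added example; it is not Microsoft's implementation and not code from the original article. The class name `ApiKeyStore`, the choice of SHA-256, the key format and the sample client ID and date are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

KEY_LIFETIME = timedelta(days=72)  # expiry period stated in the article


class ApiKeyStore:
    """Hypothetical store: keeps a hash and an expiry per client, never the key."""

    def __init__(self):
        self._records = {}  # client_id -> (sha256 hex digest, expiry)

    def issue(self, client_id, now):
        """Generate a key server-side, store only its hash, return the key once."""
        api_key = secrets.token_urlsafe(32)  # 256 bits of randomness
        # Assumption: a plain SHA-256 is adequate because the key is high-entropy.
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        self._records[client_id] = (digest, now + KEY_LIFETIME)
        return api_key

    def revoke(self, client_id):
        """Deleting the stored hash is all it takes to invalidate the key."""
        self._records.pop(client_id, None)

    def verify(self, client_id, presented_key, now):
        record = self._records.get(client_id)
        if record is None:
            return False
        digest, expiry = record
        if now >= expiry:
            return False
        candidate = hashlib.sha256(presented_key.encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)  # constant-time compare

    def days_left(self, client_id, now):
        """Whole days until expiry; the basis for a renewal reminder."""
        _, expiry = self._records[client_id]
        return (expiry - now).days


if __name__ == "__main__":
    store = ApiKeyStore()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed date
    key = store.issue("client-demo", t0)
    print(store.verify("client-demo", key, t0 + timedelta(days=71)))  # True
    print(store.verify("client-demo", key, t0 + timedelta(days=72)))  # False
```

A leak of the stored records yields only digests, which cannot be replayed as credentials, and re-issuing a key overwrites the old digest so the previous key stops working immediately.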


The current Publish API page in Partner Center | Image: Microsoft

Transitioning to the new Publish API involves a few steps:

  1. Opt-In Through Partner Center

    Developers can opt in to the new API key management experience via the Partner Center. This action initiates the process and provides access to the updated features.

  2. Regenerate ClientId and API Keys

    After opting in, you will need to regenerate your ClientId and API Keys. This step may require modifications to your authentication workflows to accommodate the new credentials.

  3. Update CI/CD Pipelines

    Due to changes in the Access Token URL and API key, existing CI/CD pipelines may need reconfiguration. Ensuring these pipelines are updated is crucial for maintaining seamless automation in your development process.

For detailed guidance, refer to the official documentation: Using the REST API for updating Microsoft Edge Add-ons.

Understanding the potential impact on development workflows, Microsoft has made the new Publish API an opt-in experience. This approach allows developers to transition at their own pace. If necessary, you can also opt out and revert to the previous system, although Microsoft strongly encourages adoption of the new, more secure API.
