| 1 | +# Privacy Policy — OIDC Devtool |
| 2 | + |
| 3 | +**Last updated:** May 10, 2026 |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +OIDC Devtool is a Chrome DevTools extension that helps developers inspect and debug OIDC/OAuth2 authentication flows. **All data stays in your browser — nothing is transmitted to external servers.** |
| 8 | + |
| 9 | +## What Data Is Collected |
| 10 | + |
| 11 | +When the DevTools panel is open, the extension observes and captures: |
| 12 | + |
| 13 | +- **Network requests** — URLs, HTTP methods, status codes, headers, and response bodies for authentication-related requests (e.g. token endpoints, authorization endpoints, OIDC discovery) |
| 14 | +- **Authentication data** — OAuth2/OIDC tokens, authorization codes, client IDs, grant types, PKCE parameters, and flow state |
| 15 | +- **SDK events** — If the host application uses the optional `@wolfcola/devtools-bridge` package, the extension captures SDK node transitions, configuration, and flow metadata |
| 16 | +- **Session data** — Changes to cookies and localStorage keys related to authentication |
| 17 | +- **Web history** — URLs of network requests observed during authentication flows |
| 18 | + |
| 19 | +## How Data Is Stored |
| 20 | + |
| 21 | +- All data is stored **locally in your browser** using `chrome.storage.local` |
| 22 | +- Up to 5 user-initiated flow snapshots are stored locally |
| 23 | +- No data is synced to the cloud, sent to analytics services, or transmitted to any external server |
| 24 | + |
| 25 | +## How Data Is Used |
| 26 | + |
| 27 | +Captured data is used solely to: |
| 28 | + |
| 29 | +- Display authentication flow timelines, network details, and diagnostics in the DevTools panel |
| 30 | +- Identify CORS issues, missing OIDC parameters, and other auth misconfigurations |
| 31 | +- Allow developers to export flow data for debugging purposes |
| 32 | + |
| 33 | +## Data Export and Redaction |
| 34 | + |
| 35 | +When you export flow data (JSON or Markdown), sensitive fields are **automatically redacted**, including: |
| 36 | + |
| 37 | +- Bearer tokens, access tokens, refresh tokens, and ID tokens |
| 38 | +- Authorization codes |
| 39 | +- Cookies and Set-Cookie headers |
| 40 | +- Passwords, secrets, and credential callback values |
| 41 | + |
| 42 | +Exported files are written to your clipboard — they are not uploaded anywhere. |
| 43 | + |
| 44 | +## What Data Is NOT Collected |
| 45 | + |
| 46 | +- No personally identifiable information (names, emails, addresses) |
| 47 | +- No analytics, telemetry, or usage tracking |
| 48 | +- No data is sent to any external server, API, or third party |
| 49 | +- No user accounts or sign-in required |
| 50 | + |
| 51 | +## Permissions Explained |
| 52 | + |
| 53 | +| Permission | Why It's Needed | |
| 54 | +|---|---| |
| 55 | +| `storage` | Store captured flow data and snapshots locally in the browser | |
| 56 | +| `clipboardWrite` | Copy exported flow data to the clipboard | |
| 57 | +| `clipboardRead` | Paste imported flow data into the panel for analysis | |
| 58 | +| `host_permissions (<all_urls>)` | Observe authentication network requests across all origins, since OIDC flows involve redirects between multiple domains | |
| 59 | + |
| 60 | +## Third-Party Services |
| 61 | + |
| 62 | +This extension does not integrate with, send data to, or receive data from any third-party services. |
| 63 | + |
| 64 | +## Changes to This Policy |
| 65 | + |
| 66 | +Updates to this privacy policy will be reflected in this document with an updated date. |
| 67 | + |
| 68 | +## Contact |
| 69 | + |
| 70 | +If you have questions about this privacy policy, please open an issue at [https://github.com/ryanbas21/devtools/issues](https://github.com/ryanbas21/devtools/issues). |
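Review bot: the "What Data Is NOT Collected" section (line 46, "No personally identifiable information (names, emails, addresses)") contradicts what lines 13–17 say is captured: ID tokens, response bodies and request URLs routinely carry claims and parameters such as `email`, `name` or `login_hint`, so PII is in fact captured and written to `chrome.storage.local`, just not transmitted. Suggest rewording line 46 to say that the extension does not itself collect or transmit PII, but that any PII present in observed authentication traffic is stored locally with the rest of the capture, and adding a sentence to "How Data Is Stored" on how users can clear the retained snapshots (and whether they persist after the DevTools panel is closed), since line 22 only states the limit of 5. Also consider listing PKCE parameters (captured per line 14) explicitly in the redaction list on lines 37–40, as the `code_verifier` is a secret.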