Improving the security of Microsoft Edge extensions with the new publishing API.

In an ongoing effort to improve security practices and methods, significant changes have been announced in the Publishing API for Edge extension developers as part of the Microsoft Secure Future Initiative. These modifications are designed to enhance the security of extensions and streamline the publishing process.

The new Publishing API introduces several key security improvements:

  1. Enhanced API key generation: With the new API, backend services generate API keys automatically, and the ClientId and API keys are regenerated for each developer. This reduces dependence on static credentials, thus strengthening security.

  2. API key management: Instead of creating and deleting secrets from the application registry, API key hashes are now managed in the database. Because only hashes are kept, the sensitive key material is not stored directly, which increases protection.

  3. Access token URL: The new Publishing API internally generates the access token URL, eliminating the need to send it externally. Although this may require updates to CI/CD pipeline configurations, it minimizes the risk of exposing confidential information.

  4. API key expiration: API keys will now expire every 72 days, compared to the previous two-year period. This ensures more frequent rotation of keys, reducing the risk of compromised credentials. Developers will receive email notifications before their API keys expire.
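
The pattern that items 1, 2 and 4 describe (backend-generated keys, hash-only storage, 72-day expiry) can be sketched as follows. This is an added example, not Microsoft's implementation: the class and method names are hypothetical, and unsalted SHA-256 over a high-entropy random key is an assumption, since the announcement does not name a hash algorithm.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

KEY_LIFETIME = timedelta(days=72)  # expiry period stated in the article

class ApiKeyStore:
    """Hypothetical backend store: keeps only key hashes, never the keys."""

    def __init__(self):
        self._records = {}  # client_id -> (sha256 hex digest, expiry time)

    def issue(self, now):
        """Generate a fresh ClientId and API key; persist only the hash."""
        client_id = secrets.token_hex(16)
        api_key = secrets.token_urlsafe(32)  # 256 bits of randomness
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        self._records[client_id] = (digest, now + KEY_LIFETIME)
        return client_id, api_key  # the key is shown to the developer once

    def verify(self, client_id, presented_key, now):
        """Return 'ok', 'expired' or 'invalid' for a presented credential."""
        record = self._records.get(client_id)
        if record is None:
            return "invalid"
        digest, expires_at = record
        presented = hashlib.sha256(presented_key.encode()).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(digest, presented):
            return "invalid"
        return "ok" if now < expires_at else "expired"

    def days_left(self, client_id, now):
        """Whole days until expiry, e.g. for a pipeline rotation reminder."""
        return (self._records[client_id][1] - now).days

    def stored_values(self):
        """What someone reading the database would see: digests only."""
        return [digest for digest, _ in self._records.values()]

if __name__ == "__main__":
    store = ApiKeyStore()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed date
    cid, key = store.issue(t0)
    print(store.verify(cid, key, t0 + timedelta(days=71)))  # ok
    print(store.verify(cid, key, t0 + timedelta(days=72)))  # expired
    print(key in store.stored_values())                     # False
```

On the developer side, the same expiry arithmetic is what a CI/CD job would use to fail early or warn when the configured key is close to its 72-day limit.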

The new look of the Publishing API page in Partner Center will reflect these changes, with a guided transition for developers who opt in to this new experience. To get started, developers will need to opt in to API key management in Partner Center, regenerate their ClientId and secrets, and reconfigure CI/CD pipelines as needed.

Microsoft has made the transition easier by allowing developers to voluntarily opt into the new experience. This gives them the flexibility to adapt their processes at their own pace. If needed, it is also possible to revert to the previous experience, although everyone is encouraged to adopt the new, more secure one.

These improvements to the Publishing API will not only provide greater protection for extensions, but also enhance the security of the publishing process. For inquiries or feedback, developers can contact Microsoft by opening an issue in the Microsoft Edge Extensions GitHub repository.

Referrer: MiMub in Spanish
