Closed Bug 1131660 Opened 9 years ago Closed 9 years ago

Need FxA relier client production creds for Fx Firstrun tests (Need by Feb 11 2015)

Categories

(Cloud Services :: Operations: Miscellaneous, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jpetto, Assigned: ckolos)

References

Details

We will be running a test for a small percentage of users (see bug 1128726) and need production creds for the FxA relier client.

We need access to production from staging (https://www.allizom.org) and prod (https://www.mozilla.org). If possible, it would be nice to test from dev (https://www-dev.allizom.org/) as well.

Thanks!
Assignee: nobody → ckolos
Blocks: 1128726
We are launching the small sampled test on Feb 12 2015. We will do a code review and QA phase on Feb 11th, thus we will need the client id by the 11th.

Thanks, Chris!
Summary: Need FxA relier client production creds for Fx Firstrun tests → Need FxA relier client production creds for Fx Firstrun tests (Need by Feb 11 2015)
:ckolos, r+ on this request. 

However, :jpetto in order for :ckolos to generate credentials he needs:

1) A service name. The login flow you've integrated with will say "Continue to <service name>". In the demo service it's set to "Firefox Firstrun (demo5)". We need the production version in this bug for :ckolos.

2) A redirect_uri for the OAuth flow. Also, in this bug please.

It's our policy to only provide encrypted credentials to the operations team running your service. Please provide the email and GPG key of this person.
Flags: needinfo?(jon)
Component: FxAccounts → Operations
Product: Core → Mozilla Services
> 1) A service name. The login flow you've integrated with will say "Continue
> to <service name>". In the demo service it's set to "Firefox Firstrun
> (demo5)". We need the production version in this bug for :ckolos.

Service name should be:

Firefox Setup

> 
> 2) A redirect_uri for the OAuth flow. Also, in this bug please.

We aren't doing any actual redirection, so could the redirectUri just be the root of the associated domain?

https://www-dev.allizom.org/
https://www.allizom.org/
https://www.mozilla.org/

> 
> It's our policy to only provide encrypted credentials to the operations team
> running your service. Please provide the email and GPG key of this person.

I believe the webops person doing the work will depend on when the keys are ready. Will needinfo :cyliang, who may be the best point of contact (and can forward to whomever is assigned to set the keys).

I was thinking we would put the production key in our base settings file[1] and have it overridden in local settings only on stage and dev. Should we instead plan to have the key in each server's (prod, stage, dev) local settings file and leave it out of source control?

[1] - https://github.com/mozilla/bedrock/blob/bug-1128726-fx-firstrun-experiments/bedrock/settings/base.py#L1499
Flags: needinfo?(jon)
Flags: needinfo?(cliang)
Flags: needinfo?(ckarlof)
Requirements around your client_secret:

1) The production client_secret must never be your code's source control.
2) The production client_secret must never leave your back end server. In particular, it should never be provided to the web page or client code implementing the first run experience.

client_id and redirect_uri are essentially public, so they can be stored anywhere.
Flags: needinfo?(ckarlof)
If the keys come out before before 2 PM EST today, you can encrypt the info to the key I have up at keys.mozilla.org. 

If the keys come out after that, your best bet is to send them to Jake Maul.  His key is also available at keys.mozilla.org
Flags: needinfo?(cliang)
:cyliang - your key on gpg.m.o isn't usable for me to encrypt these:

gpg: cyliang@uiuc.edu: skipped: Unusable public key

I'm guessing b/c it's only 1024 bits?
Flags: needinfo?(cliang)
You probably want my Mozilla key: pub  2048R/9A326461 2011-11-08.

The UIUC key is undoubtably expired. =)
Flags: needinfo?(cliang)
cylaing v. cliang. *sigh* 

I've emailed the credentials to cliang@mozilla.com
What's the ETA on this? We are planning on launching the test Thursday AM PST.
Blocks: 1131781
I received the credentials and made the changes to the local.py settings file as described in bug 1131781.  I'm waiting to get some kind of confirmation that the changes I've made to stage are correct.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
:ckolos: were the right keys generated and where are we at with this? thx!
Flags: needinfo?(ckolos)
There was some confusion with the initial request in comment #0 resulting in incorrect creds being generated.

I spoke to :ckolos over IRC earlier this afternoon and he said he was on it. Have not heard back yet.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
creds have been delivered to jakem. To be completely clear you should now have:

dev ID for Prod DB
stage ID for Prod DB
prod ID for Prod DB

No other credentials are configured.
Flags: needinfo?(ckolos)
I have delivered a copy of the creds to :cyliang as well. Everyone should now have the correct information available.
Thanks :ckolos!
Now that you guys are unblocked, I have a couple questions and issues.

1) I didn't see that you guys requested production credentials for your dev environment. We're currently not allowing reliers to integrate their dev environments with our production infrastructure. Instead we offer a production clone, which is sandboxed: https://developer.mozilla.org/en-US/Firefox_Accounts#Stable_development_%28production_clone%29

2) Are you guys using the client_secret at all? (I presume not since you're not actually obtaining an OAuth token.) If not, giving you guys the client_secret for these credentials unnecessarily created security risk. 

3) Since there is general agreement that current implementation presents a non-ideal accounts experience (i.e., signing up for FxA doesn't actually get you started with any services), I propose that after your test is over, we remove the credentials we issued you. Going forward we can figure out a better integration between FxA and the first run experience that has both better UX and security properties.

Thoughts?

FWIW, in hindsight, we could issued you a set of creds that doesn't have a secret or redirect_uri (much like the one for the actual Desktop browser: https://oauth.accounts.firefox.com/v1/client/5882386c6d801776), which would have had less risk around it from a security perspective.
Flags: needinfo?(jon)
Flags: needinfo?(chrismore.bugzilla)
Flags: needinfo?(chrismore.bugzilla)
After some firefighting on IRC, we got this all set up. Thanks!
Status: REOPENED → RESOLVED
Closed: 9 years ago9 years ago
Flags: needinfo?(jon)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.