Bug 1131660
Opened 9 years ago
Closed 9 years ago
Need FxA relier client production creds for Fx Firstrun tests (Need by Feb 11 2015)
Categories
(Cloud Services :: Operations: Miscellaneous, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jpetto, Assigned: ckolos)
We will be running a test for a small percentage of users (see bug 1128726) and need production creds for the FxA relier client. We need access to production from staging (https://www.allizom.org) and prod (https://www.mozilla.org). If possible, it would be nice to test from dev (https://www-dev.allizom.org/) as well. Thanks!
Reporter
Updated•9 years ago
Assignee: nobody → ckolos
Comment 1•9 years ago
We are launching the small sampled test on Feb 12 2015. We will do a code review and QA phase on Feb 11th, thus we will need the client id by the 11th. Thanks, Chris!
Summary: Need FxA relier client production creds for Fx Firstrun tests → Need FxA relier client production creds for Fx Firstrun tests (Need by Feb 11 2015)
Comment 2•9 years ago
:ckolos, r+ on this request. However, :jpetto in order for :ckolos to generate credentials he needs:
1) A service name. The login flow you've integrated with will say "Continue to <service name>". In the demo service it's set to "Firefox Firstrun (demo5)". We need the production version in this bug for :ckolos.
2) A redirect_uri for the OAuth flow. Also, in this bug please.
It's our policy to only provide encrypted credentials to the operations team running your service. Please provide the email and GPG key of this person.
Flags: needinfo?(jon)
Updated•9 years ago
Component: FxAccounts → Operations
Product: Core → Mozilla Services
Reporter
Comment 3•9 years ago
> 1) A service name. The login flow you've integrated with will say "Continue
> to <service name>". In the demo service it's set to "Firefox Firstrun
> (demo5)". We need the production version in this bug for :ckolos.
Service name should be: Firefox Setup
>
> 2) A redirect_uri for the OAuth flow. Also, in this bug please.
We aren't doing any actual redirection, so could the redirectUri just be the root of the associated domain?
https://www-dev.allizom.org/
https://www.allizom.org/
https://www.mozilla.org/
>
> It's our policy to only provide encrypted credentials to the operations team
> running your service. Please provide the email and GPG key of this person.
I believe the webops person doing the work will depend on when the keys are ready. Will needinfo :cyliang, who may be the best point of contact (and can forward to whomever is assigned to set the keys).
I was thinking we would put the production key in our base settings file[1] and have it overridden in local settings only on stage and dev. Should we instead plan to have the key in each server's (prod, stage, dev) local settings file and leave it out of source control?
[1] - https://github.com/mozilla/bedrock/blob/bug-1128726-fx-firstrun-experiments/bedrock/settings/base.py#L1499
Flags: needinfo?(jon)
Flags: needinfo?(cliang)
Flags: needinfo?(ckarlof)
Comment 4•9 years ago
Requirements around your client_secret:
1) The production client_secret must never be in your code's source control.
2) The production client_secret must never leave your back end server. In particular, it should never be provided to the web page or client code implementing the first run experience.
client_id and redirect_uri are essentially public, so they can be stored anywhere.
Flags: needinfo?(ckarlof)
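The two requirements in comment 4, sketched as an added example that is not part of the original bug and is not bedrock's code: the public values live in tracked base settings, the secret comes only from server-local configuration, only the public values are handed to the page, and a scan flags a literal secret in a tracked file. The setting names (`FXA_CLIENT_ID`, `FXA_REDIRECT_URI`, `FXA_CLIENT_SECRET`) and all sample values are assumptions.

```python
import re

# Hypothetical setting names; all values used with them are constructed.
PUBLIC_KEYS = ("FXA_CLIENT_ID", "FXA_REDIRECT_URI")
SECRET_KEY = "FXA_CLIENT_SECRET"

# A string literal assigned to the secret in a tracked settings file.
HARDCODED = re.compile(
    r"""^[ \t]*FXA_CLIENT_SECRET[ \t]*=[ \t]*['"][^'"\n]+['"]""", re.M)


def load_fxa_settings(base, server_local):
    """Combine tracked base settings with the server-local secret.

    base         -- values kept in source control (client_id, redirect_uri)
    server_local -- per-server mapping, e.g. os.environ or an untracked file
    """
    if base.get(SECRET_KEY):
        raise ValueError("client_secret found in tracked base settings")
    secret = server_local.get(SECRET_KEY)
    if not secret:
        raise KeyError(SECRET_KEY + " missing from server-local settings")
    settings = {key: base[key] for key in PUBLIC_KEYS}
    settings[SECRET_KEY] = secret
    return settings


def page_context(settings):
    """Return only the values allowed to reach the page or client code."""
    return {key: settings[key] for key in PUBLIC_KEYS}


def hardcoded_secret_lines(source_text):
    """Return 1-based line numbers where the secret is set to a literal."""
    return [source_text.count("\n", 0, match.start()) + 1
            for match in HARDCODED.finditer(source_text)]


if __name__ == "__main__":
    base = {"FXA_CLIENT_ID": "constructed-client-id",
            "FXA_REDIRECT_URI": "https://www.allizom.org/"}
    settings = load_fxa_settings(base, {SECRET_KEY: "constructed-secret"})
    print(page_context(settings))
    tracked = "FXA_CLIENT_ID = 'abc'\n\nFXA_CLIENT_SECRET = 'oops'\n"
    print(hardcoded_secret_lines(tracked))
```

`hardcoded_secret_lines` can run as a pre-commit or CI check over the tracked settings files; a line that reads the secret from the environment does not match.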
Comment 5•9 years ago
If the keys come out before 2 PM EST today, you can encrypt the info to the key I have up at keys.mozilla.org. If the keys come out after that, your best bet is to send them to Jake Maul. His key is also available at keys.mozilla.org.
Flags: needinfo?(cliang)
Assignee
Comment 6•9 years ago
:cyliang - your key on gpg.m.o isn't usable for me to encrypt these:
gpg: cyliang@uiuc.edu: skipped: Unusable public key
I'm guessing b/c it's only 1024 bits?
Flags: needinfo?(cliang)
Comment 7•9 years ago
You probably want my Mozilla key: pub 2048R/9A326461 2011-11-08. The UIUC key is undoubtedly expired. =)
Flags: needinfo?(cliang)
Assignee
Comment 8•9 years ago
cylaing v. cliang. *sigh* I've emailed the credentials to cliang@mozilla.com
Comment 9•9 years ago
What's the ETA on this? We are planning on launching the test Thursday AM PST.
Comment 10•9 years ago
I received the credentials and made the changes to the local.py settings file as described in bug 1131781. I'm waiting to get some kind of confirmation that the changes I've made to stage are correct.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 11•9 years ago
:ckolos: were the right keys generated and where are we at with this? thx!
Flags: needinfo?(ckolos)
Reporter
Comment 12•9 years ago
There was some confusion with the initial request in comment #0 resulting in incorrect creds being generated. I spoke to :ckolos over IRC earlier this afternoon and he said he was on it. Have not heard back yet.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee
Comment 13•9 years ago
creds have been delivered to jakem. To be completely clear you should now have:
dev ID for Prod DB
stage ID for Prod DB
prod ID for Prod DB
No other credentials are configured.
Flags: needinfo?(ckolos)
Assignee
Comment 14•9 years ago
I have delivered a copy of the creds to :cyliang as well. Everyone should now have the correct information available.
Reporter
Comment 15•9 years ago
Thanks :ckolos!
Comment 16•9 years ago
Now that you guys are unblocked, I have a couple questions and issues.
1) I didn't see that you guys requested production credentials for your dev environment. We're currently not allowing reliers to integrate their dev environments with our production infrastructure. Instead we offer a production clone, which is sandboxed: https://developer.mozilla.org/en-US/Firefox_Accounts#Stable_development_%28production_clone%29
2) Are you guys using the client_secret at all? (I presume not since you're not actually obtaining an OAuth token.) If not, giving you guys the client_secret for these credentials unnecessarily created security risk.
3) Since there is general agreement that the current implementation presents a non-ideal accounts experience (i.e., signing up for FxA doesn't actually get you started with any services), I propose that after your test is over, we remove the credentials we issued you. Going forward we can figure out a better integration between FxA and the first run experience that has both better UX and security properties.
Thoughts?
FWIW, in hindsight, we could have issued you a set of creds that doesn't have a secret or redirect_uri (much like the one for the actual Desktop browser: https://oauth.accounts.firefox.com/v1/client/5882386c6d801776), which would have had less risk around it from a security perspective.
Updated•9 years ago
Flags: needinfo?(jon)
Updated•9 years ago
Flags: needinfo?(chrismore.bugzilla)
Updated•9 years ago
Flags: needinfo?(chrismore.bugzilla)
Comment 17•9 years ago
After some firefighting on IRC, we got this all set up. Thanks!
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Flags: needinfo?(jon)
Resolution: --- → FIXED