Closed Bug 1117829 Opened 5 years ago Closed 5 years ago
A oauth tokens to Fennec
57 bytes, text/x-github-pull-request
A "full" Firefox Account, namely one with an "oauth client id", a session token, and the ability to sign assertions, can request oauth tokens for any oauth scope it desires. See implicit_grant and response_type='token' at https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization

The next generation of Firefox Account-attached services, including reading list, will be authenticated using such oauth tokens. This token model is what the Android Account system was designed to reflect, and as such we should decouple our services (reading list) from the backend (our Firefox Account AbstractAccountAuthenticator).

Important: these tokens should only be exposed to Fennec! Don't expose this token type to a third party App under any circumstance. This is both a huge security issue and a reduction of work: if we only expose to Fennec, we can avoid surfacing most (all?) UI when a token is requested.

Most of the oauth dance is already in place at Bug 1055264. The Account/token dance needs to be implemented. This is a much updated version of Bug 960880, I suppose.
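One way to enforce the "only expose to Fennec" rule inside an `AbstractAccountAuthenticator.getAuthToken()` implementation, as an added example that is not code from this bug or from Fennec. The class name, the `oauth::` token-type prefix and the log tag are assumptions made for illustration.

```java
import android.accounts.AccountManager;
import android.os.Bundle;
import android.os.Process;
import android.util.Log;

/** Added example: caller gate for OAuth token types. All names here are hypothetical. */
public final class OAuthTokenCallerGate {
    private static final String LOG_TAG = "OAuthTokenCallerGate"; // hypothetical tag
    // Hypothetical prefix marking the token types that carry Firefox Account OAuth tokens.
    static final String OAUTH_TOKEN_TYPE_PREFIX = "oauth::";

    private OAuthTokenCallerGate() {}

    /**
     * Call first thing in getAuthToken(response, account, authTokenType, options).
     * Returns null when the request may proceed, or an error Bundle that
     * getAuthToken() should return as-is when the caller is not this app.
     */
    public static Bundle check(String authTokenType, Bundle options) {
        if (authTokenType == null || !authTokenType.startsWith(OAUTH_TOKEN_TYPE_PREFIX)) {
            return null; // Not an OAuth token type; other token types keep their own policy.
        }
        // The framework adds the caller's UID to the options it passes to getAuthToken().
        // Default to -1 so that a missing value fails closed.
        final int callerUid = (options == null)
                ? -1
                : options.getInt(AccountManager.KEY_CALLER_UID, -1);
        // Same UID means the authenticator's own app (or an app sharing its sharedUserId).
        // This is stricter than a signature match, which any same-key app would pass.
        if (callerUid == Process.myUid()) {
            return null;
        }
        // Log the refusal without the token type's value or any account data,
        // so that unexpected requesters show up in diagnostics.
        Log.w(LOG_TAG, "Refusing OAuth token request from uid " + callerUid);
        final Bundle denied = new Bundle();
        denied.putInt(AccountManager.KEY_ERROR_CODE,
                AccountManager.ERROR_CODE_UNSUPPORTED_OPERATION);
        denied.putString(AccountManager.KEY_ERROR_MESSAGE,
                "Token type is not available to this caller");
        return denied;
    }
}
```

Because the refusal happens before any network request or intent is built, a foreign caller never reaches a permission prompt for this token type.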
I rebased your RL stuff down to one commit for ease of reading. Then I added the (mostly old, mostly functional) oauth commits, reworked the tests, and added RL tests. Can I get review on the oauth commits?
Assignee: nobody → nalexander
Status: NEW → ASSIGNED
Attachment #8565740 - Flags: review?(rnewman)
Depends on: 1134312
Attachment #8565740 - Flags: review?(rnewman) → review+