1117829 - Expose FxA oauth tokens to Fennec

Status: RESOLVED FIXED

(Android Background Services Graveyard :: Firefox Accounts, defect)

Description

[Nick Alexander :nalexander [he/him]]

A "full" Firefox Account, namely one with an "oauth client id", a session token, and the ability to sign assertions, can request oauth tokens for any oauth scope it desires.  See implicit_grant and response_type='token' at [1].

The next generation of Firefox Account-attached services, including reading list, will be authenticated using such oauth tokens.  This token model is what the Android Account system was designed to reflect, and as such we should decouple our services (reading list) from the backend (our Firefox Account AbstractAccountAuthenticator).

Important: these tokens should only be exposed to Fennec!  Don't expose this token type to a third party App under any circumstance.  This is both a huge security issue and a reduction of work: if we only expose to Fennec, we can avoid surfacing most (all?) UI when a token is requested.

Most of the oauth dance is already in place at Bug 1055264.  The Account/token dance needs to be implemented.

This is a much updated version of Bug 960880, I suppose.

[1] https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization

Comment 1

[Nick Alexander :nalexander [he/him]]

Attachment: Link to Github pull-request: https://github.com/mozilla-services/android-sync/pull/533

I rebased your RL stuff down to one commit for ease of reading.  Then I added the (mostly old, mostly functional) oauth commits, reworked the tests, and added RL tests.  Can I get review on the oauth commits?

Comment 2

[Nick Alexander :nalexander [he/him]]

https://hg.mozilla.org/integration/fx-team/rev/4d10b6a2cd5f

Comment 3

[Ryan VanderMeulen [:RyanVM][PTO June 24-28]]

https://hg.mozilla.org/mozilla-central/rev/4d10b6a2cd5f