Closed Bug 1117829 Opened 5 years ago Closed 5 years ago

Expose FxA oauth tokens to Fennec

Categories

(Android Background Services Graveyard :: Firefox Accounts, defect)

All
Android
defect
Not set

Tracking

(firefox38 fixed)

RESOLVED FIXED
Firefox 38
Tracking Status
firefox38 --- fixed

People

(Reporter: nalexander, Assigned: nalexander)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

A "full" Firefox Account, namely one with an "oauth client id", a session token, and the ability to sign assertions, can request oauth tokens for any oauth scope it desires.  See implicit_grant and response_type='token' at [1].

The next generation of Firefox Account-attached services, including reading list, will be authenticated using such oauth tokens.  This token model is what the Android Account system was designed to reflect, and as such we should decouple our services (reading list) from the backend (our Firefox Account AbstractAccountAuthenticator).

Important: these tokens should only be exposed to Fennec!  Don't expose this token type to a third party App under any circumstance.  This is both a huge security issue and a reduction of work: if we only expose to Fennec, we can avoid surfacing most (all?) UI when a token is requested.

Most of the oauth dance is already in place at Bug 1055264.  The Account/token dance needs to be implemented.

This is a much updated version of Bug 960880, I suppose.

[1] https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization
I rebased your RL stuff down to one commit for ease of reading.  Then I added the (mostly old, mostly functional) oauth commits, reworked the tests, and added RL tests.  Can I get review on the oauth commits?
Assignee: nobody → nalexander
Status: NEW → ASSIGNED
Attachment #8565740 - Flags: review?(rnewman)
https://hg.mozilla.org/mozilla-central/rev/4d10b6a2cd5f
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 38
Attachment #8565740 - Flags: review?(rnewman) → review+
You need to log in before you can comment on or make changes to this bug.