1134312 - Finalize Fennec implicit grant oauth client_ids

Status: RESOLVED FIXED

(Android Background Services Graveyard :: Firefox Accounts, defect)

Description

[Nick Alexander :nalexander [he/him]]

Bug 1117829 landed the HTTP clients for fetching and exposing FxA oauth tokens.  These tokens are generated using the "implicit grant" mechanism with response_type="token" to POST /v1/authorization described at [1].

Before we use this in production, we need to agree on what the Fennec client_ids should be.  By design, these client_ids will be baked into Fennec at build time and are not private.  Changing these client_ids in the wild is virtually impossible, so we need to be confident we've chosen a reasonable scheme.  I see on desktop, we use a single client_id for all release channels [2].

Shall we do the same thing for Fennec?  Which is the correct token to use?

[1] https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md

[2] https://dxr.mozilla.org/mozilla-central/source/services/fxaccounts/FxAccountsCommon.js#98

Comment 1

[Nick Alexander :nalexander [he/him]]

ckarlof: I know there are lists of client_ids on the various endpoints.  Have other considered this so there is already one (multiple?) for Fennec, in which case this is cut and dried?

Comment 2

[Chris Karlof [:ckarlof]]

We allocated it back in Oct: https://bugzilla.mozilla.org/show_bug.cgi?id=1064505

The name looks wrong (it shouldn't be "Stage"), but it should otherwise be configured with implicit grant privs:

https://oauth.accounts.firefox.com/v1/client/3332a18d142636cb

Comment 3

[Chris Karlof [:ckarlof]]

That id (3332a18d142636cb) should work in all environments, btw.

Comment 4

[Nick Alexander :nalexander [he/him]]

We've landed this: https://dxr.mozilla.org/mozilla-central/source/mobile/android/base/reading/ReadingListSyncAdapter.java#51.

Thanks, ckarlof!