Right now we: 1) ensure the Firefox Account is in a healthy state; 2) generate an FxA assertion; 3) exchange the assertion for an oauth token. All before syncing the RL! Oauth tokens are long-lived. We should invert the flow of control to just "ask for an oauth token", and push the FxA mangling out of the RL sync flow.
rnewman: over to you.

I elected to use the Android framework for this, mostly 'cuz I wanted to see how it worked in the case it was intended to handle. It's fine, although having to maintain the oauth token in order to invalidate it is irritating. Pay attention to the two layers of token invalidation (one at the oauth layer, one moving the account state backwards). It's challenging to test the latter because "obviously bogus" certificates (like those produced by the debug helper I added) trigger a 400 from the oauth endpoint, not a 401. (This is wrong, and rfkelly agrees, but c'est la vie for now.)

This yields a nice simplification of the RL Sync Adapter which suggests the token approach is reasonable.

The complete absence of automated tests is a function of the compressed schedule and the difficulty of testing the interactions across the full stack. Manual testing with the debug utilities gives me some confidence in the mechanism, however; and it will get more testing as I implement the remaining follow-ups.
Assignee: nobody → nalexander
Status: NEW → ASSIGNED
Attachment #8582918 - Flags: review?(rnewman)
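Added example, not part of the bug thread or of the android-sync code: a plain-Java sketch of the inverted flow and the two invalidation layers described above. Every class and method name is hypothetical, the oauth endpoint and the service are constructed in-process fakes, and leaving the account state untouched on a 400 is an assumption.

```java
// Added illustration: every class and method name below is hypothetical.
public class TokenFlowSketch {
    static class HttpStatusException extends Exception {
        final int status;
        HttpStatusException(int status) { super("HTTP " + status); this.status = status; }
    }
    interface OAuthEndpoint { String exchange(String assertion) throws HttpStatusException; }
    interface Service { String fetch(String token) throws HttpStatusException; }

    static class Account {
        boolean needsNewCertificate = false;   // layer 2 state
        String assertion() { return "constructed-assertion"; }
    }

    static class TokenProvider {
        private final Account account; private final OAuthEndpoint oauth;
        private String cached;                 // kept so that it can be invalidated later
        TokenProvider(Account account, OAuthEndpoint oauth) { this.account = account; this.oauth = oauth; }

        String getToken() throws HttpStatusException {
            if (cached != null) return cached; // long-lived token: no assertion round trip
            try {
                cached = oauth.exchange(account.assertion());
                return cached;
            } catch (HttpStatusException e) {
                // Layer 2: a 401 moves the account state backwards; a 400 does not (assumption).
                if (e.status == 401) account.needsNewCertificate = true;
                throw e;
            }
        }
        // Layer 1: drop the cached token, but only if it is the one that was rejected.
        void invalidate(String token) { if (token.equals(cached)) cached = null; }
    }

    // The sync side only asks for a token; account handling stays inside TokenProvider.
    static String sync(TokenProvider tokens, Service service) throws HttpStatusException {
        String token = tokens.getToken();
        try {
            return service.fetch(token);
        } catch (HttpStatusException e) {
            if (e.status != 401) throw e;
            tokens.invalidate(token);
            return service.fetch(tokens.getToken()); // single retry with a fresh token
        }
    }

    public static void main(String[] args) throws HttpStatusException {
        int[] issued = {0};
        TokenProvider tokens = new TokenProvider(new Account(), a -> "token-" + (++issued[0]));
        // Constructed service: rejects the first token, as if it had been revoked.
        System.out.println(sync(tokens, t -> { if (t.equals("token-1")) throw new HttpStatusException(401); return "synced with " + t; }));
    }
}
```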
Comment on attachment 8582918
Link to Github pull-request: https://github.com/mozilla-services/android-sync/pull/540

See GitHub comments.
Attachment #8582918 - Flags: review?(rnewman) → review+
Comment on attachment 8582918
Link to Github pull-request: https://github.com/mozilla-services/android-sync/pull/540

Batch uplift of Android RL to 38.