Closed
Bug 1161873
Opened 9 years ago
Closed 9 years ago
Switch pocket production credentials to trusted:false
Categories
(Cloud Services :: Operations: Miscellaneous, task, P1)
Cloud Services
Operations: Miscellaneous
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: rfkelly, Assigned: ckolos)
References
Details
This is a follow-up to Bug 1157578 Comment 7, where we temporarily provisioned the pocket oauth credentials with trusted:true. We need to coordinate on switching them over to the trusted:false status that we want to use for third-party reliers.

Actions, in order:

1) Confirm that the flow from https://github.com/mozilla/fxa-oauth-server/pull/248 is working as expected now that train-36 has been deployed.
2) Change the way scopes are requested by pocket, in line with the restricted scopes provided to third-party reliers. We can deploy this on the pocket side without flipping the config on our side.
3) Switch the pocket dev credentials to trusted:false and test that it all works in a dev environment.
4) Switch the pocket prod credentials to trusted:false.

I'll own the first action, and will follow up here when we're ready to push forward with the changes.
Comment 1 • 9 years ago
Not really sure of priority here, can you set the priority field so we can track it?
Flags: needinfo?(rfkelly)
Priority: -- → P1
Comment 2 (Reporter) • 9 years ago
P1 works for me, we really do need this done before release.
Flags: needinfo?(rfkelly)
Comment 3 (Reporter) • 9 years ago
OK, I've confirmed that the latest deployed code should work correctly with the restrictions we want to do here. The next step is for Pocket to switch over from requesting:

    { "scope": "profile" }

To requesting the specific profile data that is needed:

    { "scope": "profile:uid profile:email profile:display_name" }

We've patched the profile endpoints to return partial profile data when presented with such tokens, so things should Just Work without further changes on the Pocket side of things. All the changes should be live in both dev and prod environments. Matt, can you please try this out and let us know when you've got it switched over on your side?
Flags: needinfo?(matt)
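As an added illustration (not code from fxa-oauth-server or from this bug), the model below shows the two behaviours the comment relies on: a trusted:false relier is limited to specific profile sub-scopes instead of the bare "profile" scope, and a profile endpoint returns only the fields its token's scopes permit. The permitted-scope list and the scope-to-field mapping are assumptions; the profile record is constructed.

```python
# Added example, not fxa-oauth-server code. The permitted sub-scope set for
# untrusted reliers and the scope-to-field mapping are assumptions for this demo.

# Hypothetical set of sub-scopes a third-party (trusted:false) relier may hold.
UNTRUSTED_ALLOWED_SCOPES = {"profile:uid", "profile:email", "profile:display_name"}

# Which profile field each sub-scope unlocks (assumed mapping).
SCOPE_TO_FIELD = {
    "profile:uid": "uid",
    "profile:email": "email",
    "profile:display_name": "display_name",
    "profile:avatar": "avatar",
}

# Constructed profile record; the values are placeholders, not real FxA data.
FULL_PROFILE = {
    "uid": "0123456789abcdef",
    "email": "user@example.com",
    "display_name": "Example User",
    "avatar": "https://example.com/avatar.png",
}


def authorize_scopes(client, requested):
    """Return the set of scopes granted to `client` for a space-separated request.

    Trusted reliers may hold the broad "profile" scope; untrusted reliers may
    only hold sub-scopes from UNTRUSTED_ALLOWED_SCOPES, otherwise the request
    is refused.
    """
    scopes = set(requested.split())
    if client["trusted"]:
        return scopes
    disallowed = scopes - UNTRUSTED_ALLOWED_SCOPES
    if disallowed:
        raise PermissionError(
            f"untrusted client {client['id']} may not request {sorted(disallowed)}")
    return scopes


def profile_for_token(scopes):
    """Return the partial profile a token with these scopes is allowed to see."""
    if "profile" in scopes:
        return dict(FULL_PROFILE)
    return {SCOPE_TO_FIELD[s]: FULL_PROFILE[SCOPE_TO_FIELD[s]]
            for s in scopes if s in SCOPE_TO_FIELD}
```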
Comment 4 • 9 years ago
:rfkelly - I've made the change on both dev and staging to use: profile:uid+profile:email+profile:display_name This is now live and confirmed working in both dev and prod on my end.
Flags: needinfo?(matt)
Comment 5 (Reporter) • 9 years ago
I've changed the config on oauth-stable.dev.lcip.org to use `trusted: false`. Once we confirm that this hasn't broken anything in dev, we'll give the OK to :ckolos to make the change in production.
Comment 6 (Reporter) • 9 years ago
Matt, what URL should I hit to test this out in dev?
Flags: needinfo?(matt)
Comment 7 (Reporter) • 9 years ago
The answer was "firefox.dev.readitlater.com" and AFAICT it's working with the bit flipped.
Flags: needinfo?(matt)
Comment 8 (Reporter) • 9 years ago
OK, over to :ckolos. Please update the stage and production client records for Pocket to have `trusted: false`. (The soon-to-be-legacy `whitelisted` property can be safely ignored.) We're pretty confident that this won't break anything, but at the slightest sign of trouble, it's safe to roll back to `trusted: true`.
Assignee: nobody → ckolos
Comment 9 (Assignee) • 9 years ago
This was completed in stage/prod and tested by mattk.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 10 (Reporter) • 9 years ago
> this was completed in stage/prod and tested by mattk.

It doesn't seem to have stuck in stage:

    curl https://oauth.stage.mozaws.net/v1/client/749818d3f2e7857f
    {
      "id":"749818d3f2e7857f",
      "name":"Pocket",
      "trusted":true,
      "image_uri":"",
      "redirect_uri":"https://staging.getpocket.com/ff_auth",
      "terms_uri":"",
      "privacy_uri":""
    }

Versus in prod:

    curl https://oauth.accounts.firefox.com/v1/client/749818d3f2e7857f
    {
      "id":"749818d3f2e7857f",
      "name":"Pocket",
      "trusted":false,
      "image_uri":"",
      "redirect_uri":"https://getpocket.com/ff_auth",
      "terms_uri":"",
      "privacy_uri":""
    }
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
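The stage/prod mismatch above is the kind of drift that is easy to catch mechanically. The check below is an added example (not part of this bug or of the FxA tooling): it takes the client record each environment serves, as the curl calls above do, and reports any environment where the record does not match what that environment is expected to return. The records are embedded copies of the two pasted above; in practice the JSON would come from the `/v1/client/<id>` endpoint.

```python
import json

# Added example, not FxA code. The records are copies of the two curl
# responses quoted in this bug, embedded here so the check runs offline.
CLIENT_RECORDS = {
    "stage": '{"id":"749818d3f2e7857f","name":"Pocket","trusted":true,"image_uri":"",'
             '"redirect_uri":"https://staging.getpocket.com/ff_auth","terms_uri":"","privacy_uri":""}',
    "prod": '{"id":"749818d3f2e7857f","name":"Pocket","trusted":false,"image_uri":"",'
            '"redirect_uri":"https://getpocket.com/ff_auth","terms_uri":"","privacy_uri":""}',
}

# What each environment's record for the Pocket client is expected to contain
# once the switch is complete (redirect_uri values taken from the bug).
EXPECTED = {
    "stage": {"trusted": False, "redirect_uri": "https://staging.getpocket.com/ff_auth"},
    "prod": {"trusted": False, "redirect_uri": "https://getpocket.com/ff_auth"},
}


def find_client_drift(records, expected, client_id):
    """Compare each environment's client record against its expectation.

    Returns {env: {field: (expected, actual), ...}} for every mismatch.
    An empty dict means all environments agree with the expectation.
    """
    drift = {}
    for env, raw in records.items():
        rec = json.loads(raw)
        if rec.get("id") != client_id:
            raise ValueError(f"{env}: expected client {client_id}, got {rec.get('id')}")
        mismatches = {}
        for field, want in expected[env].items():
            got = rec.get(field)
            # Normalise the trusted flag: a backend may store it as 0/1 rather
            # than a JSON boolean (Comment 13 sets `trusted = 0` in the database).
            if field == "trusted":
                got = bool(got)
            if got != want:
                mismatches[field] = (want, got)
        if mismatches:
            drift[env] = mismatches
    return drift
```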
Comment 11 (Reporter) • 9 years ago
Chris, please re-enable trusted:false in stage before deploying train-37 to production, so that we can test train-37 changes that do not apply to trusted reliers.
Comment 12 • 9 years ago
:rfkelly - I'm looking into this now.
Comment 13 • 9 years ago
I had rebuilt the oauth stack in production and switched to it. I reckon ckolos has a branch somewhere to change the config in puppet but it wasn't merged in. In the interim, I have set Pocket clients in stage to be `trusted = 0` (and `whitelisted = 0` fwiw).
Comment 14 (Reporter) • 9 years ago
Seems to be working as expected now, thanks :jrgm!
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Comment 15 • 9 years ago
Just to document:

    date; curl -s https://oauth.stage.mozaws.net/v1/client/749818d3f2e7857f | python -mjson.tool
    Sat May 16 02:12:04 UTC 2015
    {
        "id": "749818d3f2e7857f",
        "image_uri": "",
        "name": "Pocket",
        "privacy_uri": "",
        "redirect_uri": "https://staging.getpocket.com/ff_auth",
        "terms_uri": "",
        "trusted": false
    }
Comment 16 (Assignee) • 9 years ago
:rfkelly :jrgm - this is exactly the case. I'm merging my branch this morning to avoid this going forward.