Closed Bug 1161873 Opened 9 years ago Closed 9 years ago

Switch pocket production credentials to trusted:false

Categories: Cloud Services :: Operations: Miscellaneous, task, P1
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: rfkelly, Assigned: ckolos

This is a follow-up to Bug 1157578 Comment 7, where we temporarily provisioned the pocket oauth credentials with trusted:true.  We need to coordinate on switching them over to the trusted:false status that we want to use for third-party reliers.

Actions, in order:

1) Confirm that the flow from https://github.com/mozilla/fxa-oauth-server/pull/248 is working as expected now that train-36 has been deployed.

2) Change the way scopes are requested by pocket, in line with the restricted scopes provided to third-party reliers.  We can deploy this on the pocket side without flipping the config on our side.

3) Switch the pocket dev credentials to trusted:false and test that it all works in a dev environment.

4) Switch the pocket prod credentials to trusted:false.

I'll own the first action, and will follow up here when we're ready to push forward with the changes.
Blocks: Pocket
Not really sure of priority here, can you set the priority field so we can track it?
Flags: needinfo?(rfkelly)
Priority: -- → P1
P1 works for me, we really do need this done before release.
Flags: needinfo?(rfkelly)
OK, I've confirmed that the latest deployed code should work correctly with the restrictions we want to do here.  The next step is for Pocket to switch over from requesting:

  { "scope": "profile" }

To requesting the specific profile data that is needed:

  { "scope": "profile:uid profile:email profile:display_name"}

We've patched the profile endpoints to return partial profile data when presented with such tokens, so things should Just Work without further changes on the Pocket side of things.

All the changes should be live in both dev and prod environments.  Matt, can you please try this out and let us know when you've got it switched over on your side?
Flags: needinfo?(matt)
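The comment above describes why Pocket has to move from a bare "profile" scope to the three specific sub-scopes, and that the profile endpoints now return only the fields the token's scopes cover. This added example (not code from the bug or from fxa-oauth-server) models that filtering; the implication rule it assumes is that a bare "profile" scope covers every "profile:<field>" sub-scope, and the sample profile record is constructed.

```python
"""Added example, not fxa-oauth-server code: a simplified model of scope-based
profile filtering for trusted vs. third-party (untrusted) reliers."""

from typing import Dict, List, Set

# Constructed sample of the full profile record a trusted relier would see.
FULL_PROFILE: Dict[str, str] = {
    "uid": "0123456789abcdef0123456789abcdef",
    "email": "user@example.com",
    "display_name": "Example User",
    "avatar": "https://example.invalid/avatar.png",
}

# The restricted sub-scopes named in the bug for third-party reliers.
RESTRICTED: Set[str] = {"profile:uid", "profile:email", "profile:display_name"}


def parse_scope(scope: str) -> Set[str]:
    """Split a scope string; both the space- and '+'-separated forms appear in the bug."""
    return {s for s in scope.replace("+", " ").split() if s}


def scope_covers(granted: Set[str], needed: str) -> bool:
    """True if `needed` (e.g. profile:email) is granted directly or via a parent scope.

    Assumption of this model: 'profile' implies every 'profile:<field>' sub-scope.
    """
    if needed in granted:
        return True
    parts = needed.split(":")
    # Walk up the hierarchy: profile:email -> profile
    return any(":".join(parts[:i]) in granted for i in range(len(parts) - 1, 0, -1))


def filtered_profile(scope: str, profile: Dict[str, str] = FULL_PROFILE) -> Dict[str, str]:
    """Return only the profile fields the token's scopes cover (partial profile data)."""
    granted = parse_scope(scope)
    return {k: v for k, v in profile.items() if scope_covers(granted, f"profile:{k}")}


def refused_for_untrusted(scope: str, allowed: Set[str] = RESTRICTED) -> List[str]:
    """Scopes an untrusted relier requested that fall outside the restricted set."""
    return sorted(parse_scope(scope) - allowed)
```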
:rfkelly - I've made the change on both dev and staging to use: profile:uid+profile:email+profile:display_name

This is now live and confirmed working in both dev and prod on my end.
Flags: needinfo?(matt)
I've changed the config on oauth-stable.dev.lcip.org to use `trusted: false`.  Once we confirm that this hasn't broken anything in dev, we'll give the OK to :ckolos to make the change in production.
Matt, what URL should I hit to test this out in dev?
Flags: needinfo?(matt)
The answer was "firefox.dev.readitlater.com" and AFAICT it's working with the bit flipped.
Flags: needinfo?(matt)
OK, over to :ckolos.  Please update the stage and production client records for Pocket to have `trusted: false`.  (The soon-to-be-legacy `whitelisted` property can be safely ignored).

We're pretty confident that this won't break anything, but at the slightest sign of trouble, it's safe to roll back to `trusted: true`.
Assignee: nobody → ckolos
This was completed in stage/prod and tested by mattk.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
> this was completed in stage/prod and tested by mattk.

It doesn't seem to have stuck in stage:

   curl https://oauth.stage.mozaws.net/v1/client/749818d3f2e7857f

     {
      "id":"749818d3f2e7857f",
      "name":"Pocket",
      "trusted":true,
      "image_uri":"",
      "redirect_uri":"https://staging.getpocket.com/ff_auth",
      "terms_uri":"",
      "privacy_uri":""
     }

Versus in prod:

   curl https://oauth.accounts.firefox.com/v1/client/749818d3f2e7857f

     {
      "id":"749818d3f2e7857f",
      "name":"Pocket",
      "trusted":false,
      "image_uri":"",
      "redirect_uri":"https://getpocket.com/ff_auth",
      "terms_uri":"",
      "privacy_uri":""
     }
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Chris, please re-enable trusted:false in stage before deploying train-37 to production, so that we can test train-37 changes that do not apply to trusted reliers.
:rfkelly - I'm looking into this now.
I had rebuilt the oauth stack in production and switched to it. I reckon ckolos has a branch somewhere to change the config in puppet but it wasn't merged in. In the interim, I have set Pocket clients in stage to be `trusted = 0` (and `whitelisted = 0` fwiw).
Seems to be working as expected now, thanks :jrgm!
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Just to document:

date; curl -s https://oauth.stage.mozaws.net/v1/client/749818d3f2e7857f | python -mjson.tool
Sat May 16 02:12:04 UTC 2015
{
    "id": "749818d3f2e7857f", 
    "image_uri": "", 
    "name": "Pocket", 
    "privacy_uri": "", 
    "redirect_uri": "https://staging.getpocket.com/ff_auth", 
    "terms_uri": "", 
    "trusted": false
}
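The reopen above happened because stage silently reverted to trusted:true while prod was correct. This added example (not from the bug or from fxa-oauth-server) is a drift check over the public /v1/client/<id> records quoted in this bug: it compares each environment's record with the expected `trusted` value and redirect_uri host. The response bodies are constructed from the ones pasted in the bug, and the expected values per environment are assumptions of the example.

```python
"""Added example, not project code: detect config drift in the Pocket client
records across environments using the /v1/client/<id> JSON shown in the bug."""

import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed from the responses pasted in this bug (client id as in the bug).
STAGE_RESPONSE = '''{"id":"749818d3f2e7857f","name":"Pocket","trusted":true,
"image_uri":"","redirect_uri":"https://staging.getpocket.com/ff_auth",
"terms_uri":"","privacy_uri":""}'''
PROD_RESPONSE = '''{"id":"749818d3f2e7857f","name":"Pocket","trusted":false,
"image_uri":"","redirect_uri":"https://getpocket.com/ff_auth",
"terms_uri":"","privacy_uri":""}'''

# Assumed expected state once step 4 of the bug is done in every environment.
EXPECTED: Dict[str, Dict[str, object]] = {
    "stage": {"trusted": False, "redirect_host": "staging.getpocket.com"},
    "prod": {"trusted": False, "redirect_host": "getpocket.com"},
}


def check_client_record(env: str, body: str, client_id: str = "749818d3f2e7857f") -> List[str]:
    """Return findings for one environment's client record; an empty list means no drift."""
    rec = json.loads(body)
    want = EXPECTED[env]
    findings: List[str] = []
    if rec.get("id") != client_id:
        findings.append(f"{env}: unexpected client id {rec.get('id')!r}")
    # Compare the real boolean; the legacy `whitelisted` field is deliberately ignored.
    if rec.get("trusted") is not want["trusted"]:
        findings.append(f"{env}: trusted is {rec.get('trusted')!r}, expected {want['trusted']!r}")
    # The redirect_uri host is the other field a relier misconfiguration would show up in.
    host = urlparse(rec.get("redirect_uri", "")).hostname
    if host != want["redirect_host"]:
        findings.append(f"{env}: redirect_uri host {host!r}, expected {want['redirect_host']!r}")
    return findings


def check_all(responses: Dict[str, str]) -> List[str]:
    """Run the check over every environment and collect all findings."""
    return [f for env, body in responses.items() for f in check_client_record(env, body)]
```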
:rfkelly :jrgm - this is exactly the case. I'm merging my branch this morning to avoid this going forward.