Closed Bug 1174812 Opened 5 years ago Closed 4 years ago

Implement a client for the FxA device manager service

Categories

(Firefox :: Firefox Accounts, defect, P2)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1227527

People

(Reporter: Lina, Unassigned)

References

Details

(Whiteboard: [fxsync])

Attachments

(1 file, 1 obsolete file)

The device manager is a service that maps a user's account to all her "Foxes." It exposes a RESTful API for devices to register and remove themselves, and update their information. Other backend services can also use the device manager to log a user out remotely, in case her device is lost or stolen.

This ticket tracks the work needed to land a device manager client in Firefox. The server work will take place concurrently at https://github.com/mozilla-services/fxa-devmgr-server.

Some background:

* A vague plan outlining some of the scenarios: https://docs.google.com/a/mozilla.com/document/d/1kG3Zmpt_AYoZd1bqbcMwyZYd1OXMzZ0IlqoNdv9S4jM/edit?usp=sharing The implementation notes are out of date, but the use cases remain valid.

* FxA mailing list thread: https://mail.mozilla.org/pipermail/dev-fxacct/2015-May/001514.html
Attached patch 1174812.patch (obsolete) — Splinter Review
Work-in-progress sketch of the new API. This isn't actually useful yet, since we don't have a server to play with. Also, there are no tests. :-)
Status: NEW → ASSIGNED
Depends on: 1157529, 1156752
It works!
Attachment #8622582 - Attachment is obsolete: true
Now that FxA has refresh tokens, we should consider whether the "revoke oauth tokens owned by this device" aspect of this service is still necessary.

I assume that the device will not issue itself any long-lived refresh tokens, since they'd be a pointless indirection around the power it already has.  Rather, the device will only issue itself short-lived access tokens.  Perhaps we can make these short-lived enough that there's no point in revoking them if the device is lost/stolen?
Blocks: 1182288
Rank: 15
(In reply to Ryan Kelly [:rfkelly] from comment #3)
> Perhaps we can make these short-lived enough that there's no point in
> revoking them if the device is lost/stolen?

+1. I could see the device issuing long-lived refresh tokens, and refreshing on a timer, to avoid extra round-trips...but maybe that's not too bad, especially if we already cache responses from our services.
> I could see the device issuing long-lived refresh tokens, and refreshing on a timer,
> to avoid extra round-trips

This wouldn't really buy you anything.  The only thing you can do with a refresh_token is to trade it for an access_token, and the browser already has the power to do that directly using assertions.
Whiteboard: [fxsync]
Flags: firefox-backlog+
Priority: -- → P2
Assignee: kcambridge → nobody
Status: ASSIGNED → NEW
(Adding Shane and Phil for context - this is Kit's initial work on implementing device registration inside Firefox)
Subsumed by Phil's much cleaner (and tested!) patch.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1227527
Product: Core → Firefox
You need to log in before you can comment on or make changes to this bug.