The device manager is a service that maps a user's account to all her "Foxes." It exposes a RESTful API for devices to register and remove themselves, and update their information. Other backend services can also use the device manager to log a user out remotely, in case her device is lost or stolen.

This ticket tracks the work needed to land a device manager client in Firefox. The server work will take place concurrently at https://github.com/mozilla-services/fxa-devmgr-server.

Some background:

* A vague plan outlining some of the scenarios: https://docs.google.com/a/mozilla.com/document/d/1kG3Zmpt_AYoZd1bqbcMwyZYd1OXMzZ0IlqoNdv9S4jM/edit?usp=sharing The implementation notes are out of date, but the use cases remain valid.
* FxA mailing list thread: https://mail.mozilla.org/pipermail/dev-fxacct/2015-May/001514.html
Created attachment 8622582: 1174812.patch
Work-in-progress sketch of the new API. This isn't actually useful yet, since we don't have a server to play with. Also, there are no tests. :-)
Created attachment 8627931: 0001-WIP-Add-a-device-manager-client.patch
It works!
Attachment #8622582 - Attachment is obsolete: true
Now that FxA has refresh tokens, we should consider whether the "revoke oauth tokens owned by this device" aspect of this service is still necessary. I assume that the device will not issue itself any long-lived refresh tokens, since they'd be a pointless indirection around the power it already has. Rather, the device will only issue itself short-lived access tokens. Perhaps we can make these short-lived enough that there's no point in revoking them if the device is lost/stolen?
(In reply to Ryan Kelly [:rfkelly] from comment #3)
> Perhaps we can make these short-lived enough that there's no point in
> revoking them if the device is lost/stolen?

+1. I could see the device issuing long-lived refresh tokens, and refreshing on a timer, to avoid extra round-trips... but maybe that's not too bad, especially if we already cache responses from our services.

> I could see the device issuing long-lived refresh tokens, and refreshing on a timer,
> to avoid extra round-trips

This wouldn't really buy you anything. The only thing you can do with a refresh_token is to trade it for an access_token, and the browser already has the power to do that directly using assertions.
Assignee: kcambridge → nobody
Status: ASSIGNED → NEW
(Adding Shane and Phil for context - this is Kit's initial work on implementing device registration inside Firefox)
Subsumed by Phil's much cleaner (and tested!) patch.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1227527