Implement a client for the FxA device manager service

RESOLVED DUPLICATE of bug 1227527

Status

()

P2
normal
Rank:
15
RESOLVED DUPLICATE of bug 1227527
3 years ago
10 months ago

People

(Reporter: lina, Unassigned)

Tracking

unspecified
Points:
---
Dependency tree / graph
Bug Flags:
firefox-backlog +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fxsync])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

3 years ago
The device manager is a service that maps a user's account to all her "Foxes." It exposes a RESTful API for devices to register and remove themselves, and update their information. Other backend services can also use the device manager to log a user out remotely, in case her device is lost or stolen.

This ticket tracks the work needed to land a device manager client in Firefox. The server work will take place concurrently at https://github.com/mozilla-services/fxa-devmgr-server.

Some background:

* A vague plan outlining some of the scenarios: https://docs.google.com/a/mozilla.com/document/d/1kG3Zmpt_AYoZd1bqbcMwyZYd1OXMzZ0IlqoNdv9S4jM/edit?usp=sharing The implementation notes are out of date, but the use cases remain valid.

* FxA mailing list thread: https://mail.mozilla.org/pipermail/dev-fxacct/2015-May/001514.html
(Reporter)

Comment 1

3 years ago
Created attachment 8622582 [details] [diff] [review]
1174812.patch

Work-in-progress sketch of the new API. This isn't actually useful yet, since we don't have a server to play with. Also, there are no tests. :-)
(Reporter)

Updated

3 years ago
Status: NEW → ASSIGNED
(Reporter)

Updated

3 years ago
Depends on: 1157529, 1156752
(Reporter)

Comment 2

3 years ago
Created attachment 8627931 [details] [diff] [review]
0001-WIP-Add-a-device-manager-client.patch

It works!
Attachment #8622582 - Attachment is obsolete: true
Now that FxA has refresh tokens, we should consider whether the "revoke oauth tokens owned by this device" aspect of this service is still necessary.

I assume that the device will not issue itself any long-lived refresh tokens, since they'd be a pointless indirection around the power it already has.  Rather, the device will only issue itself short-lived access tokens.  Perhaps we can make these short-lived enough that there's no point in revoking them if the device is lost/stolen?

Updated

3 years ago
Blocks: 1182288

Updated

3 years ago
Rank: 15
(Reporter)

Comment 4

3 years ago
(In reply to Ryan Kelly [:rfkelly] from comment #3)
> Perhaps we can make these short-lived enough that there's no point in
> revoking them if the device is lost/stolen?

+1. I could see the device issuing long-lived refresh tokens, and refreshing on a timer, to avoid extra round-trips...but maybe that's not too bad, especially if we already cache responses from our services.
> I could see the device issuing long-lived refresh tokens, and refreshing on a timer,
> to avoid extra round-trips

This wouldn't really buy you anything.  The only thing you can do with a refresh_token is to trade it for an access_token, and the browser already has the power to do that directly using assertions.

Updated

3 years ago
Whiteboard: [fxsync]
Flags: firefox-backlog+
Priority: -- → P2
(Reporter)

Updated

3 years ago
Assignee: kcambridge → nobody
Status: ASSIGNED → NEW
(Adding Shane and Phil for context - this is Kit's initial work on implementing device registration inside Firefox)
(Reporter)

Comment 7

3 years ago
Subsumed by Phil's much cleaner (and tested!) patch.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1227527

Updated

10 months ago
Product: Core → Firefox
You need to log in before you can comment on or make changes to this bug.