Change refresh auth screen for a confirmation screen for privileged apps requesting a FxA assertion

RESOLVED WONTFIX

3 years ago
7 months ago

People

(Reporter: ferjm, Assigned: mbdejong)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
On bug 1028398 we had to add a hack to show the refresh auth screen the first time a privileged app requests an assertion via mozId so we don't silently provide the user's email to the app. We did it this way because we couldn't add new strings at that point, as we were in a string-frozen stage for 2.0. Now we can remove that hack and add a proper screen asking the user if she wants to use her Firefox Accounts account to log into the requester app or not.
(Reporter)

Comment 1

3 years ago
Hello John, could you give us a hand here? We need to add a new screen to the FxA flow on FxOS. This screen should only be shown the first time that a new privileged app requests an assertion via mozId. On this screen we should ask the user if she wants to share her account information with the app. Thanks!
Flags: needinfo?(jgruen)
(Assignee)

Comment 2

3 years ago
> [we] show the refresh auth screen the first time a privileged app requests an assertion via mozId

How can I reproduce this in current master? The FindMyDevice app just shows a blank page, and the SynctoDemo app from https://github.com/ferjm/gaia/tree/syncto.poc has two behaviors:
* When not logged in to FxA, it will show the FxA login screen (as expected)
* When logged in to FxA through settings, it shows no dialog (neither confirmation screen, nor login screen, nor refresh auth screen).

Is there an app where I can see the current behavior (of showing the refresh-auth screen) that needs fixing?
(Assignee)

Updated

3 years ago
Flags: needinfo?(ferjmoreno)
(Reporter)

Comment 3

3 years ago
This is only happening on privileged apps. You can change the SynctoDemo app to privileged [1] and test the second case you describe ("When logged in to FxA...").

[1] https://github.com/ferjm/gaia/blob/syncto.poc/apps/kintodemo/manifest.webapp#L4

(In reply to Michiel de Jong [:michielbdejong] from comment #2)

> The FindMyDevice app just shows a blank page

This shouldn't happen. Can you describe how you got there and attach a screenshot, please? This might be a bug.
Flags: needinfo?(ferjmoreno)
(Assignee)

Comment 4

3 years ago
> only happening on privileged apps

OK, got it. Thanks!

> Can you describe how you got there and attach a screenshot

OK, I described it in bug 1202471.
(Assignee)

Updated

3 years ago
Assignee: nobody → mbdejong
(Assignee)

Comment 5

3 years ago
I still can't reproduce the current behavior. I'm trying these steps:

* Run Gaia master on B2G-42.0.
* Sign in to FxA from Settings.
* Open 'UI tests - Privileged App' from WebIDE
* Run this code in the console:

  navigator.mozId.watch({
    wantIssuer: 'firefox-accounts',
    audience: location.origin,
    onlogin: function(assertion) {
      console.log(assertion);
    },
    onerror: function(error) {
      console.error(error);
    },
    onlogout: function() {},
    onready: function() {}
  });
  navigator.mozId.request();
  
* Expected: It would open a refresh auth screen, as described in this bug.
* Actual: It reports 'ERROR_INVALID_ASSERTION_AUDIENCE' in the console.
If you run the same code again, it reports 'NS_UNEXPECTED_ERROR' instead.
Flags: needinfo?(ferjmoreno)
(Assignee)

Comment 6

3 years ago
Setting the firefox-accounts permission in the manifest makes no difference, by the way. I also tested this by setting the KintoDemo app to privileged, and by adding the firefox-accounts permission to the uitest-privileged app. All with the same result. Should I set a different audience than location.origin?
(Reporter)

Comment 7

3 years ago
You'll need the 'moz-firefox-accounts' permission and do not set the audience. The window origin is taken as the default one [1].

The NS_UNEXPECTED_ERROR is thrown because you cannot call .watch twice. Yeah, mozId sucks as an API :(

[1] https://mxr.mozilla.org/mozilla-central/source/dom/identity/nsDOMIdentity.js#617
Flags: needinfo?(ferjmoreno)
(Assignee)

Comment 8

3 years ago
OK, got it working now, thanks!

One thing I would like to add is that if the refreshAuthentication option is set in the call to navigator.mozId.request, then the password dialog should still appear. We only want to replace it with the simple OK/Cancel dialog mentioned in https://developer.mozilla.org/en-US/docs/Firefox-Accounts-on-FirefoxOS#Three_lobes_of_the_state_machine if this parameter is omitted.
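
The screen selection requested in this bug, with the refreshAuthentication exception from comment 8, worked through as an added JavaScript example. It is not Gaia or Gecko code: the class, method and field names are hypothetical, it covers only privileged apps requesting an assertion via mozId, and treating a completed login or password prompt as consent for that app is an assumption.

```javascript
// Added illustration; not Gaia or Gecko code. All names are hypothetical.
// Models which screen the FxA flow shows when a privileged app requests
// an assertion, so the user's email is never handed over silently.

class AssertionConsentGate {
  constructor() {
    // Origins of privileged apps the user has already approved.
    this.approvedOrigins = new Set();
  }

  // request: { origin, signedIn, refreshAuthentication? }
  // Returns 'login', 'password', 'confirm' or 'none'.
  screenFor(request) {
    if (!request.signedIn) {
      return 'login'; // no FxA session yet: normal sign-in screen
    }
    if (request.refreshAuthentication !== undefined) {
      return 'password'; // comment 8: explicit re-auth keeps the password dialog
    }
    if (!this.approvedOrigins.has(request.origin)) {
      return 'confirm'; // first request from this app: simple OK/Cancel
    }
    return 'none'; // already approved: no screen needed
  }

  // Applies the user's answer to the screen that was shown.
  // Returns true when an assertion may be released to the app.
  resolve(request, userAccepted) {
    if (this.screenFor(request) === 'none') {
      return true;
    }
    if (!userAccepted) {
      return false; // a cancel is never remembered as consent
    }
    // Assumption: completing any of the screens counts as consent for this app.
    this.approvedOrigins.add(request.origin);
    return true;
  }
}
```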
(Reporter)

Updated

3 years ago
Flags: needinfo?(jgruen)

Comment 9

7 months ago
Firefox OS is not being worked on
Status: NEW → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → WONTFIX