Closed Bug 1581709 Opened 11 months ago Closed 10 months ago

Stop using BrowserID for OAuth requests (to help the server emit accurate sync activity metrics)

Categories

(Firefox :: Firefox Accounts, enhancement)

enhancement
Not set
normal

Tracking

RESOLVED FIXED
Firefox 71
Tracking Status
firefox71 --- fixed

People

(Reporter: rfkelly, Assigned: eoger)

References

(Blocks 1 open bug)

Attachments

(1 file)

As described in Bug 1577690 Comment 7, we'd like to signal to the FxA backend whether or not the browser is using Sync. The initial proposal was to send a ?service=sync query param in requests to /certificate/sign, but from ensuing Slack conversation I think there's a better way.

We eventually want to move away from BrowserID assertions, but can't boil that ocean all at once. What we can do is make it so that they're only used for sync. Then the server can safely assume that any call to /certificate/sign is in service of something that's connected to sync -- either an older browser for which being signed in means you're always syncing, or a new browser where the user has deliberately opted in to sync. That will give us enough info on the backend to continue emitting appropriate metrics in the short term.

AFAICT there are only two other places in the browser where we make BrowserID assertions, and both of them can be changed not to do that:

We should do this as part of the decoupling work, to help FxA emit accurate sync activity metrics.

Shane, could you please gut-check whether this proposal makes sense?

Flags: needinfo?(stomlinson)

> Shane, could you please gut-check whether this proposal makes sense?

This proposal makes sense from the Desktop P.O.V. Does Fennec still use /certificate/sign? I can't find any obvious references to it, but am not particularly well versed at searching Fennec code.

There are however definite uses of assertions to create OAuth tokens in Firefox for iOS. See https://github.com/mozilla-mobile/firefox-ios/blob/de66de9f664a5dd0282961297fd2e15fac0ca5fc/Account/FxAClient10.swift#L601

Flags: needinfo?(stomlinson)

> This proposal makes sense from the Desktop P.O.V. Does Fennec still use /certificate/sign?

Yes it does; however, Fennec is also not getting the "decouple" treatment, so I think it's fine to assume its uses of that endpoint are "sync-related" for metrics purposes.

Assignee: nobody → eoger
Depends on: 1582837
Pushed by eoger@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6852bdb8d8c5
Use sessionTokens for OAuth requests. r=vladikoff
Pushed by eoger@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b7f97ca6620e
Use sessionTokens for OAuth requests. r=vladikoff

FWIW the lint failure was not caused by my patch.

Flags: needinfo?(eoger)
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 71
See Also: → 1591312
Duplicate of this bug: 1567814