Closed Bug 1632557 Opened 5 years ago Closed 4 years ago

Switch to direct use of session tokens to provision OAuth tokens

Categories

(Firefox :: Sync, task)

Product:
Firefox
Component:
Sync
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 78
Tracking Flags:
Tracking Status
firefox78 --- fixed

People

(Reporter: vladikoff, Assigned: vladikoff)

References

Details

Attachments

(1 file)

Bug 1632557 - Add pref and logic for direct use of session tokens to provision OAuth tokens r=rfkelly
47 bytes, text/x-phabricator-request
Details | Review

As part of fixing this bug we will stop using BrowserID for generating OAuth tokens, switching to direct use of the sessionToken (without changing the public API).

This is blocked a bit by https://jira.mozilla.com/browse/SYNC-1112 (Make sure the metric pipeline can handle the OAuth token volume) we should switch (possibly gradually?) to the new mechanism

Ref: https://phabricator.services.mozilla.com/D72092#inline-422706
Ref: https://jira.mozilla.com/browse/SYNC-1083

Copy paste from a review of 1631830:

"""
There's a security-related thing to watch out for here too. Ideally, we want to ensure that the access_token produced here has a lifetime that's comparable to the lifetime of the BrowserID assertion. That's not true by default - we generate BrowserID assertions that are good for 6 hours (see CERT_LIFETIME in FxAccountsCommon) but OAuth tokens default to being good for several days.

Ideally the FxA server would handle this for us and set an appropriate expiry time on the token, but that's proven complicated so far. We can help here on the client by explicitly requesting the OAuth tokens only live for CERT_LIFETIME seconds (via ttl argument in the request body when generating the token).

By making sure we do this on the client, we'll help ensure that the initial rollout of this gives an accurate picture of what the server load will look like in practice.
"""

I took the liberty of editing the bug title to more closely match watch I think is intended here, but please correct me if I've misunderstood :-)

There's a security-related thing to watch out for here too

This is more directly relevant to the "use OAuth tokens instead of BrowserID assertions" part, but it's good to keep in mind here as well.

Summary: Switch to direct use of session tokens to provision Sync tokens → Switch to direct use of session tokens to provision OAuth tokens
Depends on: 1633641
Assignee: nobody → vlad
Status: NEW → ASSIGNED

With the resolution of Bug 1632635 and the associated decrease in amplitude traffic, I believe it's now safe to enable this direct use of sessionTokens to grant OAuth tokens, without risking the bad side-effects noted in Bug 1591312.

Pushed by vlad@vladikoff.com: https://hg.mozilla.org/integration/autoland/rev/84c51f3b6e86 Add pref and logic for direct use of session tokens to provision OAuth tokens r=rfkelly

https://hg.mozilla.org/mozilla-central/rev/84c51f3b6e86

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox78: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 78
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: