Closed Bug 1633641 Opened 5 years ago Closed 5 years ago

Provide a method to fetch an OAuth token and its key in a single operation

Categories

(Firefox :: Firefox Accounts, enhancement)

RESOLVED FIXED
Firefox 78
Tracking Status
firefox78 --- fixed

People

(Reporter: rfkelly, Assigned: vladikoff)

(Whiteboard: SACI)

Attachments

(1 file)

Over in Bug 1631830, we're refactoring the Sync client code to use OAuth tokens rather than BrowserID assertions. The code there needs to obtain an OAuth access token with "oldsync" scope as well as the FxA scoped key for the same scope, and it currently has to jump through a few awkward API hoops in order to do so.

By contrast, our FxA rust component and its bindings offer a nice getAccessToken method call that can return the OAuth token and its corresponding key in a single operation. I think the code from Bug 1631830 would be both cleaner and more performant if we added a similar method to the desktop codebase.

My strawman proposal would be to exactly mirror the API offered by the rust component:

fxa.getAccessToken(scope, ttl) => {
  scope, // the scope you requested
  token, // the access token for including in `Authorization` header
  key, // the corresponding JWK for that scope, if any
  expiresAt, // how long the token is good for, in seconds
}

Under the hood, this API would need to call fxa.keys.getScopedKeys in order to obtain the JWK for the requested scope, and would probably need to do a bit of caching in order to avoid hitting the network for /account/scoped-key-data on every call. But we should be able to hide that complexity from API consumers.

Blocks: 1632557

Thank you for filing this follow up bug!

Sketch of what I think we should do here:

  • Add a new field to signedInUser.json named, say, "scopedKeyData". Use it for caching the result of calling /account/scoped-key-data with the "oldsync" scope and our own client_id.
  • Add the new getAccessToken or equivalent bikeshedded method, so that it:
    • Have it share the same cache as the existing getOAuthToken method
    • If called with the "oldsync" scope, have it fetch (or populate) the "scopedKeyData" field from storage, and synthesize the appropriate scoped-key JWK.
Whiteboard: SACI
Assignee: nobody → vlad
Blocks: 1638359
Pushed by vlad@vladikoff.com: https://hg.mozilla.org/integration/autoland/rev/4dca574b5a53 Provide a method to fetch an OAuth token and its key in a single operation. r=rfkelly
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 78
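
The single-call shape discussed in this bug, with the token cache and the cached scoped key sharing one entry point, as an added JavaScript sketch that is not the patch landed here or any Firefox code. `TokenAndKeyCache`, `fetchToken`, `fetchScopedKey`, the `{ token, expiresIn }` backend shape and the reading of `expiresAt` as absolute epoch seconds are all assumptions made for illustration.

```javascript
// Added sketch, not Firefox code. fetchToken and fetchScopedKey are hypothetical
// injected stand-ins for getOAuthToken and fxa.keys.getScopedKeys.
class TokenAndKeyCache {
  constructor({ fetchToken, fetchScopedKey, now = () => Date.now() }) {
    this.fetchToken = fetchToken;
    this.fetchScopedKey = fetchScopedKey;
    this.now = now;
    this.tokens = new Map();   // scope -> { token, expiresAt }
    this.keys = new Map();     // scope -> JWK, or null when the scope has no key
    this.inFlight = new Map(); // scope -> pending promise, so callers share one fetch
  }

  getAccessToken(scope, ttl) {
    if (!this.inFlight.has(scope)) {
      const pending = this._load(scope, ttl)
        .finally(() => this.inFlight.delete(scope));
      this.inFlight.set(scope, pending);
    }
    return this.inFlight.get(scope);
  }

  async _load(scope, ttl) {
    const nowSec = Math.floor(this.now() / 1000);
    let entry = this.tokens.get(scope);
    if (!entry || entry.expiresAt <= nowSec) {
      // Assumed backend shape: { token, expiresIn } with expiresIn in seconds.
      const { token, expiresIn } = await this.fetchToken(scope, ttl);
      entry = { token, expiresAt: nowSec + expiresIn };
      this.tokens.set(scope, entry);
    }
    // Key material outlives individual tokens, so it is fetched once per scope.
    if (!this.keys.has(scope)) {
      this.keys.set(scope, await this.fetchScopedKey(scope));
    }
    return { scope, token: entry.token, key: this.keys.get(scope),
             expiresAt: entry.expiresAt };
  }

  // Drop tokens and keys together, e.g. on sign-out (assumed policy).
  clear() {
    this.tokens.clear();
    this.keys.clear();
  }
}
```

Concurrent callers for the same scope share one pending request, so a burst of calls produces a single token fetch and a single key fetch.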