Closed Bug 949093 Opened 11 years ago Closed 10 years ago

[User Story] FxA - Forced Authentication

Categories

(Firefox OS Graveyard :: Gaia, defect)

x86
macOS
defect
Not set
normal

Tracking

(feature-b2g:2.0)

RESOLVED FIXED
feature-b2g 2.0

People

(Reporter: arogers, Unassigned)

Details

(Whiteboard: [ucid:FxA5, 2.0:p2, ft:FirefoxAccounts][qa+][dependency:Marketplace])

User Story:

As a developer, I want to be able to initiate a re-authentication using the user's Firefox Accounts credentials if they are performing a task that is deemed to be secure. For example, making a purchase in Marketplace or disabling Where's My Fox.

Assumptions: 

A failure of a 3rd party initiated Forced authentication should not log out the user.

Acceptance Criteria:

1. A 3rd party service can request a forced authentication from Firefox Accounts
2. Firefox Accounts will perform a forced authentication independently of the calling application; it will use its own UI and login scheme.
3. A notification of a successful challenge will be provided to the calling application (if required)
4. In the case of a success the user will stay logged in to Firefox Accounts.
5. A notification of a failure will be provided to the calling application (if required)
6. In the case of a failure during a 3rd party initiated forced auth, the user should not be logged out of Firefox Accounts; however, the initiating action should not be allowed.
7. In the case of a Firefox Accounts initiated forced auth the user should be logged out after a failure (see: FxA45)
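The session rules in the acceptance criteria above, modeled as an added example that is not part of the original bug report and is not Firefox Accounts or Gaia code. Every name in it (`AccountSession`, `forceAuth`, `guardedAction`, the initiator constants) is hypothetical, and the `challenge` function stands in for the account service's own login UI.

```javascript
// Added illustration; every name here is hypothetical, not the FxA or Gaia API.
const THIRD_PARTY = 'third-party';
const FXA = 'fxa';

class AccountSession {
  constructor(user) {
    this.user = user;
    this.loggedIn = true;
  }

  // initiator: THIRD_PARTY or FXA. challenge: run by the account service
  // itself (its own UI); must return true for a correct credential.
  // onResult: optional callback for the calling application (criteria 3 and 5).
  forceAuth(initiator, challenge, onResult) {
    if (!this.loggedIn) throw new Error('no active session');
    let passed = false;
    try {
      passed = challenge(this.user) === true; // anything else fails closed
    } catch (e) {
      passed = false; // a cancelled dialog or an error counts as a failure
    }
    // Criterion 7: only a failed FxA-initiated challenge ends the session.
    if (!passed && initiator === FXA) this.loggedIn = false;
    if (onResult) onResult(passed);
    return passed;
  }
}

// Caller-side gate: the sensitive action runs only after a successful challenge.
function guardedAction(session, challenge, action) {
  const ok = session.forceAuth(THIRD_PARTY, challenge);
  return ok ? { allowed: true, result: action() } : { allowed: false };
}

// Constructed scenarios covering criteria 4, 6 and 7.
function demo() {
  const s = new AccountSession('user@example.com');
  const cancel = () => { throw new Error('dialog cancelled'); };
  const purchase = () => 'purchased';
  const denied = guardedAction(s, cancel, purchase);
  const afterDenied = s.loggedIn; // session survives a 3rd party failure
  const granted = guardedAction(s, () => true, purchase);
  const notes = [];
  s.forceAuth(FXA, () => false, (ok) => notes.push(ok));
  return { denied, afterDenied, granted, afterFxaFailure: s.loggedIn, notes };
}
```

The point to check in any real implementation is the same as in `guardedAction`: the action is denied on failure even though the session is left intact.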
Depends on: 938635
Jared, is there a way I can simulate a case where a 3rd party requests a forced authentication when I'm already logged in? Or should I talk to the Find my device devs?
Flags: needinfo?(6a68)
Whiteboard: [ucid:FxA5, 1.4:p2, ft:FirefoxAccounts] → [ucid:FxA5, 1.4:p2, ft:FirefoxAccounts][qa+]
Hmm, great question.

As part of bug 938635, ferjm added a "refresh authentication" button to the fxa test app. So, I think you should be able to switch to that app, trigger the force auth via that button, cancel out of the force auth dialog, and then verify that you haven't been logged out.
Flags: needinfo?(6a68)
Depends on: 996016
Depends on: 1000318
Depends on: 1000395
Hi Adam,
What would be the case for Firefox Account initiated force auth, as opposed to 3rd-party initiated force auth? I can see Marketplace initiating (to check before purchase) and FMD initiating (when asked to disable FMD), but I'm not sure when Firefox Account itself will initiate force auth. Could you provide an example use case, please?
Flags: needinfo?(arogers)
This would be for future use cases and would all have to do with account management. For example:

1) As a user I would like to change my password directly through the phone client for FxA.
2) As a user I would like to change my ID or add a new ID to my FxA.

These cases will be obviously difficult to test as the relying features are not available. I think it is OK to skip that AC for the time being.
Flags: needinfo?(arogers)
Manual Test cases are in MozTrap here:
https://moztrap.mozilla.org/manage/case/12933/
Whiteboard: [ucid:FxA5, 1.4:p2, ft:FirefoxAccounts][qa+] → [ucid:FxA5, 2.0:p2, ft:FirefoxAccounts][qa+]
Whiteboard: [ucid:FxA5, 2.0:p2, ft:FirefoxAccounts][qa+] → [ucid:FxA5, 2.0:p2, ft:FirefoxAccounts][qa+][dependency:Marketplace]
Flags: in-moztrap?
feature-b2g: --- → 2.0
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Flags: in-moztrap? → in-moztrap+