On 6/05/2014 6:58 AM, Chris Karlof wrote:
> On May 5, 2014, at 3:26 AM, a. <[email protected]> wrote:
>> Now that comes with the downside that I can't use some features of FXA.
>> These are few at the moment (most notably the marketplace), but it seems
>> to me that features like single-sign-on (including third-party websites)
>> is planned/swirling around as an idea (see:
>> https://wiki.mozilla.org/Identity/Firefox-Accounts#Can_I_use_my_Firefox_Account_to_log_in_to_non-Mozilla_services.3F)
It sounds like the short story is: you don't have to worry about that on Desktop Firefox for a while; using self-hosted FxA won't lock you out of anything else. Chris, can you clarify whether Android would behave any differently to Desktop in this scenario?

The rest of this email is a bit of a riff on what might happen after the "for a while" has expired. Folks who don't want to go there can safely stop reading at this point...

> As far as Marketplace goes, logging into Marketplace via Desktop Firefox will
> happen on the Web, which will be independent from your logged-in state for
> Sync

Tangent: we should do a better job of clarifying this story and of telling it outside of the FxA/Marketplace group. There have been suggestions that the single-signin here would be more automatic, such that being logged into your FxA on Firefox will automatically log you into Marketplace with that browser-based identity. Example:

https://bugzilla.mozilla.org/show_bug.cgi?id=989756#c12

Where Richard asks:

"""
Does one host only a Sync server, or a whole private Accounts instance?
[...]
If the latter, how can you also use FxA-powered services like Marketplace, given that the client only supports one Firefox Account?
"""

> There is an issue that you can only be logged into the desktop as one user
> from one account provider.
> This could become an issue when we start attaching more services to your
> Desktop Firefox instance itself.

Your careful qualification to "Desktop Firefox" is noted ;-)

As I understand it the FxA integration for FirefoxOS goes a lot deeper, for (what I hope are) obvious user-experience reasons. In any case, these issues will hit first and hardest on mobile platforms with other services that people might want to self-host, like "Find My Device":

https://wiki.mozilla.org/Services/WheresMyFox

We're a while away from that being a pressing issue, but it would be nice to enable e.g. self-hosting find-my-device in the long term.
>> I want both, a self-hosted auth server and all the FXA features. And one
>> way to achieve that would be that my self-hosted auth server could
>> communicate with the "main" auth server at mozilla. A use-case would be
>> that a user starts firefox, automatically logs into his self-hosted
>> fxa-auth-server, then goes to firefox marketplace, marketplace asks for
>> credentials, firefox forwards to the auth server, the local auth server
>> accepts request, queries the main auth server, that one gives an okay,
>> and firefox successfully lets the user login (automagically).

We're in a nice place for this sort of thing due to our use of BrowserID as the underlying authentication technology, which was designed for decentralized operation. The asking back-and-forth between servers described above wouldn't have to happen; it could all be mediated by the client using signed auth tokens. One possibility could be something like:

* authenticate to local auth-server and get a BrowserID token for [email protected]
* use that to authenticate to mozilla auth-server and get a BrowserID token for [email protected]
* use that to authenticate to marketplace or whatever

That's all hypothetical though (and FxA doesn't currently *accept* BrowserID tokens for authentication, it only hands them out for downstream consumers). The real trick is knowing what accounts to use where, and teaching Firefox to manage all this state in a sensible manner. I've no idea what that would even look like or how you could present it to the user without making a horrible confusing mess out of things.

>> Now apart from the very neat integration I can imagine by my use-case,
>> something like this could very well [...] lead to a horizontal authentication
>> scheme with an integrated chain-of-trust. Which could or could not
>> be desirable.
It's desirable; there are a lot of folks here who want that, and tried to build such an auth system independently of Firefox and Sync:

https://login.persona.org/about

Sadly, it wasn't a good fit for the browser-attached-service use-case, so now we have the much more centralized system of Firefox Accounts. I'm hopeful that, with some concrete use-cases such as self-hosting in hand, we can slowly work back towards a similarly distributed auth system. But it's a long and dimly-lit road.

Alex, since this is obviously something you care about, I hope you'll stick around and help us figure it out as we go :-)

Cheers,

Ryan

_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
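The three-bullet sketch in Ryan's reply (the self-hosted auth-server certifies the user, the central server accepts that certificate and re-certifies the same user under its own domain, the marketplace accepts only the central certificate) can be made concrete as a BrowserID-style chain: an identity provider signs a certificate binding the user's public key to an email, and the user signs a short-lived assertion naming one audience. The Go program below is an added example written for this page, not code from the thread or from the Firefox Accounts project. It uses Ed25519 over JSON rather than BrowserID's own JWT-based certificate format, and the domains `selfhosted.example`, `accounts.example` and `marketplace.example`, the account name `alex`, the `Exchange` step and the trust relationships are all constructed assumptions. It also shows the checks a "chain-of-trust" like this hinges on: no server ever calls another server, each assertion is bound to a single audience so it cannot be replayed, the issuer must own the email's domain, and the marketplace rejects the self-hosted certificate when it is presented directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Certificate binds a user's public key to an email and is signed by the issuing IdP (the thread's
// "auth-server"); Assertion is signed by the user's key for one relying party. Sig is cleared before
// marshalling so each signature covers the rest of its struct.
type Certificate struct {
	Email  string            `json:"email"`
	PubKey ed25519.PublicKey `json:"pubkey"`
	Issuer string            `json:"issuer"` // domain of the signing IdP
	Exp    int64             `json:"exp"`    // unix seconds
	Sig    []byte            `json:"sig,omitempty"`
}
type Assertion struct {
	Audience string `json:"aud"`
	Exp      int64  `json:"exp"`
	Sig      []byte `json:"sig,omitempty"`
}
func certBytes(c Certificate) []byte { c.Sig = nil; b, _ := json.Marshal(c); return b }
func assnBytes(a Assertion) []byte  { a.Sig = nil; b, _ := json.Marshal(a); return b }

// IdP is a hypothetical identity provider: a key for its domain plus the issuers it trusts.
type IdP struct {
	Domain  string
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Trusted map[string]ed25519.PublicKey // issuer domain -> key; accepted in place of a password
}

func NewIdP(domain string) *IdP {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &IdP{Domain: domain, priv: priv, Pub: pub, Trusted: map[string]ed25519.PublicKey{}}
}

// Certify issues a certificate for userPub as local@Domain.
func (p *IdP) Certify(local string, userPub ed25519.PublicKey, ttl time.Duration) Certificate {
	c := Certificate{Email: local + "@" + p.Domain, PubKey: userPub, Issuer: p.Domain, Exp: time.Now().Add(ttl).Unix()}
	c.Sig = ed25519.Sign(p.priv, certBytes(c))
	return c
}

// Verify does what a relying party must: trusted issuer that owns the email's domain,
// both signatures valid, nothing expired, and an audience that is this party (no replay).
func Verify(c Certificate, a Assertion, audience string, trusted map[string]ed25519.PublicKey, now time.Time) (string, error) {
	ipk, ok := trusted[c.Issuer]
	if at := strings.LastIndex(c.Email, "@"); !ok || at < 0 || c.Email[at+1:] != c.Issuer {
		return "", fmt.Errorf("issuer %q is untrusted or does not own %q", c.Issuer, c.Email)
	}
	if !ed25519.Verify(ipk, certBytes(c), c.Sig) || now.Unix() > c.Exp {
		return "", fmt.Errorf("certificate for %q is invalid or expired", c.Email)
	}
	if len(c.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(c.PubKey, assnBytes(a), a.Sig) || now.Unix() > a.Exp {
		return "", fmt.Errorf("assertion for %q is invalid or expired", a.Audience)
	}
	if a.Audience != audience {
		return "", fmt.Errorf("assertion audience %q is not %q", a.Audience, audience)
	}
	return c.Email, nil
}

// Exchange is step 2 of the sketch (a constructed step, not an FxA API): the central IdP accepts an assertion
// made out to itself under a trusted issuer's certificate and certifies the same user key under its own domain,
// without ever calling the self-hosted server. Which central account that identity maps to is the thread's
// open "real trick", so the caller simply names it.
func (p *IdP) Exchange(c Certificate, a Assertion, local string, ttl time.Duration) (Certificate, error) {
	if _, err := Verify(c, a, p.Domain, p.Trusted, time.Now()); err != nil {
		return Certificate{}, err
	}
	return p.Certify(local, c.PubKey, ttl), nil
}

// Assert is the client side (state Firefox would have to manage): sign for one audience.
func Assert(userPriv ed25519.PrivateKey, audience string, ttl time.Duration) Assertion {
	a := Assertion{Audience: audience, Exp: time.Now().Add(ttl).Unix()}
	a.Sig = ed25519.Sign(userPriv, assnBytes(a))
	return a
}

// RunChain walks the three bullets with constructed domains and returns the email the marketplace finally
// accepts, plus the error it gives when the step-1 certificate is presented to it directly.
func RunChain() (email string, shortcut error, err error) {
	local, central := NewIdP("selfhosted.example"), NewIdP("accounts.example")
	central.Trusted[local.Domain] = local.Pub                            // central chose to trust this IdP
	market := map[string]ed25519.PublicKey{central.Domain: central.Pub} // marketplace trusts only central
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	const aud = "marketplace.example"
	localCert := local.Certify("alex", userPub, time.Hour) // step 1: log in to the self-hosted server
	_, shortcut = Verify(localCert, Assert(userPriv, aud, time.Minute), aud, market, time.Now())
	centralCert, err := central.Exchange(localCert, Assert(userPriv, central.Domain, time.Minute), "alex", time.Hour) // step 2
	if err == nil { // step 3: the marketplace only ever sees the central certificate
		email, err = Verify(centralCert, Assert(userPriv, aud, time.Minute), aud, market, time.Now())
	}
	return email, shortcut, err
}
```

`RunChain` returns `alex@accounts.example` for the chained login and a non-nil `shortcut` error, because the marketplace's trust map does not contain the self-hosted issuer. The audience check in `Verify` is what keeps the assertion handed to `accounts.example` in step 2 from being replayed at the marketplace in step 3, and the domain-ownership check keeps a trusted issuer from certifying emails outside its own domain.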

