Hi all. This is for Ryan Kelly (or anyone) to check what we’d like to do for payments to see if it’s sane. We started talking about it before but this email adds a few more details.
The goal: provide generic payment processing via Firefox Accounts so that any Mozilla site can sell premium services. The user should only have to log in *once* to purchase the product.

Abstract user flow:
- User decides to purchase 20GB more of Mozilla Backup storage for $9.99 / month (just an example)
- Click the purchase button
- Sign in with Firefox Account
- Enter credit card information
- Enjoy enhanced storage

Implementation proposal:
- On backup.firefox.com <http://mozillabackup.com/>, the click of a purchase button begins an OAuth flow by requesting a code->token with the scope ‘profile payments’
- backup.firefox.com <http://mozillabackup.com/> opens an iframe (or redirect) to payments.mozilla.com and passes the OAuth token as a GET parameter
- payments.mozilla.com verifies the token on the server and checks that it has the *payments* scope
- payment processing proceeds…

Does that sound sane?

This makes token sharing sound scary: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction#Security_considerations

-Kumar
_______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
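The server-side verification step in the proposal above (payments.mozilla.com checks the token and its scope), as an added example that is not from the thread or from Firefox Accounts itself. It assumes an in-memory token store standing in for the FxA OAuth server's verify call; the function and field names are hypothetical. It also reports any scopes the shared token carries beyond `payments`, which is the least-privilege concern behind the "token sharing" link: whoever holds the token gets every scope on it, not just the one the payment site needs.

```python
import secrets
import time

# Constructed stand-in for the FxA OAuth server's token table (assumption: the
# real server exposes an equivalent server-side verify endpoint).
TOKENS = {}


def issue_token(client_id, scope, ttl=3600):
    """Mint a bearer token for `client_id` carrying a space-separated scope string."""
    token = secrets.token_hex(32)
    TOKENS[token] = {
        "client_id": client_id,
        "scope": set(scope.split()),
        "exp": time.time() + ttl,
    }
    return token


def verify_token(token):
    """Return the token record if it exists and is unexpired, else None."""
    info = TOKENS.get(token)
    if info is None or time.time() >= info["exp"]:
        return None
    return info


def payments_authorize(token, required_scope="payments"):
    """Check payments.mozilla.com would run server-side before processing a purchase.

    Returns a dict: ok, reason, the relying party the token was issued to, and
    the extra scopes the token grants beyond the one payments actually needs.
    """
    info = verify_token(token)
    if info is None:
        return {"ok": False, "reason": "invalid or expired token"}
    if required_scope not in info["scope"]:
        return {"ok": False, "reason": "token lacks scope %r" % required_scope}
    # Scopes beyond `payments` are over-privilege handed to whoever holds the token.
    extra = sorted(info["scope"] - {required_scope})
    return {"ok": True, "reason": "", "client_id": info["client_id"],
            "extra_scopes": extra}


if __name__ == "__main__":
    t = issue_token("backup.firefox.com", "profile payments")
    print(payments_authorize(t))
```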

