On 25/08/2015 15:53, Samuel Penrose wrote:
> The plan as of last fall was to move aggressively towards OAuth on
> device.

Thanks Sam! For the record, I like this plan a *lot*.

> OAuth support got better last summer. The problem is that
> logging in on device happens via mozId, and someone needs to replace
> that with OAuth (or integrate, though that is much kludgier and maybe
> not much easier).
>
> I would talk to Fernando Jimenez or Francisco Jordano about getting FxOS
> resources for that work.

We've had some parallel discussions about the possibility of FxOS moving
from native UI to web-content for the login flow, so perhaps we can
include an OAuth refactor in that work as well.


  Ryan

> On Mon, Aug 24, 2015 at 10:38 PM, Ryan Kelly wrote:
>
> > On 21/08/2015 17:30, Tommy Kuo wrote:
> > > > Do you want to display the pocket website, make calls to the
> > > > pocket API, or both? Will you be running from a privileged system
> > > > app or an installable webapp?
> > >
> > > We want to use the Pocket API only in a privileged app. We'll
> > > integrate Pocket service into our TV.
> > >
> > > > I'm not very familiar with the mozId API. Can you use it to
> > > > generate assertions for any audience? From what I can see in [3]
> > > > it's only possible to generate assertions for your app origin.
> > >
> > > I'm trying to decode the assertion generated from FindMyDevice. I
> > > found audience is "https://find.firefox.com", so I think we can
> > > generate any audience in the assertion.
> > >
> > > If we can use the native mozId API, it is convenient to users that
> > > they don't need to enter their username/password again. And we can
> > > exchange the assertion for a FxA OAuth token or a Pocket access
> > > token. Do you know someone who is familiar with mozId?
> >
> > Casting a wide net here...
> >
> > IIRC Jared Hirsch (cc'd) did some work on it a while ago, but the code
> > hasn't been very active for some time. Fernando Moreno and Michiel de
> > Jong (also cc'd) are working on some Firefox Accounts integrations in
> > FxOS so they might be able to offer some insight.
> >
> > Jared, Fernando, Michiel, there's extra context below, but the broad
> > ask here is that Tommy's team would like to connect to Pocket from
> > Firefox OS, and Pocket authenticates using the FxA OAuth API.
> >
> > Do you know of any existing code in Firefox OS that's using the FxA
> > OAuth APIs?
> >
> > If not, a more specific question that would let us work towards that
> > is: can a privileged app use the mozId API to produce a FxA assertion
> > for any target audience?
> >
> > Thanks for any insight you may be able to provide,
> >
> >
> >   Ryan
> >
> >
> > > On August 19, 2015 at 20:45:39, Ryan Kelly wrote:
> > >
> > > > On 19/08/2015 01:36, Tommy Kuo wrote:
> > > > > We want to make Pocket able to use the Firefox account already
> > > > > logged in to Firefox OS (mozId). We hope that users don't need
> > > > > to type their username/password again if they are already
> > > > > logged in. In other words, we want to use a logged in Firefox
> > > > > account to get an access token from Pocket.
> > > >
> > > > This could be tricky, but I'm happy to help work through the
> > > > details and see if we can find a way forward.
> > > >
> > > > Do you want to display the pocket website, make calls to the
> > > > pocket API, or both? Will you be running from a privileged system
> > > > app or an installable webapp?
> > > >
> > > > > Does Pocket need to setup something like browserid-verifier[1]
> > > > > in their server? And I have looked up some information about
> > > > > the "assertion."
> > > >
> > > > Pocket authenticates Firefox Accounts users via our OAuth API [1]
> > > > rather than using assertions. We're trying to discourage the use
> > > > of assertions in new applications, and limit their existing use
> > > > to tightly integrated device-specific apps like Sync and
> > > > FindMyDevice.
> > > >
> > > > They also use their own flavor of OAuth to authenticate to their
> > > > backend API [2].
> > > >
> > > > From your description, what I think you'd have to do is something
> > > > like the following:
> > > >
> > > >   * Use the native mozId API to generate an assertion for the user
> > > >   * Exchange that assertion for a Firefox Accounts OAuth token
> > > >   * Exchange that token for a Pocket OAuth token
> > > >   * use that token to access the Pocket API
> > > >
> > > > That's quite a few moving parts.
> > > >
> > > > I'm not very familiar with the mozId API. Can you use it to
> > > > generate assertions for any audience? From what I can see in [3]
> > > > it's only possible to generate assertions for your app origin.
> > > >
> > > > I think I answered your question with more questions, but this is
> > > > an interesting use-case so I hope we can drill down and figure
> > > > out the details.
> > > >
> > > >
> > > >   Cheers,
> > > >
> > > >     Ryan
> > > >
> > > >
> > > > [1] https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction#Login_with_the_FxA_OAuth_HTTP_API
> > > >
> > > > [2] http://getpocket.com/developer/docs/authentication
> > > >
> > > > [3] https://developer.mozilla.org/en-US/docs/Firefox-Accounts-on-FirefoxOS

_______________________________________________
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct

