If I am not wrong, the smart TV is riding on FxOS 2.5 train. If that's 
correct, the deadline is November. I don't think we can have any other thing 
than the current navigator.mozId without the password request for privileged 
apps. I just filed [1] for that BTW.

I agree that the appropriate next steps for FxA in FxOS are [2] (to get rid of 
the native flow) and [3] (to get rid of navigator.mozId). But I am afraid that 
it is not realistic to say that we can have that for 2.5. Especially with the 
lack of resources that we currently have.

I'll be happy to help integrating mozId into Pocket and helping to fix [1] if 
that's the final agreement.

Cheers,

/ Fernando

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1199585
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1198639
[3] http://www.w3.org/TR/credential-management/

> On Aug 28, 2015, at 7:03 AM, Ryan Kelly wrote:
> 
> On 28/08/2015 13:02, Shih-Chiang Chien wrote:
>> Currently the Firefox Account doesn't provide an integrated login
>> experience on Firefox OS. For example, users need to type their password
>> again to use the Pocket service even if they've already logged in to FxA in
>> the settings app.
>> 
>> On Firefox Desktop, the user can simply grant site permission on the fx
>> account login page when FxA is already logged in in the browser, without
>> typing the password again. I think this is done by using the
>> IdentityManager API [1].
> 
> No, it doesn't use the IdentityManager API.
> 
> The Pocket login flow is entirely web-based and performs an OAuth2 dance
> with https://accounts.firefox.com [1].
> 
> The reason this (usually) works seamlessly on Desktop, is that Desktop
> uses web content from accounts.firefox.com for logging in to sync.  So
> if you've logged into sync on Desktop, then you have cookies and session
> state on accounts.firefox.com, which it can use to log you in to Pocket
> without re-entering your password.
> 
> If Firefox OS moves to using web content for its login API [2] then it
> may get a similar experience without much extra work.
> 
>> I don't know why we didn't apply the same technology on Firefox OS in
>> the past, but it'll enable 3rd-party service on TV with better login
>> experience because typing is a painful task on TV. We can leverage
>> navigator.mozId with some adjustment of permission model of
>> "moz-firefox-accounts".
> 
> There are a couple of ways forward here.
> 
> If you just want to get something up and running quickly, then your
> privileged app could use navigator.mozId to drive the OAuth2 login dance
> with Pocket, essentially taking over the work done by
> https://accounts.firefox.com in the desktop integration.  I'm happy to
> suggest more details here if you want to explore it, but I suspect it
> would be quite fragile.
> 
> A cleaner approach would be to invest some time in designing and
> building a replacement for navigator.mozId that supports OAuth2, as
> hinted at in [3].  The navigator.credentials API [4] has been suggested
> as a potential candidate for this.  IIUC this would be a large amount of
> work.
> 
> Another option would be to get Pocket to add support for logging in via
> FxA BrowserID assertions, rather than OAuth2, so that you could use
> navigator.mozId directly.  I think this is what the original email
> subject line of this thread is getting at, but I'm not a fan of this
> option because (1) it's partner work over which we don't have much
> control, and (2) we're hoping to deprecate BrowserID assertions entirely
> from Firefox Accounts and use OAuth2 exclusively in future.
> 
> 
> Cheers,
> 
>   Ryan
> 
> 
> [1]
> https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction#Login_with_the_FxA_OAuth_HTTP_API
> 
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1198639
> 
> [3] https://mail.mozilla.org/pipermail/dev-fxacct/2015-August/001698.html
> 
> [4] http://www.w3.org/TR/credential-management/
> 
> 
>> On Thu, Aug 27, 2015 at 7:27 PM, Tommy Kuo wrote:
>> 
>>    Add Evelyn Huang and Shih-Chiang Chien.
>> 
>>    -- 
>> 
>>    Tommy Kuo / Software Engineer
>> 
>>    Mozilla Taiwan
>> 
>> 
>>    On August 25, 2015 at 21:35:26, Fernando Moreno wrote:
>> 
>>>    Hello,
>>> 
>>>    On Tue, Aug 25, 2015 at 7:38 AM, Ryan Kelly wrote:
>>> 
>>>        On 21/08/2015 17:30, Tommy Kuo wrote:
>>>>> Do you want to display the pocket website, make calls to the pocket API,
>>>>> or both? Will you be running from a privileged system app or an
>>>>> installable webapp?
>>>> 
>>>> We want to use the Pocket API only in a privileged app. We’ll integrate
>>>> Pocket service into our TV.
>>>> 
>>>>> I'm not very familiar with the mozId API. Can you use it to generate
>>>>> assertions for any audience? From what I can see in [3] it's only
>>>>> possible to generate assertions for your app origin.
>>>> 
>>>> I’m trying to decode the assertion generated from FindMyDevice. I found
>>>> audience is "https://find.firefox.com", so I think we can generate any
>>>> audience in the assertion.
>>>> 
>>>> If we can use the native mozId API, it is convenient to users that they
>>>> don’t need to enter their username/password again. And we can exchange
>>>> the assertion for a FxA OAuth token or a Pocket access token. Do you
>>>> know someone who is familiar with mozId?
>>> 
>>>        Casting a wide net here...
>>> 
>>>        IIRC Jared Hirsch (cc'd) did some work on it a while ago, but
>>>        the code hasn't been very active for some time.  Fernando
>>>        Moreno and Michiel de Jong (also cc'd) are working on some
>>>        Firefox Accounts integrations in FxOS so they might be able to
>>>        offer some insight.
>>> 
>>>        Jared, Fernando, Michiel, there's extra context below, but the
>>>        broad ask here is that Tommy's team would like to connect to
>>>        Pocket from Firefox OS, and Pocket authenticates using the FxA
>>>        OAuth API.
>>> 
>>>        Do you know of any existing code in Firefox OS that's using
>>>        the FxA OAuth APIs?
>>> 
>>> 
>>>    I played with [1] a few months ago while working on a prototype
>>>    for the New Gaia Architecture project [2], but AFAIK there isn't
>>>    any other existing FxOS code using the FxA OAuth APIs.
>>> 
>>> 
>>>        If not, a more specific question that would let us work
>>>        towards that is: can a privileged app use the mozId API to
>>>        produce a FxA assertion for any target audience?
>>> 
>>> 
>>>    Yes, you should be able to specify any target audience with some
>>>    restrictions. Check [3]. I think in your case your Pocket app will
>>>    be shipped as a certified app, so you should be able to use mozId
>>>    the same way FindMyDevice does.
>>> 
>>>    Cheers,
>>> 
>>>    / Fernando
>>> 
>>>    [1] https://github.com/mozilla/fxa-relier-client
>>>    [2] https://github.com/fxos/contacts
>>>    [3] https://mxr.mozilla.org/mozilla-central/source/dom/identity/nsDOMIdentity.js#617
>> 
>> 

_______________________________________________
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct
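
The audience question raised in this thread, as an added example (not code from the thread or from any Mozilla project): a relying party decoding a BrowserID bundled assertion and rejecting one that was minted for a different audience or has expired. The `certificate~assertion` layout, the millisecond `exp` value, the helper names and the sample token are assumptions constructed for illustration, and signatures are not verified here.

```javascript
// Decode one base64url segment of a JWS into a JSON object.
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Assumed bundle layout: "<cert JWS>[~<cert JWS>...]~<assertion JWS>".
function parseBundle(bundle) {
  const parts = bundle.split('~');
  if (parts.length < 2) throw new Error('expected certificate~assertion');
  const payloadOf = (jws) => {
    const segs = jws.split('.');
    if (segs.length !== 3) throw new Error('malformed JWS');
    return decodeSegment(segs[1]);
  };
  return {
    certs: parts.slice(0, -1).map(payloadOf),
    assertion: payloadOf(parts[parts.length - 1]),
  };
}

// Relying-party check: the assertion must name *this* service as audience
// and must not be expired. Signature verification is a separate step.
function checkAudience(bundle, expectedAudience, nowMs) {
  const { certs, assertion } = parseBundle(bundle);
  if (assertion.aud !== expectedAudience) {
    return { ok: false, reason: 'audience mismatch', aud: assertion.aud };
  }
  if (typeof assertion.exp !== 'number' || assertion.exp <= nowMs) {
    return { ok: false, reason: 'expired' };
  }
  const userCert = certs[certs.length - 1];
  return { ok: true, issuer: userCert.iss, principal: userCert.principal };
}

// Constructed sample (unsigned placeholder signature, hypothetical issuer).
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const jws = (payload) => [enc({ alg: 'RS256' }), enc(payload), 'c2ln'].join('.');
const SAMPLE =
  jws({ iss: 'issuer.example', exp: 2000, principal: { email: 'user@example.invalid' } }) +
  '~' + jws({ aud: 'https://find.firefox.com', exp: 2000 });

console.log(checkAudience(SAMPLE, 'https://find.firefox.com', 1000));
console.log(checkAudience(SAMPLE, 'https://pocket.example', 1000));
```
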
