Hello! I'm studying the auth/sync flow and I have a problem with getting the correct x-keyid value to make a GET request to https://token.services.mozilla.com/1.0/sync/1.5. During the authentication flow via api.accounts.firefox.com I got kB, keyRotationSecret (b'0x00'*32), keyRotationTimestamp, identifier (b"https://identity.mozilla.com/apps/oldsync") and the user uid (from https://api.accounts.firefox.com/v1/account/login?keys=true). Then I'm trying to get the kid:

    import base64
    from binascii import unhexlify

    tmp = derive_key(kB + keyRotationSecret, b"identity.mozilla.com/picl/v1/scoped_key\n" + identifier, 48, unhexlify(uid))
    kid = str(keyRotationTimestamp) + '-' + base64.urlsafe_b64encode(tmp[:16]).decode('utf-8').rstrip("=")

where derive_key is the following function:

    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.kdf.hkdf import HKDF

    def derive_key(secret, info, size, salt):
        # HKDF-SHA256 over `secret`, returning `size` bytes
        kdf = HKDF(
            algorithm=hashes.SHA256(),
            length=size,
            salt=salt,
            info=info
        )
        return kdf.derive(secret)

So, I'm getting a value of kid, but a GET request to https://token.services.mozilla.com/1.0/sync/1.5 gives me an error message for a wrong x-keyid. I also looked at the traffic in Fiddler, and the x-keyid of the original flow (from the browser with the same credentials) differs from the kid I had generated. I also had a look at the source code of Firefox 85.0 (FXAccountsKeys.jsm) and noticed that the first part of the kid there (before the first '-') has length 10, while in the original traffic from Firefox that I see in Fiddler the first part has length 13. Can you explain to me what's wrong with my kid generation? And how many characters should there be before the first '-' symbol in the kid?

_______________________________________________
Sync-dev mailing list
Sync-dev@mozilla.org
https://mail.mozilla.org/listinfo/sync-dev
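
An added example (not part of the original post and not Firefox's code) for localising the mismatch described above: it rebuilds the kid the way the post computes it, using a stdlib-only HKDF, then splits a generated and an observed kid into timestamp prefix and 16-byte fingerprint and reports which part differs. All input values are constructed, the helper names are hypothetical, and reading a 10-digit prefix as epoch seconds and a 13-digit prefix as epoch milliseconds is an assumption.

```python
import base64
import hashlib
import hmac

def hkdf_sha256(secret, salt, info, size):
    """RFC 5869 HKDF-SHA256 (extract, then expand) using only the stdlib."""
    prk = hmac.new(salt or b"\x00" * 32, secret, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-size // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:size]

def build_kid(timestamp, key_material):
    """'<timestamp>-<unpadded base64url of the first 16 bytes>', as in the post."""
    tail = base64.urlsafe_b64encode(key_material[:16]).decode("ascii").rstrip("=")
    return f"{timestamp}-{tail}"

def parse_kid(kid):
    """Return (timestamp, unit guess, fingerprint bytes) for one kid string."""
    # Split on the FIRST '-' only: the base64url alphabet itself contains '-'.
    prefix, _, tail = kid.partition("-")
    if not prefix.isdigit() or not tail:
        raise ValueError("expected '<digits>-<base64url>'")
    # Assumption: 10 digits is epoch seconds, 13 digits is epoch milliseconds.
    unit = {10: "seconds", 13: "milliseconds"}.get(len(prefix), "unknown")
    raw = base64.urlsafe_b64decode(tail + "=" * (-len(tail) % 4))
    return int(prefix), unit, raw

def diff_kids(mine, observed):
    """List the components in which a generated kid differs from an observed one."""
    (t1, u1, f1), (t2, u2, f2) = parse_kid(mine), parse_kid(observed)
    diffs = []
    if u1 != u2:
        diffs.append("timestamp unit")
    elif t1 != t2:
        diffs.append("timestamp value")
    if not hmac.compare_digest(f1, f2):
        diffs.append("key fingerprint")
    return diffs

# Constructed inputs only; none of these values come from a real account.
K_B = bytes(range(32))
UID = bytes.fromhex("00112233445566778899aabbccddeeff")
INFO = b"identity.mozilla.com/picl/v1/scoped_key\n" + b"https://identity.mozilla.com/apps/oldsync"
MINE = build_kid(1600000000000, hkdf_sha256(K_B + b"\x00" * 32, UID, INFO, 48))
OBSERVED = build_kid(1600000000, b"\xfb" * 16)  # stands in for a captured x-keyid
if __name__ == "__main__":
    print(MINE, OBSERVED, diff_kids(MINE, OBSERVED))
```

Comparing the decoded fingerprint bytes separately from the prefix shows whether a rejected kid is off in its timestamp, in the key-derived part, or in both.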