Realms #3854
Realms #3854
Conversation
This adds realm support to Persona, specifically using the watch() api.
Realms allow a group of sites to state they are connected as part of a
group,
and if a user logs into 1 site of the group, or realm, the user should
be logged
into all the sites in realm.
This can be done by passing an extra parameter to watch():
navigator.id.watch({
realm: 'http://realm.123done.org'
});
The second part of the puzzle is that the watched realm must publish a
well-known file describing everyone that is part of the realm.
GET http://realm.123done.org/.well-known/browserid-realm
{
realm: ['http://foo.123done.org', 'http://bar.123done.org']
}
If the site's origin is found in the list of the realms found at the
well-known file,
then Persona will believe it is part of the realm. If a user had logged
in to
foo.123done.org, and then visited bar.123done.org, and that site also
watches
the same realm, the user will be automatically logged in upon page load.
| const allowed_kpi = /^https:\/\/[a-zA-Z0-9\.\-_]+\/wsapi\/interaction_data(\?.*)?$/; | ||
|
|
||
| var server = http.createServer(function (req, res) { | ||
| var url = req.url; | ||
| if (!allowed.test(url) && !allowed_kpi.test(url) ) { | ||
| if (!allowed.test(url) && !allowed_realm.test(url) && !allowed_kpi.test(url) ) { |
There was a problem hiding this comment.
will this also require changes to our production proxy?
There was a problem hiding this comment.
@shane-tomlinson Will this change result in persona initiating outbound connections out to the internet to new destinations (destinations other than sites' well-known/.browserid files and identity bridge endpoints [yahoo, gmail, etc])?
There was a problem hiding this comment.
@gene1wood - indeed, the new outbound request will search for realm files at <rp_location>/.well-known/browserid-realm
There was a problem hiding this comment.
Proxy server support added here mozilla/identity-ops@e6e2931
When QA wants to see this code in stage they'll need to request that new proxy server AMIs be built with this new code in the process. (cc @jrgm)
to use a realm, pass a query parameter Example: localhost:10001/?realm=http://localhost:10001
|
@ozten I can, but I dislike it. hacks away |
|
You can use something like stunnel[1] to get https working with the local environment. |
|
Word. I also dislike SHIMMED_PRIMARIES ( I think a config file or something would be nicer), but something like it. |
|
Yea, I've just now make a |
|
New commit requires that the browserid-realm file be served over HTTPS. |
|
|
||
| // Support for "shimmed realms" for local development. | ||
| // CSV values: | ||
| // <realm>|<browserid-realm filepath>, |
There was a problem hiding this comment.
This took me a while to figure out how to do from bash command line:
SHIMMED_REALMS=127.0.0.1\|example/rp/.well-known/browserid-realm npm startCan you add a comment about how to make it so? This info should probably go into the front end wiki as well.
|
While testing this, I came across a problem: I can't log out! STR
|
|
@shane-tomlinson ah, I just found out why. The communication_iframe doesn't call |
- fixes navigator.id.logout() to logout of realm - tests for storage.realmInfo - code style change for lib/realm - comments - realm no longer can include port - consolidating fixupIssuer and fixupRealm
|
@shane-tomlinson Newest commit tries to address your concerns. Please berate if I forgot any. |
|
@seanmonstar anything I can do to push this thing along? |
request does tunneling with proxies, and our proxies don't support tunneling. until request provides an option to disable tunnels, we'll have to use our own http code
|
There are some interesting issues with b2g. (What else is new?) I think we're going to need some platform code to make this work. Basically, the removal of items from localStorage fires events that we can catch on normal web sites, but on b2g, data siloing and the discarding of the persona iframe when RPs are not using it (a we-will-kill-you-if-you-do-not-do-this requirement from platform) conspire to make it impossible for other RPs to hear about the logout unless we write some native code to fire I've filed this bug for FirefoxOS: https://bugzilla.mozilla.org/show_bug.cgi?id=919157 @shane-tomlinson maybe we can pow-wow quickly about this for a sanity check? Make sure I've not got this completely wrong? |
with multiple tabs open on sites that all belong to a realm, when logging into one, all the others should also be logged in
|
wild question. If we didn't have to worry about logout events, how much simpler would this code be? In that case, we would simply flip the logged-on bit at login time, and users would logout of each realm independently... right? |
|
See my nay-saying re: logout events in #3915 (comment) :) |
|
@seanmonstar I think, as far as automated tests go, having 2-3 long-lived subdomains of 123done is perfectly fine. They're distinct from the perspective of the same-origin policy, and that's the simplest solution I can think of. I'd check that box and get on with the other 5. Do you need help with writing automated tests? |
|
Closing because upcoming API changes (see #3961) remove realms support. @seanmonstar please reopen if I'm off base. |
This adds realm support to Persona, specifically using the watch() api.
Realms allow a group of sites to state they are connected as part of a group, and if a user logs into 1 site of the group, or realm, the user should be logged into all the sites in realm.
This can be done by passing an extra parameter to watch():
The second part of the puzzle is that the watched realm must publish a well-known file describing everyone that is part of the realm.
If the site's origin is found in the list of the realms found at the well-known file, then Persona will believe it is part of the realm. If a user had logged in to
foo.123done.org, and then visitedbar.123done.org, and that site also watches the same realm, the user will be automatically logged in upon page load.fixes #2555
Blockers to merging