This repository has been archived by the owner on Apr 3, 2019. It is now read-only.
As part of our quest to simplify our OAuth infrastructure and remove BrowserID, let's move the OAuth /token endpoint over to the auth-server and allow it to be authenticated directly with a sessionToken. This will let clients that already hold a sessionToken grant themselves OAuth tokens directly, rather than having to indirect through a separate service with a BrowserID assertion.
This supports the Fennec -> Fenix migration flow (since Fenix can use the existing sessionToken from Fenix to mint new OAuth tokens for itself) as well as furthering broader architectural efforts to make OAuth the primary mechanism of authorizing things via FxA. Other potential consumers include Desktop when it grants itself tokens for accessing profile data, and Firefox for iOS when it grants itself tokens for syncing the Logins Rust component.
The new route should also support the existing authorization_code and refresh_token grant types, so that we can do interesting auth-server things with them (such as registering placeholder device records and sending emails, as described in #2880).
To support the Fennec -> Fenix migration, if this route is used to grant the app a token with "oldsync" scope, then it should ensure the app has a device record in a similar way to #2955. If the route is used to generate a refreshToken, that refreshToken should be added to the device record.
Blocks #2880; Requires #2962