Send "resume" parameter to supported auth server calls #1623
Comments
Landed in auth server in train-21: mozilla/fxa-auth-server@36f9e28 |
This is a *** feature in train-22. If the user creates an account, opens her verification link in a different browser, and then continues in that browser to the relier, our return request will lack the IMO, it's our responsibility to pass the state back regardless, and the relier's responsibility to respond to the different browser case. Also, the relier might be using the state for other reasons, and it's a flaw that we're not giving it back to them in this case. The auth server has added a FWIW, the reason this is important is to help make Marketplace's migration work when the user chooses to use a different email address for her FxA and then verifies and continues in a second browser. Corner case for sure, but as @ryanfeeley says, we need to make the Web less excruciatingly painful. |
That @ryanfeeley guy should work in marketing. Or at least get that printed on his business cards. |
I made it my Twitter tag line. |
* Remove the singleton FxaClient created in views/base.js, instead create one in app-start and pass it via the router to all objects that need it. * Update assertion.js to use a passed in fxaClient instead of creating its own. * Update the tests that need to be updated. Part of issue #1623
* Remove the singleton FxaClient created in views/base.js, instead create one in app-start and pass it via the router to all objects that need it. * Update assertion.js to use a passed in fxaClient instead of creating its own. * Update the tests that need to be updated. Part of issue #1623
* Remove the singleton FxaClient created in views/base.js, instead create one in app-start and pass it via the router to all objects that need it. * Update assertion.js to use a passed in fxaClient instead of creating its own. * Update the tests that need to be updated. Part of issue #1623
* Remove the singleton FxaClient created in views/base.js, instead create one in app-start and pass it via the router to all objects that need it. * Update assertion.js to use a passed in fxaClient instead of creating its own. * Update the tests that need to be updated. Part of issue #1623
* `resume` is imported from the URL and stored in the Relier. * fxa-client sends the token to the auth server in `signUp`, `signUpResend`, `passwordReset`, and `passwordResetResend` issue #1623
@ckarlof - once the verification email is opened and the user is back at the content server, what responsibilities does the content server have? Does it need to decode the resume JWT, pull out the encoded fields, and redirect? A question that should precede the following - how is the resume field generated? Does the RP take care of that, our client library, or do we do it in the Relier? |
* `resume` is imported from the URL and stored in the Relier. * fxa-client sends the token to the auth server in `signUp`, `signUpResend`, `passwordReset`, and `passwordResetResend` issue #1623
We discussed in the standup, but |
* `resume` is imported from the URL and stored in the Relier. * fxa-client sends the token to the auth server in `signUp`, `signUpResend`, `passwordReset`, and `passwordResetResend` issue #1623
* `resume` is imported from the URL and stored in the Relier. * fxa-client sends the token to the auth server in `signUp`, `signUpResend`, `passwordReset`, and `passwordResetResend` issue #1623
@ckarlof - I'm going to need a bit of hand holding and wanna get some clarity before you head out on vacation.
I am looking at how to create a JWT over on the jwcrypto docs. I can create a JWS as in the example: jwcrypto.sign(payload, keypair.secretKey, function(err, jws) {
// error in err?
// serialize it
console.log(jws.toString());
}); I can pass that jws to the auth server as the resume parameter. In the verification code, I can decode that jws using
To do that, I need the public key from the original keypair. If I create a key pair for the signing, I can store those in localStorage, and decode the jws - in the same browser. This doesn't really help the case where the user verifies in a second browser, unless the client can fetch the public key for the user from the server? On a second browser, I could manually decode the jws and not verify, but that doesn't seem like the right thing to do. |
Crap @shane-tomlinson, I'm dumb. I didn't mean JWT. I meant "web safe Base64 encoded JSON", e.g.,
It doesn't need to be signed. I'm sorry about the confusion. |
* `resume` is imported from the URL and stored in the Relier. * fxa-client sends the token to the auth server in `signUp`, `signUpResend`, `passwordReset`, and `passwordResetResend` issue #1623
* `resume` is imported from the URL and stored in the Relier. * fxa-client sends the token to the auth server in `signUp`, `signUpResend`, `passwordReset`, and `passwordResetResend` issue #1623
Copying over this comment from mozilla/fxa-auth-server#762 (comment).
@dannycoates, @ckarlof - To resume on a second device, we need to be able to generate an assertion. Generating an assertion requires a signed certificate, which requires a |
@ckarlof and @dannycoates - @johngruen and @ryanfeeley say that it's OK to ask the user for their password in the second client, no new auth-server support needed. Thanks! |
* Create a `resume` token from the `state` search parameter. Pass it along to the fxa-js-client. * If `resume` is available on the URL search string, populate `state`. * fxa-client sends the token to the auth server in `signUp`, `signUpResend`, `passwordReset`, and `passwordResetResend` issue #1623
* Create a `resume` token from OAuth parameters. Pass it along to the fxa-js-client. * Re-populate OAuth parameters from resume token on email verification. * Bump fxa-js-client to 0.1.25 with the new `resume` hotness. issue #1623
* Create a `resume` token from OAuth parameters. Pass it along to the fxa-js-client. * Re-populate OAuth parameters from resume token on email verification. * Bump fxa-js-client to 0.1.25 with the new `resume` hotness. * Add functional tests for verifying in a second browser. * Only show the serviceName in the ready screen if the user can continue with the OAuth flow. issue #1623
* Create a `resume` token from OAuth parameters. Pass it along to the fxa-js-client. * Re-populate OAuth parameters from resume token on email verification. * Bump fxa-js-client to 0.1.25 with the new `resume` hotness. * Add functional tests for verifying in a second browser. * Only show the serviceName in the ready screen if the user can continue with the OAuth flow. issue #1623
* Create a `resume` token from OAuth parameters. Pass it along to the fxa-js-client. * Re-populate OAuth parameters from resume token on email verification. * Bump fxa-js-client to 0.1.25 with the new `resume` hotness. * Add functional tests for verifying in a second browser. * Only show the serviceName in the ready screen if the user can continue with the OAuth flow. issue #1623
* Create a `resume` token from OAuth parameters. Pass it along to the fxa-js-client. * Re-populate OAuth parameters from resume token on email verification. * Bump fxa-js-client to 0.1.25 with the new `resume` hotness. * Add functional tests for verifying in a second browser. * Only show the serviceName in the ready screen if the user can continue with the OAuth flow. Introduce the User model. * Create the User instance in app-start.js. Pass it to the router which passes it to the Views. * Update the complete_sign_up View to make use of the User model. * Update the OAuth Relier to set the email on the User model instead of itself. issue #1623
* Create a `resume` token from OAuth parameters. Pass it along to the fxa-js-client. * Re-populate OAuth parameters from resume token on email verification. * Bump fxa-js-client to 0.1.25 with the new `resume` hotness. * Add functional tests for verifying in a second browser. * Only show the serviceName in the ready screen if the user can continue with the OAuth flow. Introduce the User model. * Create the User instance in app-start.js. Pass it to the router which passes it to the Views. * Update the complete_sign_up View to make use of the User model. * Update the OAuth Relier to set the email on the User model instead of itself. issue #1623
* Create a `resume` token from OAuth parameters. Pass it along to the fxa-js-client. * Re-populate OAuth parameters from resume token on email verification. * Bump fxa-js-client to 0.1.25 with the new `resume` hotness. * Add functional tests for verifying in a second browser. * Only show the serviceName in the ready screen if the user can continue with the OAuth flow. Introduce the User model. * Create the User instance in app-start.js. Pass it to the router which passes it to the Views. * Update the complete_sign_up View to make use of the User model. * Update the OAuth Relier to set the email on the User model instead of itself. issue #1623
I didn't think this through enough. The If we have mozilla/fxa-auth-server#763 (have email verification call return a sessionToken), then we could do something like:
the last step would probably be some rule like, if
then we just auto-finish the OAuth login for that account without showing any UI. |
The `resume` token isn't actually used at the moment, this is setting us up to verify in a second browser. The resume token only contains the `state` token passed by the OAuth RP. fixes #1623
Context: mozilla/fxa-auth-server#762
With
resume
we'll be able to send whatever encoded OAuth context we want. I propose putting theclient_id
,state
, andredirect_uri
in an encoded JWT and putting it inresume
wherever we're settingservice
. We still need to setservice
because it's used for server side metrics, but we can stop settingredirectURL
.This should clean things up a bit.
Items remaining:
resume
parameter to the auth-server fxa-js-client#132Relier
andFxaClient
to each View and remove any singletons. - See refactor(client): Create one FxaClient and one Relier in app start. #1645resume
to theRelier
model on the client. - See feat(client): Forward theresume
token to the auth server #1646resume
parameter to the auth-server fxa-js-client#132 - - 0.1.25 created.resume
from URL search parameters and send to fxa-js-clientThe text was updated successfully, but these errors were encountered: