[PROPOSAL] SSO: Support to prevent asking password again to already authenticated users on supported reliers #2637

Closed
wants to merge 1 commit into base: master

Conversation

6 participants
@renoirb
Contributor

renoirb commented Jun 26, 2015

How about a separate, trusted+supported web application that could just "log you in" without asking your password more than once, a.k.a. SSO?

The following patch would make FxA able to give an OAuth2 one-time code string so that a configured relier would be able to get an OAuth Bearer token.

The idea is that each relier could then use the token to ask a "source of truth" (i.e. fxa-profile-server); the relier could then make sure the user exists locally and start a session. This has to be done in two separate components: [An initializer JavaScript module](#An initializer JavaScript module), and [Set in place two HTTP handlers on web app relier](#Set in place two HTTP handlers on web app relier).

To see the idea in action, see this video, where you'll see two separate wikis, on different domains, ensure their session state is in sync with FxA.

Synchronize session state across separate web applications

More notes about the feature

Dependencies

OAuth server patch

ref: mozilla/fxa-oauth-server#279

An initializer JavaScript module

Refer to this gist

Set in place two HTTP handlers on web app relier

  • Each web application has to be registered to the OAuth server as both: {trusted: true, canSso: true}
  • Backend has to support reading from a "source of truth" (i.e. fxa-profile-server)
    • If FxA has no session, ensure the relier web app kills any session (done through the [JavaScript initializer module](#An initializer JavaScript module))
    • If FxA has session, it MUST match session it has locally
  • Ensure possible user data changes are reflected on relier web application locally

PHP Backend strawman

The following is planned to be factored out as a PHP module so that other systems would take care of the specifics that the [JavaScript initializer module](#An initializer JavaScript module) would trigger via XHR HTTP calls from its iframe.
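
The list above says what the relier's two handlers must guarantee (kill the local session when FxA has none, and make a local session match the FxA one). As an added example, not code from this PR, from fxa-content-server, or from the linked gist, here is a small JavaScript model of that relier-side logic. The names `exchangeCode`, `fetchProfile`, `makeFakeFxa`, `handleLogin`, `handleLogout` and the `Action` values are assumptions made for the example; the OAuth server and fxa-profile-server are replaced by an in-memory fake (with single-use codes) so it runs offline, where a real relier would make HTTPS calls.

```javascript
'use strict';

// Added example, not code from this PR or from Firefox Accounts. Models the
// relier side of the flow described above: the initializer iframe reports
// FxA's session state; on "signed in" the relier exchanges the one-time code
// for a bearer token, asks the profile server ("source of truth") who the
// user is, and forces its local session to agree with FxA. `exchangeCode`
// and `fetchProfile` are hypothetical names, not FxA's real API.

const Action = Object.freeze({
  NONE: 'none',               // local session already matches FxA
  KILL_SESSION: 'kill',       // FxA has no session: log the local user out
  START_SESSION: 'start',     // no local session yet: create one for this uid
  REBIND_SESSION: 'rebind',   // local session belongs to another uid: replace it
  REFRESH_PROFILE: 'refresh', // same uid, but profile data changed upstream
});

// Pure decision rule. `fxaProfile` is null when FxA reports no session.
function decideAction(localSession, fxaProfile) {
  if (fxaProfile === null) {
    return localSession ? Action.KILL_SESSION : Action.NONE;
  }
  if (!localSession) return Action.START_SESSION;
  if (localSession.uid !== fxaProfile.uid) return Action.REBIND_SESSION;
  if (localSession.email !== fxaProfile.email) return Action.REFRESH_PROFILE;
  return Action.NONE;
}

function applyAction(action, localSession, fxaProfile) {
  if (action === Action.KILL_SESSION) return null;
  if (action === Action.NONE) return localSession;
  // START, REBIND and REFRESH all end with a session bound to the FxA uid.
  return { uid: fxaProfile.uid, email: fxaProfile.email };
}

// Handler 1: the iframe says FxA has no session.
function handleLogout(localSession) {
  const action = decideAction(localSession, null);
  return { action, session: applyAction(action, localSession, null) };
}

// Handler 2: the iframe delivers a one-time OAuth code.
function handleLogin(localSession, code, fxa) {
  let profile;
  try {
    const { access_token: token } = fxa.exchangeCode(code);
    profile = fxa.fetchProfile(token);
  } catch (err) {
    // A bad or replayed code must never keep a stale local session alive.
    return { action: Action.KILL_SESSION, session: null, error: err.message };
  }
  const action = decideAction(localSession, profile);
  return { action, session: applyAction(action, localSession, profile) };
}

// Constructed fake of the OAuth + profile servers (not the real services).
// Codes are single-use, as an OAuth authorization code must be.
function makeFakeFxa(accountsByCode) {
  const codes = new Map(Object.entries(accountsByCode));
  const tokens = new Map();
  return {
    exchangeCode(code) {
      const account = codes.get(code);
      if (!account) throw new Error('invalid or already used code');
      codes.delete(code);
      const token = `tok-${tokens.size + 1}`;
      tokens.set(token, account);
      return { access_token: token, token_type: 'bearer' };
    },
    fetchProfile(token) {
      const account = tokens.get(token);
      if (!account) throw new Error('invalid bearer token');
      return { uid: account.uid, email: account.email };
    },
  };
}

// Constructed scenario: one relier, one FxA state. Returns the action taken
// at each step and the final local session.
function runScenario() {
  const fxa = makeFakeFxa({
    'code-alice-1': { uid: 'uid-alice', email: 'alice@example.com' },
    'code-alice-3': { uid: 'uid-alice', email: 'alice.new@example.com' },
    'code-bob-1': { uid: 'uid-bob', email: 'bob@example.com' },
  });
  const trace = [];
  let session = null;
  const step = (r) => { session = r.session; trace.push(r.action); };

  step(handleLogin(session, 'code-alice-1', fxa)); // start
  step(handleLogin(session, 'code-alice-3', fxa)); // refresh (email changed)
  step(handleLogin(session, 'code-bob-1', fxa));   // rebind (different uid)
  step(handleLogout(session));                      // kill
  step(handleLogin(session, 'code-alice-1', fxa)); // replayed code: kill
  step(handleLogout(session));                      // none (nothing to kill)
  return { trace, session };
}
```

The replay step is the check worth keeping: because the fake OAuth server refuses an already-used code, the relier treats the failed exchange as "no FxA session" rather than trusting whatever session it already had.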

GitCop commented Jun 26, 2015

There were the following issues with your Pull Request

  • Commit: 645d8bf
    • Commits must be in the following format: %{type}(%{scope}): %{description}

Guidelines are available at https://github.com/mozilla/fxa-content-server/blob/master/CONTRIBUTING.md#git-commit-guidelines


This message was auto-generated by https://gitcop.com

feat(sso): Allow fxa-oauth’s canSso seamless login
Rebased under current master
Member

vladikoff commented Jul 2, 2015

Thanks for sending this PR, working on this and showing a demo at Whistler! It was great!

We are going to hold off on working on this because no one requested SSO functionality. However, we will keep this PR in mind.

Member

rfk commented Jul 2, 2015

Seconded, it was really great to see this come together at Whistler.

We can't justify merging this to mainline without a compelling use-case within the Firefox connected experience, but two notes:

  • I'm really pleased to see that this was cleaner than the previous approach you took for SSO, that's a good sign of healthily evolving code
  • I'd be happy to consider any refactorings that would make this easier to maintain in an ongoing fork

IIUC, the core of the experience here is just skipping the "signin" prompt entirely for a certain set of reliers. I wonder if that could be useful more broadly than just the sso scope you outline here. Worth thinking about.

Contributor

renoirb commented Jul 2, 2015

Thanks for the feedback.

I'm OK with not merging right away. I will find time to create the relier module in JavaScript, and create backend PHP and Python modules too. With that in a usable state we could have concrete use cases.

Member

groovecoder commented Aug 12, 2015

FWIW, we may need/want this for MDN-BrowserCompat SSO via Firefox Accounts.

Contributor

renoirb commented Aug 12, 2015

\0/

Contributor

renoirb commented Aug 12, 2015

I’ve described, once more, how it all works together in a comment on Bugzilla 1050399.
