Registering Service Accounts #327
Comments
We should consider using JKUs rather than generating keys and giving them to the client. This seemed to work nicely for pre-verified tokens in the auth-server [1] and it forces us to do the right thing w.r.t. secret rotation, key revocation, etc. I also wonder if we can just list the allowed clients and their JKUs/pubkeys in a config file to start with, rather than using a dynamic table in the database. There won't be more than a handful of them, and unlike standard client_ids, there are currently no plans to allow people to self-service these credentials. [1] https://github.com/mozilla/fxa-auth-server/blob/master/lib/preverifier.js
Oh yeah, I completely forgot we talked about this and decided on a config value instead. Major brain failure.
@billmaggs Why was this moved to multi-device metrics?
Trying to make it clickable. Switched back.
The first part of mozilla/fxa#53: the ability to create a client that can have a public/private keypair generated, with the public key saved in a configuration file. Since this requires explicit registration with our help, use of a database isn't quite needed.
As this client doesn't need most of the properties that a typical client does, create a new config value, service_clients, with the properties client_id, pubkey, scope.
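An added example, not code from this thread or from the project: one way a server could check a signed assertion against a static service_clients list with the client_id, pubkey and scope properties proposed above. The JWT format, the use of RS256, the iss claim carrying the client_id, and the names signAssertion and verifyServiceAssertion are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo keypair; a real deployment stores only the public JWK.
const demo = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Config shape from the issue (client_id, pubkey, scope); values are constructed.
const serviceClients = [{
  client_id: 'demo-service-client',
  pubkey: demo.publicKey.export({ format: 'jwk' }),
  scope: 'profile:email'
}];

const b64url = (v) => Buffer.from(v).toString('base64url');

// Demo-only signer standing in for the service that holds the private key.
function signAssertion(claims, privateKey) {
  const input = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
    b64url(JSON.stringify(claims));
  return input + '.' + crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url');
}

// Hypothetical verifier: returns the requested scopes or throws.
function verifyServiceAssertion(jwt, clients, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url'));
  // Pin the algorithm; never let the token select "none" or an HMAC alg.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
  // Assumption: the iss claim carries the configured client_id.
  const client = clients.find((c) => c.client_id === claims.iss);
  if (!client) throw new Error('unknown service client');
  const key = crypto.createPublicKey({ key: client.pubkey, format: 'jwk' });
  const signed = Buffer.from(parts[0] + '.' + parts[1]);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    throw new Error('bad signature');
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  // Scope is capped by config, not by what the token asks for.
  const allowed = new Set(client.scope.split(' '));
  const requested = String(claims.scope || '').split(' ').filter(Boolean);
  if (!requested.every((s) => allowed.has(s))) throw new Error('scope not allowed');
  return requested;
}
```

Because the key and the scope ceiling both come from configuration, rotating or revoking a service client is a config change, and a token cannot widen its own privileges.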