This repository has been archived by the owner on Nov 1, 2018. It is now read-only.

Registering Service Accounts #327

Closed
seanmonstar opened this issue Aug 26, 2015 · 4 comments

@seanmonstar

The first part of mozilla/fxa#53, an ability to create a client that can have a public/private keypair generated, with the public key saved in a configuration file. Since this requires explicit registration with our help, use of a database isn't quite needed.

As this client doesn't need most of the properties that a typical client does, create a new config value, service_clients, with the properties client_id, pubkey, scope.
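
How a server could check a request against the proposed `service_clients` entries (`client_id`, `pubkey`, `scope`), as an added example that is not part of the original post and not fxa-oauth-server code. Assumptions: the client authenticates with an RS256-signed JWT whose `iss` is its `client_id`, `pubkey` is stored as PEM, and `scope` is a space-separated list; the function names, client id and scope values are hypothetical.

```javascript
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');

// Client side (constructed for the demo): sign claims as an RS256 JWT.
function signAssertion(privateKey, claims) {
  const input = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(claims));
  return input + '.' + crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url');
}

// Server side: accept an assertion only if it verifies against the public key
// configured for the claimed client, and only for scopes that entry allows.
function verifyServiceAssertion(serviceClients, jwt, now = Date.now() / 1000) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed assertion');
  const [header, claims] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  // Pin the algorithm; never let the token choose it ("none", HS256, ...).
  if (header.alg !== 'RS256') throw new Error('unsupported alg');
  // The key comes from config, selected by the claimed issuer (assumed = client_id).
  const client = serviceClients.find((c) => c.client_id === claims.iss);
  if (!client) throw new Error('unknown service client');
  const ok = crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    client.pubkey, Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // Requested scopes must be a non-empty subset of the configured scope.
  const allowed = new Set(client.scope.split(' '));
  const requested = String(claims.scope || '').split(' ').filter(Boolean);
  if (!requested.length || !requested.every((s) => allowed.has(s))) throw new Error('scope not allowed');
  return { client_id: client.client_id, scope: requested };
}

// Constructed sample: one generated keypair and the matching config entry.
function demoSetup() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const serviceClients = [{
    client_id: 'demo-service-client', // placeholder id
    pubkey: publicKey.export({ type: 'spki', format: 'pem' }),
    scope: 'profile:email', // sample scope
  }];
  return { serviceClients, privateKey };
}
```

Only the public key lives in the server's config; the private key from `demoSetup` stands in for what the registered service would hold.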

@rfk

rfk commented Aug 27, 2015

> can have a public/private keypair generated, with the public key saved in our database

We should consider using JKUs rather than generating keys and giving them to the client. This seemed to work nicely for pre-verified tokens in the auth-server [1] and it forces us to do the right thing w.r.t. secret rotation, key revocation, etc.

I also wonder if we can just list the allowed clients and their JKUs/pubkeys in a config file to start with, rather than using a dynamic table in the database. There won't be more than a handful of them, and unlike standard client_ids, there are currently no plans to allow people to self-service these credentials.

[1] https://github.com/mozilla/fxa-auth-server/blob/master/lib/preverifier.js

@seanmonstar

Oh yea, I completely forgot we talked about this and decided on a config value instead. Major brain failure.

@seanmonstar

@billmaggs Why was this moved to multi-device metrics?

@billmaggs

trying to make it clickable. Switched back.
