-
Notifications
You must be signed in to change notification settings - Fork 40
Remove ability to fetch email address from the oauth-server API #352
Comments
Is anyone getting the user's email from the Also if so, then I imagine the verify route will need to be able to detect recursion, since when verify is called, it would have to ask the auth-server, passing the token, which would turn around and ask the oauth-server to verify the token (wanting to fetch the email again)... |
IIRC the basket proxy does, but that's an easy fix on our side. Sadly, it is part of our documented API, so others could legitimately be looking for it and we'll have to move carefully if we want to remove it. |
Hm, I don't see how to stop the recursion without the auth-server sending an additional parameter when it wants to verify a token... |
Agree. We should try to remove it, since I really don't think anyone should be using this endpoint except for our own services. |
@vladikoff I tried just chopping the email out, and found out that developers use the email address everywhere... Any change would require the console to update as well. It looks like the developer routes require oauth authorization, and the developer's email is used from the verified token. What if instead we just keyed everything regarding developers with their FxA uid? |
@seanmonstar we need to validate that the user is |
@vladikoff oh right. Hmm, but that validation only needs to happen once, when logging in, right? |
@seanmonstar Yeap! |
Having mulled this over a little, I feel like we should try to set a good habit here of moving cautiously with changes to our public-facing APIs, even if it means eating a bit of short-term complexity/ugliness internally. I'm pretty sure that nothing outside our own systems will break if we yank Strawman:
That's more work for us, but not too much more, and it keeps us moving forward. @seanmonstar what do you think, worth it, or no? |
That seems fine to me. I'll create an issue and bump this one back to next. |
I think the title of this issue now out of date, and we plan to just completely drop the ability to retrieve an email from the oauth-server API. I'm changing it, but @seanmonstar please change it back if that doesn't reflect your current understanding of the situation. |
@rfk https://kibana-fxa-us-west-2.prod.mozaws.net/#dashboard/temp/AWK1heimTlXM2FwOOFau i think there is a single client that asks for this atm |
Looks like this is kintowe:
@glasserc could you please point us to the code kintowe uses for oauth token verification? Is it using https://github.com/Kinto/kinto-fxa/ or something else? |
Yes, that's it! |
Hrm. As far as I can tell, kinto-fxa just calls OAuthClient.verify_token here: https://github.com/mozilla/PyFxA/blob/master/fxa/oauth.py#L176 Which doesn't explicitly request the "email" field. So at first glance I'm not sure what's actually causing it to request this. |
On reflection, the |
On further reflection, I think I'm misinterpreting things here. The linked kibana dashboard shows a sudden drop in these events at around 04:00 04/11, which I believe corresponds pretty closely to train-109 going to production. If you filter out events for the client_id of "5882386c6d801776", there are in fact a much smaller number of events in there from other clients. So what I think this indicates is, prior to train-109 we were logging the "routes.verify.email.requested" event for basically every request, since the @vladikoff does that make sense? |
@rfk ah that makes sense , i just thought kibana was behind, but it actually was empty. |
@deeptibaghel wanna try closing this out? Basically we need to remove support for this parameter: https://github.com/mozilla/fxa-oauth-server/blob/master/lib/routes/verify.js#L15 Some tests will probably start failing, for example this test could probably be removed or changed to assert a "unknown payload email": https://github.com/mozilla/fxa-oauth-server/pull/533/files#diff-9265a69d5e81bfaab4edbd417a33a626R2707 @rfk confirm? |
Yep. We'll also need to stop auth-server from sending an explicit https://github.com/mozilla/fxa-auth-server/blob/master/config/index.js#L544 We'll probably need to continue to accept the "email: false" parameter for a train cycle until we can confirm that everything has stopped sending it, but we can certainly remove all the logic for "email: true" at this time. |
@vladikoff sure , happy to work this :) |
…ess from the API
Has an issue on the auth-server been added for this? |
@deeptibaghel the PR is a good start but we need to do 1-2 other PRs before merging it.
So fxa-auth-server needs a change for that first |
@vladikoff i will work on removing it from fxa-auth-server |
When mozilla/fxa-auth-server#1053 lands, tokens with "profile:email" scope can be used to fetch the user's email address directly from the auth-server. We should do so rather than keeping a copy of it in our own db. This will allow us to drop the "email" column from the "tokens" table, unblocking the final landing of service tokens.
The text was updated successfully, but these errors were encountered: