
Provide a way for reliers to confirm a user's login state without re-entering password #590

Description

@rfk

This is a followup to mozilla/fxa-content-server#6658 and in service of mozilla/addons#732.

To support enforcing 2FA on developer accounts in AMO, they'd like to do a flow like the following:

  1. Have the user do an initial FxA OAuth flow without requiring 2FA.
  2. Lookup the resulting userid in the AMO database to see if they're a developer.
  3. If so, check whether they used 2FA during the login at (1).
  4. If not, have the user do another FxA OAuth flow, this time passing query parameters to insist that they use 2FA.

Such a flow is possible as of train-124, thanks to #6545 which added support for the acr_values query parameter. However, due to various rough edges in our session handling (#5916), the user will be forced to enter their password twice - once for the OAuth flow at (1) and again for the OAuth flow at (4).

Can we provide a way for the relier to avoid a second password prompt at (4), that doesn't allow them to skip the initial authorization step at (1)?
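The relier-side decision the four steps above describe, written out as an added illustration (not code from FxA or AMO). It assumes that the verified claims from the first flow carry an `acr` value such as `AAL1` (password only) or `AAL2` (password plus 2FA), that the step-up request uses `acr_values=AAL2`, and that the developer lookup is a constructed stand-in for the AMO database:

```python
from urllib.parse import urlencode

# Assumption, not stated in the issue: FxA reports the achieved
# authenticator assurance level in an "acr" claim, AAL1 < AAL2.
AAL_RANK = {"AAL1": 1, "AAL2": 2}
REQUIRED_FOR_DEVELOPERS = "AAL2"

# Constructed stand-in for the AMO developer lookup at step (2).
DEVELOPER_UIDS = {"uid-dev-1", "uid-dev-2"}


def is_developer(uid: str) -> bool:
    return uid in DEVELOPER_UIDS


def needs_step_up(claims: dict) -> bool:
    """Step (3): was the login from step (1) strong enough for this user?

    `claims` must already be signature-verified by the OAuth library;
    a missing acr is treated as the weakest level, never as a pass."""
    if not is_developer(claims["sub"]):
        return False
    achieved = AAL_RANK.get(claims.get("acr", ""), 0)
    return achieved < AAL_RANK[REQUIRED_FOR_DEVELOPERS]


def step_up_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                state: str, scope: str = "profile") -> str:
    """Step (4): second authorization request insisting on 2FA."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,                          # fresh, unguessable per request
        "acr_values": REQUIRED_FOR_DEVELOPERS,   # the knob #6545 added
    }
    return auth_endpoint + "?" + urlencode(params)


def step_up_satisfied(first: dict, second: dict) -> bool:
    """After (4): accept only if the same account came back at AAL2.

    Checking `sub` prevents satisfying the 2FA requirement with a
    different account than the one authorized at step (1)."""
    if second.get("sub") != first.get("sub"):
        return False
    return AAL_RANK.get(second.get("acr", ""), 0) >= AAL_RANK[REQUIRED_FOR_DEVELOPERS]
```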

Issue is synchronized with this Jira Task
Issue Number: FXA-736
