dynamic well-known #2078

Closed
benadida opened this Issue Jul 17, 2012 · 22 comments

Projects

None yet

8 participants

@benadida
Contributor

To support BigTent and generally provide a bit more flexibility, we should tweak the protocol such that, when a well-known file is requested at a URL whose domain does NOT match the email for which the request is made, a domain GET parameter is added to the well-known request.

@lloyd lloyd was assigned Jul 19, 2012
@warner
Member
warner commented Aug 7, 2012

does this need to be nailed down before the beta1 release? Or are you comfortable making protocol changes after it?

@ozten
Member
ozten commented Aug 7, 2012

I think this is after Beta 1.

@warner
Member
warner commented Aug 7, 2012

righto

@ozten ozten was assigned Oct 9, 2012
@lloyd
Contributor
lloyd commented Oct 16, 2012

GET parameter? Or HTTP header?

Remind me, why does bigtent require this? (Ideally this context would be in the issue description for forgetful people like me)

@benadida
Contributor

BigTent could be implemented in a number of ways:

(a) sharing the secret key (uggh)

(b) cert chaining (really complicated)

(c) GET parameter on well-known

In general, during the meeting we had about this where we discussed various ways in which a domain could logistically deploy different keys for different sets of users, we agreed (and I think you were enthusiastic) about (c) as the simplest way.

HTTP header is a no-go, that would break REST / caching / web arch in a serious way. It should be a diff URL.

@callahad
Member

@lloyd Our fallback needs a way to optionally route requests to BigTent. BigTent is designed to function just like a normal IdP.

The safest and simplest option on the table involved querying the well-known file with the user's domain as a GET parameter, so that we could use standard authority delegation to hand control over to BigTent.

As Ben mentioned, we're trying to avoid cert chaining or sharing the secret key. We'd also like to be able to easily add or remove BigTent for certain domains / addresses, so that B2G and the native Firefox implementation can use it without having explicit knowledge of BigTent and its supported domains.

Unfortunately, it turns out that we can't actually support all Yahoo addresses with BigTent, and thus domain-based partitioning won't work for all currently-supported Yahoo addresses. This is thanks to a "disposable address" (pseudonymous alias) feature in Yahoo! Mail Plus. Which sucks a lot.

I really need design help in figuring out a good way to make this thing work. @lloyd, here's your opportunity for a re-think of this thing. :)

@benadida
Contributor

@callahad fascinating! Those addresses are at the same domain? yahoo.com?

@callahad
Member

@benadida Yep! More info in mozilla/persona-yahoo-bridge#12, but the way you can tell a real Yahoo address from a disposable one is the presence of a hyphen in the address. Normal accounts can't have one, disposable aliases must have one.

@callahad
Member

@ozten Do we have a tracking bug for adding dynamic well-known lookup to our verifier?

@ozten
Member
ozten commented Oct 22, 2012

@warner is working on this in mozilla/persona#2623

Brian, any other bug #s to mention?

@callahad
Member
callahad commented Mar 6, 2013

I'm under the impression that this is in, and is how BigTent is currently working. Could someone verify, and I'll take care of the spec side?

@6a68
Member
6a68 commented Mar 6, 2013

@callahad yah, looks like #2623 is the dynamic well-known implementation in browserid, and was merged in.

@ozten
Member
ozten commented Mar 6, 2013

Yes it is in the implementation, but probably not in the spec.
Here is the open pull request

@ozten
Member
ozten commented Mar 6, 2013
@callahad
Member
callahad commented Mar 7, 2013

Awesome. Feel free to leave the spec to me -- it'll be my main focus after I give my talk.

@6a68
Member
6a68 commented Apr 3, 2013

@callahad ping :-)

@callahad
Member
callahad commented Apr 3, 2013

We're like, 99% there.

@6a68
Member
6a68 commented Apr 3, 2013

\o/ 🍻

@sesam
sesam commented Apr 12, 2013

Since Beta 2 has been launched, is this issue done?

@6a68
Member
6a68 commented Apr 12, 2013

I don't think so, since the specs repo hasn't been updated recently:
https://github.com/mozilla/id-specs

On Thu, Apr 11, 2013 at 11:43 PM, Simon B. notifications@github.com wrote:

Since Beta 2 has been launched, is this issue done?


Reply to this email directly or view it on GitHubhttps://github.com/mozilla/browserid/issues/2078#issuecomment-16278158
.

@callahad
Member

Taking this. Sleeping in tomorrow, will tackle that evening.

@callahad callahad was assigned Apr 12, 2013
@seanmonstar
Member

This is done. If specs need updating, file a bug of there.

@seanmonstar seanmonstar closed this Mar 2, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment