single sign out with Firefox Accounts

Chris Karlof ckarlof at mozilla.com
Fri Nov 8 17:39:51 PST 2013


One of the goals of Firefox Accounts is to be a single sign on system for relying Mozilla Services. This means after logging in to your FxA, you will be automatically authenticated to all relying Mozilla Services (e.g., Marketplace, Where's My Fox). This should be true both on FxOS and on the Web, on Firefox and non-Firefox browsers.

My understanding of our plan to support SSO with FxA is to use the Persona Watch API [1], or maybe something very close to it. After a user logs in to her FxA, relying Mozilla services will be notified via .onlogin().

So what happens when a user logs out of her FxA? I argue the user should be logged out of all relying Mozilla services on that device or browser. A straightforward way to do this with the watch API is to use .onlogout().

My understanding is that the Goldilocks API [2] removes .onlogout() due to some combination of Persona reliers not wanting it/not using it/having trouble using it. "Not wanting it" makes total sense to me. It's not obvious that a federated or delegated login system should act like a single sign on system in this regard. Logging out of one organization should not necessarily log you out of a totally different organization.

But we *are* building an SSO system. I argue we need .onlogout() or something similar to it to notify relying Mozilla services when the user has logged out. If there are issues with .onlogout() not working well, we should address those issues, but I think we "want" it.

An alternative I've heard is "session cookie assassination", where FxA kills the session cookies of relying Mozilla services on logout. IMO, this is a more fragile approach and is insufficient. I'm not sure how to accomplish this across multiple domains without UA support, and FxA has to work everywhere (i.e., non-Firefox browsers).

Thoughts? 

-chris

[1] https://developer.mozilla.org/en-US/docs/Web/API/navigator.id.watch
[2] https://groups.google.com/forum/#!topic/mozilla.dev.identity/6_C6JBT5zGw
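
The single sign-out behaviour discussed in the message above, as an added example that is not part of the original message or any Mozilla code: two hypothetical reliers register with a watch-style API and drop their local sessions when onlogout fires. `FakeIdentityApi`, `createRelier`, `verify` and the assertion format are constructed stand-ins for navigator.id and a relier's backend verification.

```javascript
const PREFIX = 'assertion-for:'; // constructed assertion format, not a real one

// Constructed stand-in for navigator.id so the example runs outside a browser.
// It models only the behaviour the message relies on: every watcher is told
// about login and logout, and watch() reconciles state on registration.
class FakeIdentityApi {
  constructor() { this.watchers = []; this.user = null; }
  watch(opts) {
    this.watchers.push(opts);
    if (this.user && opts.loggedInUser !== this.user) opts.onlogin(PREFIX + this.user);
    if (!this.user && opts.loggedInUser) opts.onlogout(); // relier has a stale session
  }
  login(email) { this.user = email; this.watchers.forEach(w => w.onlogin(PREFIX + email)); }
  logout() { this.user = null; this.watchers.forEach(w => w.onlogout()); }
}

// Hypothetical relier holding its own local session state.
function createRelier(name, idApi, verifyAssertion, sessionUser = null) {
  const relier = { name, sessionUser, events: [] };
  idApi.watch({
    loggedInUser: relier.sessionUser,
    onlogin(assertion) {
      // A real relier verifies the assertion on its own server before
      // creating a session; an unverifiable assertion creates nothing.
      const email = verifyAssertion(assertion);
      if (email) { relier.sessionUser = email; relier.events.push('login'); }
    },
    onlogout() {
      // Drop the local session unconditionally when the account logs out.
      relier.sessionUser = null;
      relier.events.push('logout');
    },
  });
  return relier;
}

// Constructed verifier: accepts only the constructed assertion format.
const verify = a => (a.startsWith(PREFIX) ? a.slice(PREFIX.length) : null);

function demoSingleSignOut() {
  const fxa = new FakeIdentityApi();
  const reliers = ['marketplace', 'wheres-my-fox'].map(n => createRelier(n, fxa, verify));
  fxa.login('user@example.com'); // constructed sample address
  const during = reliers.map(r => r.sessionUser);
  fxa.logout();
  return { during, after: reliers.map(r => r.sessionUser) };
}
```

The reconcile step in `watch()` also covers a relier page that loads with a stale session after the account has already logged out elsewhere on that browser.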


More information about the Dev-fxacct mailing list