single sign out with Firefox Accounts

Sean McArthur smcarthur at
Fri Nov 8 20:01:24 PST 2013

An additional factor that made us decide to pull out session management is
the new default cookie policy in Safari (OSX and iOS). It now defaults to
*no* third party cookies, not even visited. Therefore, we couldn't provide
session management to a significant portion of users. Using a JavaScript
SSO system for FxAccounts will not satisfy the requirement of "and FxA has to
work everywhere".

((sigh, replied from wrong account))

On Fri, Nov 8, 2013 at 5:39 PM, Chris Karlof <ckarlof at> wrote:

> One of the goals of Firefox Accounts is to be a single sign on system for
> relying Mozilla Services. This means after logging in to your FxA, you will
> be automatically authenticated to all relying Mozilla Services (e.g.,
> Marketplace, Where's My Fox). This should be true both on FxOS and on
> the Web, on Firefox and non-Firefox browsers.
>
> My understanding of our plan to support SSO with FxA is to use the Persona
> Watch API [1], or maybe something very close to it. After a user logs in to
> her FxA, relying Mozilla services will be notified via .onlogin().
>
> So what happens when a user logs out of her FxA? I argue the user should
> be logged out of all relying Mozilla services on that device or browser. A
> straightforward way to do this with the watch API is use .onlogout().
>
> My understanding is that Goldilocks API [2] removes .onlogout() due to
> some combination of Persona reliers not wanting it/not using it/having
> trouble using it. "Not wanting it" makes total sense to me. It's not
> obvious that a federated or delegated login system should act like a single
> sign on system in this regard. Logging out of one organization should not
> necessarily log you out of a totally different organization.
>
> But we *are* building an SSO system. I argue we need .onlogout() or
> something similar to it to notify relying Mozilla services when the user
> has logged out. If there are issues with .onlogout() not working well, we
> should address those issues, but I think we "want" it.
>
> An alternative I've heard is "session cookie assassination", where FxA
> kills the session cookies of relying Mozilla services on logout. IMO, this
> is a more fragile approach and is insufficient. I'm not sure how to
> accomplish this across multiple domains without UA support, and FxA has to
> work everywhere (i.e., non-Firefox browsers).
>
> Thoughts?
>
> -chris
>
> [1]
> [2]
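The distinction Chris draws between onlogin-only and onlogin-plus-onlogout can be made concrete with a small model. The following is an added example, not code from this thread, from Firefox Accounts, or from Persona: it mimics the shape of the Persona watch API (an RP passes `loggedInUser`, `onlogin` and `onlogout`; the identity provider reconciles the RP's view with its own and then pushes later changes). The classes `IdentityProvider` and `RelyingParty`, the `runScenario` walkthrough and the assertion objects are all constructed here for illustration and are not part of any real API.

```javascript
'use strict';
// Added example, not code from the thread or from Firefox Accounts/Persona.
// One identity provider (IdP) owns the sign-on state; each relying party (RP)
// registers onlogin/onlogout callbacks. Single sign-out means an IdP logout
// reaches every RP. All names below are illustrative only.

// Constructed stand-in for a signed identity assertion. A real RP would
// verify a real assertion server-side before trusting the email it carries.
function makeAssertion(email) {
  return { email, issuer: 'idp.example', issuedAt: Date.now() };
}

function verifyAssertion(assertion) {
  if (!assertion || assertion.issuer !== 'idp.example') {
    throw new Error('assertion from unexpected issuer');
  }
  return assertion.email;
}

class IdentityProvider {
  constructor() {
    this.user = null;      // who is signed in to the IdP, or null
    this.watchers = [];
  }

  // Analogue of navigator.id.watch({loggedInUser, onlogin, onlogout}).
  // The RP reports who *it* believes is logged in; the IdP reconciles that
  // view with its own immediately, then keeps the RP informed of changes.
  watch({ loggedInUser = null, onlogin, onlogout }) {
    this.watchers.push({ onlogin, onlogout });
    if (this.user !== null && loggedInUser !== this.user) {
      onlogin(makeAssertion(this.user));   // RP is behind: log it in
    } else if (this.user === null && loggedInUser !== null) {
      if (onlogout) onlogout();            // RP holds a stale session
    }
  }

  login(email) {
    this.user = email;
    for (const w of this.watchers) w.onlogin(makeAssertion(email));
  }

  // Single sign-out: every watcher that registered onlogout is told.
  // A watcher without onlogout (the "Goldilocks" case in the thread)
  // is simply never notified and keeps whatever session it had.
  logout() {
    this.user = null;
    for (const w of this.watchers) if (w.onlogout) w.onlogout();
  }
}

class RelyingParty {
  // `initialSession` stands in for whatever the RP's own session cookie
  // says before it talks to the IdP; `handlesLogout` toggles whether the
  // RP registers an onlogout callback at all.
  constructor(name, idp, { initialSession = null, handlesLogout = true } = {}) {
    this.name = name;
    this.session = initialSession;
    idp.watch({
      loggedInUser: this.session,
      onlogin: (assertion) => { this.session = verifyAssertion(assertion); },
      onlogout: handlesLogout ? () => { this.session = null; } : undefined,
    });
  }
}

// Walk through the scenario from the thread and return each RP's state
// at each step so the effect of onlogout can be checked.
function runScenario() {
  const idp = new IdentityProvider();

  // An RP carrying a stale session from an earlier visit: the IdP has
  // nobody signed in, so reconciliation at watch() time logs it out.
  const stale = new RelyingParty('stale-rp', idp, { initialSession: 'old@example.test' });
  const afterReconcile = stale.session;

  const marketplace = new RelyingParty('marketplace', idp);
  const noLogout = new RelyingParty('no-onlogout-rp', idp, { handlesLogout: false });

  idp.login('user@example.test');    // onlogin fans out to all three RPs
  const afterLogin = [stale.session, marketplace.session, noLogout.session];

  idp.logout();                      // single sign-out
  return {
    afterReconcile,
    afterLogin,
    afterLogout: [stale.session, marketplace.session, noLogout.session],
  };
}
```

Running `runScenario()` shows the two halves of the argument: the RPs that registered `onlogout` end with no session, while the RP that did not is left with a live session for a user the IdP no longer considers signed in. The model deliberately leaves out what Sean raises in his reply: in a real deployment the IdP-to-RP notification travels over a cross-origin channel, and a browser that blocks third-party cookies by default can break that channel regardless of which callbacks the API offers.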