single sign out with Firefox Accounts

Sean McArthur sean at seanmonstar.com
Fri Nov 8 20:00:06 PST 2013


An additional factor that made us decide to pull out session management is
the new default cookie policy in Safari (OSX and iOS). It now defaults to
*no* third party cookies, not even visited. Therefore, we couldn't provide
session management to a significant portion of users. Using a JavaScript
SSO system for FxAccounts will not satisfy the requirement of "and FxA has to
work everywhere".


On Fri, Nov 8, 2013 at 5:39 PM, Chris Karlof <ckarlof at mozilla.com> wrote:

> One of the goals of Firefox Accounts is to be a single sign on system for
> relying Mozilla Services. This means after logging in to your FxA, you will
> be automatically authenticated to all relying Mozilla Services (e.g.,
> Marketplace, Where's My Fox). This should be true both on FxOS and on
> the Web, on Firefox and non-Firefox browsers.
>
> My understanding of our plan to support SSO with FxA is to use the Persona
> Watch API [1], or maybe something very close to it. After a user logs in to
> her FxA, relying Mozilla services will be notified via .onlogin().
>
> So what happens when a user logs out of her FxA? I argue the user should
> be logged out of all relying Mozilla services on that device or browser. A
> straightforward way to do this with the watch API is to use .onlogout().
>
> My understanding is that Goldilocks API [2] removes .onlogout() due to
> some combination of Persona reliers not wanting it/not using it/having
> trouble using it. "Not wanting it" makes total sense to me. It's not
> obvious that a federated or delegated login system should act like a single
> sign on system in this regard. Logging out of one organization should not
> necessarily log you out of a totally different organization.
>
> But we *are* building a SSO system. I argue we need .onlogout() or
> something similar to it to notify relying Mozilla services when the user
> has logged out. If there are issues with .onlogout() not working well, we
> should address those issues, but I think we "want" it.
>
> An alternative I've heard is "session cookie assassination", where FxA
> kills the session cookies of relying Mozilla services on logout. IMO, this
> is a more fragile approach and is insufficient. I'm not sure how to
> accomplish this across multiple domains without UA support, and FxA has to
> work everywhere (i.e., non-Firefox browsers).
>
> Thoughts?
>
> -chris
>
> [1] https://developer.mozilla.org/en-US/docs/Web/API/navigator.id.watch
> [2] https://groups.google.com/forum/#!topic/mozilla.dev.identity/6_C6JBT5zGw
>
> _______________________________________________
> Dev-fxacct mailing list
> Dev-fxacct at mozilla.org
> https://mail.mozilla.org/listinfo/dev-fxacct
>
>
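The relying-party side of the Persona watch API flow Chris describes above, as an added example that is not code from this thread, from FxA or from Persona: the IdP's .onlogout() is mapped to ending the relying service's own server session, so single sign-out needs no cross-domain cookie manipulation. The endpoint paths (/auth/login, /auth/logout) and the CURRENT_USER global are assumptions, and the HTTP transport is injected so the handlers can run outside a browser.

```javascript
// Added example, not code from the thread: relying-party (RP) handlers for
// navigator.id.watch(). Endpoint paths and window.CURRENT_USER are assumed.
//
//   loggedInUser: the email the RP's server session holds, or null. The IdP
//                 compares it with its own state and fires onlogin/onlogout
//                 only on mismatch, which is what makes single sign-out work.
//   io.send(path, body) -> Promise<{ ok }>  (HTTP POST to the RP server)
//   io.reload()                              (refresh the page after a change)
//   io.idpLogout()                           (maps to navigator.id.logout())
function makeWatchOptions(loggedInUser, io) {
  return {
    loggedInUser: loggedInUser,

    // Fired when the IdP knows a user the RP does not. The assertion is
    // opaque to the page; only the RP server may trust the email inside it,
    // and only after verifying the signature and the audience.
    onlogin: function (assertion) {
      return io.send('/auth/login', { assertion: assertion }).then(function (res) {
        if (res.ok) { io.reload(); return 'logged-in'; }
        io.idpLogout(); // tell the IdP we are not logged in, or it re-fires onlogin
        return 'login-rejected';
      });
    },

    // Fired when the IdP has no user but this RP still thinks one is logged
    // in: the single sign-out notification. Each RP ends its own session here;
    // nothing reaches across domains, so it works in any browser.
    onlogout: function () {
      if (loggedInUser === null) return Promise.resolve('already-logged-out');
      return io.send('/auth/logout', {}).then(function () {
        io.reload();
        return 'logged-out';
      });
    },
  };
}

// Browser wiring; guarded so the same file also loads under Node.
if (typeof navigator !== 'undefined' && navigator.id && navigator.id.watch) {
  navigator.id.watch(makeWatchOptions(window.CURRENT_USER || null, {
    send: function (path, body) {
      return fetch(path, { method: 'POST', credentials: 'same-origin',
        headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })
        .then(function (r) { return { ok: r.ok }; });
    },
    reload: function () { window.location.reload(); },
    idpLogout: function () { navigator.id.logout(); },
  }));
}
```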