single sign out with Firefox Accounts

Chris Karlof ckarlof at mozilla.com
Sun Nov 10 10:23:53 PST 2013


On Nov 8, 2013, at 8:00 PM, Sean McArthur wrote:

> An additional factor that made us decide to pull out session management is the new default cookie policy in Safari (OSX and iOS). It now defaults to *no* third party cookies, not even visited. Therefore, we couldn't provide session management to a significant portion of users. Using a JavaScript SSO system for FxAccounts will not satisfy the requirement of "and FxA has to work everywhere".

My understanding is that Safari's default policy is not as simple as "absolutely no third party cookies". 

Do we understand what Safari classifies as a "third party cookie"? E.g., are x.y.com and z.y.com considered to have a "third party relationship"?

Is our understanding of Safari's policy from the Persona context documented somewhere? I found this:

https://github.com/mozilla/browserid/issues/3905#issuecomment-25002218

I also realize that "SSO has to work everywhere" was a little vague. In case there was confusion, I meant all web browsers, not all web sites.

-chris



> On Fri, Nov 8, 2013 at 5:39 PM, Chris Karlof <ckarlof at mozilla.com> wrote:
> One of the goals of Firefox Accounts is to be a single sign on system for relying Mozilla Services. This means after logging in to your FxA, you will be automatically authenticated to all relying Mozilla Services (e.g., Marketplace, Where's My Fox). This should be true both on FxOS and on the Web, on Firefox and non-Firefox browsers.
> 
> My understanding of our plan to support SSO with FxA is to use the Persona Watch API [1], or maybe something very close to it. After a user logs in to her FxA, relying Mozilla services will be notified via .onlogin().
> 
> So what happens when a user logs out of her FxA? I argue the user should be logged out of all relying Mozilla services on that device or browser. A straightforward way to do this with the watch API is use .onlogout().
> 
> My understanding is that Goldilocks API [2] removes .onlogout() due to some combination of Persona reliers not wanting it/not using it/having trouble using it. "Not wanting it" makes total sense to me. It's not obvious that a federated or delegated login system should act like a single sign on system in this regard. Logging out of one organization should not necessarily log you out of a totally different organization.
> 
> But we *are* building a SSO system. I argue we need .onlogout() or something similar to it to notify relying Mozilla services when the user has logged out. If there are issues with .onlogout() not working well, we should address those issues, but I think we "want" it.
> 
> An alternative I've heard is "session cookie assassination", where FxA kills the session cookies of relying Mozilla services on logout. IMO, this is a more fragile approach and is insufficient. I'm not sure how to accomplish this across multiple domains without UA support, and FxA has to work everywhere (i.e., non-Firefox browsers).
> 
> Thoughts? 
> 
> -chris
> 
> [1] https://developer.mozilla.org/en-US/docs/Web/API/navigator.id.watch
> [2] https://groups.google.com/forum/#!topic/mozilla.dev.identity/6_C6JBT5zGw
> 

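The watch-API flow Chris describes above (.onlogin() when the user signs in to FxA, .onlogout() when she signs out), as an added example that is not from the thread or from Mozilla's code: a relying page wires navigator.id.watch, has its own backend verify the assertion before issuing a session, and ends that session itself on logout instead of relying on FxA to kill cookies on a domain it does not control. `idProvider` (standing in for navigator.id), `api` and the "assertion-for:<email>" assertion format are constructed stand-ins so the example runs outside a browser.

```javascript
// Added example (not from the thread): relying party wired to the Persona watch API.
// `idProvider` stands in for navigator.id; `api` is a constructed backend stub.
function createRelyingParty({ idProvider, api, currentUser }) {
  const state = { user: currentUser, events: [] };

  idProvider.watch({
    // Tell the IdP who the relier currently believes is logged in, so it only
    // fires onlogin/onlogout when the relier's view and the IdP's disagree.
    loggedInUser: currentUser,
    onlogin(assertion) {
      // Never trust the assertion in the page: the backend verifies it and
      // only then issues the relier's own session.
      const result = api.verify(assertion);
      if (result.ok) {
        state.user = result.email;
        state.events.push(`login:${result.email}`);
      } else {
        state.user = null;
        state.events.push("login-rejected");
      }
    },
    onlogout() {
      // SSO logout: the relier tears down its own session on its own domain.
      api.logout();
      state.user = null;
      state.events.push("logout");
    },
  });
  return state;
}

// Constructed fake IdP: records the handlers so a caller can drive them.
function fakeIdProvider() {
  let handlers = null;
  return {
    watch(h) { handlers = h; },
    fireLogin(assertion) { handlers.onlogin(assertion); },
    fireLogout() { handlers.onlogout(); },
  };
}

// Constructed fake backend: accepts only assertions shaped "assertion-for:<email>".
function fakeApi() {
  const calls = [];
  return {
    calls,
    verify(a) {
      calls.push("verify");
      const m = /^assertion-for:(.+)$/.exec(a);
      return m ? { ok: true, email: m[1] } : { ok: false };
    },
    logout() { calls.push("logout"); },
  };
}
```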