Questions about using FirefoxAccount information
spenrose at mozilla.com
Wed Nov 13 14:09:24 PST 2013
Hey JR --
I'm not the right person to answer these, but I hate seeing a fellow left hanging, so I'm going to give it a shot. Let's start with a question you didn't ask.
0) Is Firefox Accounts ready for use by arbitrary services?
----- Original Message -----
From: "JR Conlin" <jrconlin at mozilla.com>
To: dev-fxacct at mozilla.org
Sent: Wednesday, November 13, 2013 11:51:53 AM
Subject: Questions about using FirefoxAccount information
I'm building a service that uses Firefox Accounts to log a user in and
associate data to that user. I was unable to discover the answers to
these questions viewing
https://wiki.mozilla.org/Identity/FirefoxAccounts, but will happily read
whatever docs you can point me at.
As I understand it, login is performed by a gherkin script on the
browser that returns a certificate. The server I'm building is not
node.js, so I have a few questions about certificate management:
1) Is the certificate sensitive information (should I protect it from
inadvertent exposure or is it encrypted such that it's not an issue)?
How easy would it be for an unauthorized agent to spoof being a user if
they have the certificate?
Yes, the certificate says "I, accounts.firefox.com, verify that this user agent owns the Firefox Account tied to this email address for this audience." You should not share that, although I believe the only (main?) threat is in the context of your service.
2) Is it possible to pass the certificate to a verification service
similar to the way that Persona verification worked?
We're going to stand one up for assertions generated by the certificate. See https://github.com/mozilla/picl-idp/issues/292
3) While I don't really care about the certificate per se, I do need to
generate a unique identifier for a given user and have that identifier
match on different devices. Is the certificate unique per machine (e.g.
certificates from firefoxos devices are different than certificates from
general servers)? Is it possible to generate a user unique identifier
from the certificate or its content?
The system allows you to certificate (verb) the user's email address as unique for the purpose of Firefox Accounts.
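The claim checks a relying party would run on a Persona/BrowserID-style backed assertion (a "certificate~assertion" bundle, each part a JWT), written here as an added example and not code from this thread or from the Firefox Accounts project. It assumes the standard BrowserID claim names (`iss`, `aud`, `exp` in milliseconds, `principal.email`, `public-key`) and leaves signature verification to a caller-supplied function, since that needs the issuer's published public key.

```python
import base64
import json
import time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _jwt_payload(token: str) -> dict:
    # JWT = header.payload.signature, base64url-encoded without padding.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    pad = "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(parts[1] + pad))

def check_backed_assertion(bundle, audience, issuer, verify_sig, now=None):
    """Return the certified email if all claim checks pass, else raise.
    verify_sig(token, signer) must check the JWS signature against the
    signer's public key (the issuer's key, or the user-agent key the
    certificate carries); the caller supplies it."""
    now = time.time() if now is None else now
    parts = bundle.split("~")
    if len(parts) != 2:
        raise ValueError("bundle must be exactly certificate~assertion")
    cert, assertion = parts
    cert_claims, assert_claims = _jwt_payload(cert), _jwt_payload(assertion)
    # The certificate must come from the identity provider we trust.
    if cert_claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    # The assertion must name this service: one minted for another site
    # must not log anyone in here.
    if assert_claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    # Both parts carry 'exp' in milliseconds since the epoch.
    if min(cert_claims.get("exp", 0), assert_claims.get("exp", 0)) / 1000 <= now:
        raise ValueError("expired")
    # Certificate signed by the issuer; assertion by the certified key.
    if not verify_sig(cert, issuer):
        raise ValueError("bad certificate signature")
    if not verify_sig(assertion, cert_claims.get("public-key")):
        raise ValueError("bad assertion signature")
    email = cert_claims.get("principal", {}).get("email")
    if not email:
        raise ValueError("certificate names no principal")
    return email  # the stable per-user identifier across devices

def demo_bundle(audience, exp_ms, issuer="accounts.firefox.com"):
    # Constructed sample input with placeholder signatures, for offline use only.
    def tok(claims):
        body = _b64url(json.dumps(claims).encode())
        return ".".join([_b64url(b'{"alg":"RS256"}'), body, "placeholder-sig"])
    cert = tok({"iss": issuer, "exp": exp_ms, "public-key": {"algorithm": "RS"},
                "principal": {"email": "user@example.test"}})
    return cert + "~" + tok({"aud": audience, "exp": exp_ms})
```

With a real `verify_sig` the returned email is the value to key the user's data on; the audience and expiry checks are what keep a bundle captured from another service from being replayed against yours.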