Questions about using FirefoxAccount information

Ryan Kelly rfkelly at mozilla.com
Wed Nov 13 14:14:47 PST 2013


On 14/11/2013 6:51 AM, JR Conlin wrote:
> Hi,
> 
> I'm building a service that uses Firefox Accounts to log a user in and
> associate data to that user. I was unable to discover the answers to
> these questions viewing
> https://wiki.mozilla.org/Identity/FirefoxAccounts, but will happily read
> whatever docs you can point me at.
> 
> As I understand it, login is performed by a gherkin script on the
> browser that returns a certificate. The server I'm building is not
> node.js, so I have a few questions about certificate management:

At a high level, the login flow from the server's perspective is
completely identical to the existing BrowserID login flow (which probably
explains why we haven't documented it separately):

  * Client talks to FxA server to obtain an identity certificate

  * Client uses certificate to sign an identity assertion

  * Client delivers identity assertion to the server to log in

  * Server verifies the identity assertion and exchanges it for
    e.g. a session cookie

> 1) Is the certificate sensitive information (should I protect it from
> inadvertent exposure or is it encrypted such that it's not an issue)?

Yes it is, but the certificate itself should never leave the client
device, so the server shouldn't need to worry about it.  Only signed
identity assertions are seen by the server.

> How easy would it be for an unauthorized agent to spoof being a user if
> they have the certificate?

They would need the corresponding private key, which doesn't leave the
client device.

> 2) Is it possible to pass the certificate to a verification service
> similar to the way that Persona verification worked?

Yes, in fact you will need to do this in exactly the same way as Persona
verification.  We'll have a separate verifier service, details are being
hashed out in:

  https://github.com/mozilla/picl-idp/issues/292

> 3) While I don't really care about the certificate per se, I do need to
> generate a unique identifier for a given user and have that identifier
> match on different devices. Is the certificate unique per machine (e.g.
> certificates from firefoxos devices are different than certificates from
> general servers)? Is it possible to generate a user unique identifier
> from the certificate or its content?

FxA will provide you with a "uid" in addition to the user's email.  This
is a UUID and is intended as a stable user identifier for exactly this
purpose.

I'll work on getting some of these details a bit clearer in the wiki.

And for context for the rest of the list...

> 0) Is Firefox Accounts ready for use by arbitrary services?
> Not yet.

JR's gearing up to work on WheresMyFox, so while the above is good
advice, it doesn't apply in this case ;-)


  Cheers,

    Ryan
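
Added example, not part of the original message and not Mozilla's code: a sketch of the last step of the flow above, where the server decides whether a verifier reply may become a session and keys the account on the stable "uid". The status/reason/email/audience/expires/issuer fields follow the Persona remote verifier's JSON reply; the "uid" field in that reply, the function name and all sample values are assumptions.

```python
import time
import uuid


class AssertionRejected(Exception):
    """Raised when a verifier reply must not result in a login."""


def identity_from_verifier_response(resp, expected_audience, trusted_issuers,
                                    now_ms=None):
    """Return {'uid', 'email'} for the session, or raise AssertionRejected.

    resp is the parsed JSON reply from the verifier service. Carrying "uid"
    in that reply is an assumption made for this example.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if resp.get("status") != "okay":
        raise AssertionRejected(resp.get("reason", "verifier did not return okay"))
    # The assertion must have been signed for this site; otherwise another
    # site that received it could present it here.
    if resp.get("audience") != expected_audience:
        raise AssertionRejected("audience mismatch")
    # "expires" is milliseconds since the epoch.
    expires = resp.get("expires")
    if not isinstance(expires, int) or expires <= now_ms:
        raise AssertionRejected("assertion expired")
    # Only accept identities vouched for by an issuer this service trusts.
    if resp.get("issuer") not in trusted_issuers:
        raise AssertionRejected("untrusted issuer")
    try:
        uid = str(uuid.UUID(resp.get("uid", "")))
    except (ValueError, AttributeError, TypeError):
        raise AssertionRejected("missing or malformed uid")
    # Key server-side data on uid so it matches across the user's devices.
    return {"uid": uid, "email": resp.get("email")}


# Constructed sample reply (not captured from a real verifier).
SAMPLE_OK = {
    "status": "okay",
    "email": "user@example.com",
    "uid": "6f1c2a4e-8b3d-4c5f-9a7e-0d2b4c6e8f10",
    "audience": "https://service.example",
    "expires": 1384381000000,
    "issuer": "idp.example",
}
```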


