[freaky friday] assertion verification gone wild

Lloyd Hilaiel lhilaiel at mozilla.com
Fri Nov 22 08:36:10 PST 2013


So I set out to write a local verification library in node.js that has full parity with our existing hosted verifier, but is completely standalone.  My criteria for success was to be able to provide only the domain of the fallback as a parameter and be able to discover all configuration via the browserid protocol.

code’s here for now: https://github.com/lloyd/browserid-local-verify

Here’s command line lookup via fallback and then bridge:
https://gist.github.com/lloyd/7602532

Further, I wanted to do the following:

0. support secondaries (also provide a clean way to support legacy forceIssuer):
results: https://github.com/lloyd/browserid-local-verify/blob/8b51f42e/lib/verify.js#L173-L177

1. support extended idp claims (needed for FxA and to support features like unverified-email, also desired by our payswarm friends)
results: https://github.com/lloyd/browserid-local-verify/blob/8b51f42/tests/idp-claims.js

2. extended rp claims (wanted by our webrtc brethren)
(supported but not yet tested, return object includes uaClaims object)

3. create a minimalistic pile of code from which a spec can be derived. (and which lays bare need for improvements)
645 lines

4. create rigorous tests so that we can evolve jwcrypto with confidence that we won’t break anything
1161 lines
includes regression tests: https://github.com/lloyd/browserid-local-verify/tree/8b51f42e/tests/regression-cases
92% test coverage: http://people.mozilla.org/~lhilaiel/coverage.html

5. support metrics and logging requirements of our existing verifier (see event stuff in README.md)

Here are the questions that I have:
a. how does the API feel?  - https://github.com/lloyd/browserid-local-verify/blob/8b51f42/README.md
b. How do folks feel about IdP claims extraction: https://github.com/lloyd/browserid-local-verify/blob/8b51f42e/lib/verify.js#L31-L58
c. How do folks feel about secondary support?  (client expresses an array of trustedIssuers, #0 above)
d. How do folks feel about the non-standard support document in our fallback and the required gyrations to deal with it: https://github.com/lloyd/browserid-local-verify/commit/8b51f42e

I did *not* get to the final bit, which is to actually build a server around the library that conforms to the existing REST api of our verifier.  I do think that’s going to be quick.

that’s all for now!
lloyd




More information about the Dev-fxacct mailing list