[freaky friday] assertion verification gone wild

Ryan Kelly rfkelly at mozilla.com
Sun Nov 24 23:20:08 PST 2013


On 23/11/2013 3:36 AM, Lloyd Hilaiel wrote:
> So I set out to write a local verification library in node.js that has full parity with our existing hosted verifier, but is completely standalone.  My criterion for success was to be able to provide only the domain of the fallback as a parameter and be able to discover all configuration via the browserid protocol.
> 
> code’s here for now: https://github.com/lloyd/browserid-local-verify
> 
> Here’s command line lookup via fallback and then bridge:
> https://gist.github.com/lloyd/7602532

Very nice.  Detailed operations and debug info here will be very handy
for folks setting up their own IdPs.  From the code it looks like you've
got very comprehensive output for error cases as well.

> c. How do folks feel about secondary support?  (client expresses an array of trustedIssuers, #0 above)

:thumbsup: to an array here.

I do wonder if it will ever be used with more than one secondary in
practice.  For example, discussion about whether identity-attached
services should trust both persona.org and accounts.firefox.com as
secondaries:


https://github.com/mozilla/fxa-auth-server/issues/292#issuecomment-28614619

But it seems right to make that a policy question rather than a
technical one.

> I did *not* get to the final bit, which is to actually build a server around the library that conforms to the existing REST api of our verifier.

Is the output object from your library essentially what will be output
by the verifier API?  So the top-level keys would be "email",
"idpClaims", "rpClaims", etc?


  Cheers,

    Ryan
