<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Apr 7, 2014, at 5:49 PM, Sean McArthur <<a href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><div><div><div><div><div><div><div><div>We got a working oauth flow at the work week, starting from 123done, to login and 123done retrieving an access token! It only took running 6 servers of nchapman's laptop. \o/<br>
<br></div></div></div></div></div></div></div></div></div></blockquote><div><br></div><div>Awesome update Sean!</div><div><br></div><br><blockquote type="cite"><div dir="ltr"><div><div><div><div><div><div><div>- fxa-oauth-server<br></div><div> - working authorization, token, and verify endpoints<br></div><div> - lives at <a href="https://oauth.dev.lcip.org">https://oauth.dev.lcip.org</a><br></div><div> - exploring Ed25519 hawk signing with seanmonstar+warner<br>
</div><div> - sec/privacy review?<br><br></div>- fxa-profile-server<br></div><div> - first Attached Service using oauth<br></div><div> - lives at <a href="https://profile.dev.lcip.org">https://profile.dev.lcip.org</a><br>
</div><div> - has /email endpoint, to retrieve an endpoint once an RP has a token<br></div><div> - accepts scope of "profile" or "profile:email"<br></div><div> - sec/privacy review?<br><br></div>
<div>
- fxa-content-server<br></div><div> - sign-in workflow bare bones, nchapman is refactoring<br></div><div> - <b>[needs UX ]</b> for sign-up flow, permissions, forgot password (perhaps that order?)<br></div></div></div></div></div></div></div></blockquote><div><span class="Apple-tab-span" style="white-space:pre"> </span></div><div>I don't think we need a permission screen for the early May deadline. Forgot password should be prioritized above that. </div><br><blockquote type="cite"><div dir="ltr"><div><div><div><div><div><div> - needs l10n for scopes, but only when we have more scopes, and RPs that aren't whitelisted (whitelisted apps/scopes are automatically approved)<br>
</div><br></div></div></div></div></div></div></blockquote><div><br></div><div>We can start this effort, but it shouldn't block, since we won't have a permission screen for initial reliers.</div><div><br></div><br><blockquote type="cite"><div dir="ltr"><div><div><div><div>- 123done<br></div> - our example RP using oauth, and fetch the user's email from profile server<br></div> - needs an awsbox deploy, zaach<br><br></div>QA: How can I help you feel good about OAuth, besides having unit tests?<br>
</div><div>Metrics: Is there desirable metrics to be had?<br></div><div>RPs: Who's the first RP? Loop? Marketplace? Contacts? Anyway, <br><br></div>Goal for shipping OAuth to production is... first week of May? I don't remember, ckarlof probably does.<br>
<br></div></blockquote><div><br></div><div><br></div><div><br></div><div>The additional security concerns are probably minimal, since you need a client_id and secret to participate, but we could always deploy a production like clone if needed. And yes, we're targeting the first week of May for "something Marketplace and Where's My Device can start to play with". </div><div><br></div><blockquote type="cite"><div dir="ltr">Did I miss anything/anyone?<br><div><br></div></div></blockquote><div><br></div><div>One thing missing from this is "relier libraries", e.g., common FxA visual elements (Sign in/Sign up/Logout buttons, signed in state), JS libs, etc.</div><div><br></div><div>Time's looking tight on all this, but I'm optimistic. :)</div><div><br></div><div>-chris</div><div><br></div></div><br></body></html>