<p dir="ltr">That code would make the verifier error, stating wrong scheme. It's https. I'm submitting the assertion to the verifier we host, can't recall the URL, in case you want to see the response I receive with your assertion. </p>
<div class="gmail_quote">On May 22, 2014 1:57 PM, "JR Conlin" <<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Sounds absolutely reasonable. The problem I'm having is that sending the<br>
assertion from the device fails to validate on the server. On the<br>
client, we're using<br>
<br>
navigator.mozId.watch({<br>
wantIssuer: "firefox-accounts",<br>
audience: "<a href="http://oauth.dev.lcip.org" target="_blank">http://oauth.dev.lcip.org</a>",<br>
... })<br>
<br>
On the server, I'm currently using<br>
POST <a href="https://oauth.dev.lcip.org/v1/authorization" target="_blank">https://oauth.dev.lcip.org/v1/authorization</a><br>
{client_id: ... , assertion: ... , state: ... }<br>
<br>
Should I be using the browserid validation endpoint on the server instead?<br>
<br>
<br>
On 2014/5/22 10:01 AM, Chris Karlof wrote:<br>
> +dev-fxacct<br>
><br>
> Oauth isn't supported natively on device at the moment. It's a web only flow. I'd suggest that for 2.0, the FxOS apps rely on getting BiD assertions from navigator.mozId and submit those to our BiD verifier on the backend to get the logged in user. We can improve/unify these in the future.<br>
><br>
> -chris<br>
><br>
><br>
> On May 22, 2014, at 8:49 AM, JR Conlin <<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>> wrote:<br>
><br>
>> I have set the audience on the code in the FxOS emulator to<br>
>> <a href="http://oauth.dev.lcip.org" target="_blank">oauth.dev.lcip.org</a> and still fail to validate the assertion (400/104).<br>
>><br>
>><br>
>><br>
>> On 2014/5/21 5:34 PM, Sean McArthur wrote:<br>
>>> The audience needs to match the oauth server, so in this case,<br>
>>> <a href="http://oauth.dev.lcip.org" target="_blank">oauth.dev.lcip.org</a> <<a href="http://oauth.dev.lcip.org" target="_blank">http://oauth.dev.lcip.org</a>>.<br>
>>><br>
>>> Roping in Karlof, cause I'm not sure about the flow. I imagine we'd want<br>
>>> FxOS to also go through the content server, but what do I know.<br>
>>><br>
>>> On May 21, 2014 7:19 PM, "JR Conlin" <<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a><br>
>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>>> wrote:<br>
>>><br>
>>> Having talked with ggp, I think I kinda agree that WebApps should stick<br>
>>> with using navigator.mozId for some of this, rather than fall back to a<br>
>>> complicated set of iframes and postmessage hooks[1].<br>
>>><br>
>>> That leads me back to trying to validate the passed assertion using<br>
>>> POST <a href="https://oauth.dev.lcip.org/v1/authorization" target="_blank">https://oauth.dev.lcip.org/v1/authorization</a><br>
>>> <a href="https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization" target="_blank">https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization</a><br>
>>><br>
>>> This is currently failing for me:<br>
>>> {"assertion":"eyJhbGciOiJSUzI1NiJ9.eyJmeGEtZ2VuZXJhdGlvbiI6MTQwMDE5NDA0OTY5MiwiZnhhLWxhc3RBdXRoQXQiOjE0MDA3MTA5NzYsImZ4YS12ZXJpZmllZEVtYWlsIjoidGVzdCtiMmdAdW5pdGVkaGVyb2VzLm5ldCIsInB1YmxpYy1rZXkiOnsiYWxnb3JpdGhtIjoiRFMiLCJ5IjoiYWIxZGY4YTkxMzRmY2YzYWEwZGQ1OTJlZDg5MDNjMTAzZjA0YzQxMGYxMmQ5OGFiMGU1NjY4MDc0NDAzZjU1ZTZiM2NkOTRmN2EzNTA1MTI4ZDRiZmUyNWVhZGJlYjM0MzdkNmY0YTU5Y2ZiYjIzYTNiYTVlZjMxMmMzZDJlNWJlNDZjODAzMWQxMGY5NTQ0ZDNlMzhiOGZhOThjYmRjODQ1MmRmZjZiMDlkMjViMTU3ZWQ0ZDM1N2ZiNmU1MjU5OTM0YjI0Mjk0Y2E5MmU2NzZjZjFmZDUxNjdkMDg2ZTQyMDc3MjFjNzU3NTRlZWJiNTBiNjVhN2I4NDEzYWEzYSIsInAiOiJmZjYwMDQ4M2RiNmFiZmM1YjQ1ZWFiNzg1OTRiMzUzM2Q1NTBkOWYxYmYyYTk5MmE3YThkYWE2ZGMzNGY4MDQ1YWQ0ZTZlMGM0MjlkMzM0ZWVlYWFlZmQ3ZTIzZDQ4MTBiZTAwZTRjYzE0OTJjYmEzMjViYTgxZmYyZDVhNWIzMDVhOGQxN2ViM2JmNGEwNmEzNDlkMzkyZTAwZDMyOTc0NGE1MTc5MzgwMzQ0ZTgyYTE4YzQ3OTMzNDM4Zjg5MWUyMmFlZWY4MTJkNjljOGY3NWUzMjZjYjcwZWEwMDBjM2Y3NzZkZmRiZDYwNDYzOGMyZWY3MTdmYzI2ZDAyZTE3IiwicSI6ImUyMWUwNGY5MTFkMWVkNzk5MTAwOGVjYWFiM2JmNzc1OTg0MzA5YzMiLCJnIj<br>
o<br>
>> iYzUyY<br>
>>> TRhMGZmM2I3ZTYxZmRmMTg2N2NlODQxMzgzNjlhNjE1NGY0YWZhOTI5NjZlM2M4MjdlMjVjZmE2Y2Y1MDhiOTBlNWRlNDE5ZTEzMzdlMDdhMmU5ZTJhM2NkNWRlYTcwNGQxNzVmOGViZjZhZjM5N2Q2OWUxMTBiOTZhZmIxN2M3YTAzMjU5MzI5ZTQ4MjliMGQwM2JiYzc4OTZiMTViNGFkZTUzZTEzMDg1OGNjMzRkOTYyNjlhYTg5MDQxZjQwOTEzNmM3MjQyYTM4ODk1YzlkNWJjY2FkNGYzODlhZjFkN2E0YmQxMzk4YmQwNzJkZmZhODk2MjMzMzk3YSJ9LCJwcmluY2lwYWwiOnsiZW1haWwiOiIyOTY1OTU4Yjc3MmI0YjhiOGZhYzU0NWM1YmY3MWU1ZkBhcGkuYWNjb3VudHMuZmlyZWZveC5jb20ifSwiaWF0IjoxNDAwNzEwOTY4MTYxLCJleHAiOjE0MDA3MzI1NzgxNjEsImlzcyI6ImFwaS5hY2NvdW50cy5maXJlZm94LmNvbSJ9.CfzEQEJSBhfPyn7gzMpYIdGljUq1Hi8WaOOrfKs41Y1Zx0m9Tn2WciqgjYl6QhFvH7dXsHHfghxNYPCewt7l3pfCLuDhVdV1030L5dFtrebAsSJepXF5xkWpT0QgXCdMdkwk_hZYxdJZHufbtoBJCPozrwzl5PrelgYsne-8F_kCRk5LkKFqBKVh28aUiSOANPSA8-NZoADe0zIJ2iv_zUgX2pNYTZGJ5WxYCzI2QWSFR0xanGbtejRx8qBdjk9qBJ2sR9h8n2d87ITwiF8E4smFV4htfopkGrQsGBUWy91Tqc4LUVNlk55VHyOCwwWaPpVE7pgAAENjHM_K0eoUKA~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjIxODkxMTEzNDA1OTMsImF1ZCI6Imh0dHA6Ly9hcGkuYWNjb3VudHMuZmlyZWZveC5jb2<br>
0<br>
>> ifQ==.q<br>
>>> yvgrkEr2eipB2EKvd3q9OZqw54NtoEHKoteZ7VZTR7V1yv6lZJhTQ==","client_id":"344e8ade775e8b15","state":"state"}<br>
>>> ### parseBody: {"code":400,"errno":104,"error":"Bad<br>
>>> Request","message":"Invalid assertion"}<br>
>>><br>
>>> The assertion decompiles from base64 correctly (the body is:<br>
>>> {"fxa-generation":1400194049692,"fxa-lastAuthAt":1400696318,"fxa-verifiedEmail":"<a href="mailto:test%2Bb2g@unitedheroes.net">test+b2g@unitedheroes.net</a><br>
>>> <mailto:<a href="mailto:test%252Bb2g@unitedheroes.net">test%2Bb2g@unitedheroes.net</a>>","public-key":{"algorithm":"DS","y":"93c626d9e10c2f38cad40a9c8d10469da5e412b1f06f2410ec7a07d9b7081a9d839bbd8b4c29a4d385626efae8e8234dfecb6098d6bce1433eed6eb99381f0888d2e7bcfc2e8138e62ebe584f50c9e8e197ff77bc3aec30170b7e1a05ceb5b6c9cbd34d0b82c9cf8d3d5da553837a5a1405e05c0b1e15b8bc4c715572c81c9e0","p":"ff600483db6abfc5b45eab78594b3533d550d9f1bf2a992a7a8daa6dc34f8045ad4e6e0c429d334eeeaaefd7e23d4810be00e4cc1492cba325ba81ff2d5a5b305a8d17eb3bf4a06a349d392e00d329744a5179380344e82a18c47933438f891e22aeef812d69c8f75e326cb70ea000c3f776dfdbd604638c2ef717fc26d02e17","q":"e21e04f911d1ed7991008ecaab3bf775984309c3","g":"c52a4a0ff3b7e61fdf1867ce84138369a6154f4afa92966e3c827e25cfa6cf508b90e5de419e1337e07a2e9e2a3cd5dea704d175f8ebf6af397d69e110b96afb17c7a03259329e4829b0d03bbc7896b15b4ade53e130858cc34d96269aa89041f409136c7242a38895c9d5bccad4f389af1d7a4bd1398bd072dffa896233397a"},"principal":{"email":<br>
>>> "<a href="mailto:2965958b772b4b8b8fac545c5bf71e5f@api.accounts.firefox.com">2965958b772b4b8b8fac545c5bf71e5f@api.accounts.firefox.com</a><br>
>>> <mailto:<a href="mailto:2965958b772b4b8b8fac545c5bf71e5f@api.accounts.firefox.com">2965958b772b4b8b8fac545c5bf71e5f@api.accounts.firefox.com</a>>"},"iat":1400696310447,"exp":1400717920447,"iss":"<a href="http://api.accounts.firefox.com" target="_blank">api.accounts.firefox.com</a><br>
>>> <<a href="http://api.accounts.firefox.com" target="_blank">http://api.accounts.firefox.com</a>>"}'<br>
>>> which has the correct verifiedEmail in it.<br>
>>><br>
>>> I'm currently setting the audience to the oauth host<br>
>>> "<a href="https://accounts.dev.lcip.org" target="_blank">https://accounts.dev.lcip.org</a>", however I've tried just about every<br>
>>> other audience target I can think of and none of the assertions are<br>
>>> validating. Am I misunderstanding what the flow should be?<br>
>>><br>
>>> [1] the original app contract is to use mozId, mostly because then you<br>
>>> get the joy of the event handlers for login/logout, etc. While it's<br>
>>> possible to do that as well as do the iframe based login, it seems<br>
>>> redundant and requires significant reworking of the client code to get<br>
>>> this right. The docs provide a means for the server to get the<br>
>>> information using an assertion. Frankly, all I really care about is<br>
>>> validating the damn assertion and I'll rip the <expletive><br>
>>> "fxa-verifiedemail" out of it myself.<br>
>>><br>
>>><br>
>>> On 2014/5/20 4:23 PM, Sean McArthur wrote:<br>
>>>> Feels better to talk about Weapons of Mass Destruction...<br>
>>>><br>
>>>> Here's the validation that Hapi does before I ever get to touch the<br>
>>>> request:<br>
>>> <a href="https://github.com/mozilla/fxa-oauth-server/blob/master/lib/routes/authorization.js#L35-L40" target="_blank">https://github.com/mozilla/fxa-oauth-server/blob/master/lib/routes/authorization.js#L35-L40</a><br>
>>>><br>
>>>> The assertions I'm generating in the test suite pass, so what's<br>
>>> different?<br>
>>>>><br>
>>>>> On 5/20/2014 4:13:56 PM, Jed Parsons <<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a><br>
>>> <mailto:<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a>>>wrote:<br>
>>>>><br>
>>>>><br>
>>>>> Flan of Mass Destruction?<br>
>>>>><br>
>>>>> Flamingoes of Mass Diversity?<br>
>>>>> Fresnel lenses of Mass Defocus?<br>
>>>>><br>
>>>>><br>
>>>>> On Tue, May 20, 2014 at 4:09 PM, JR Conlin <<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a><br>
>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>><br>
>>>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>>>> wrote:<br>
>>>>><br>
>>>>> Well, technically, it's now Find My Device.<br>
>>>>><br>
>>>>> So, you know, FMD.<br>
>>>>><br>
>>>>><br>
>>>>> ----- Original Message -----<br>
>>>>> From: "Jed Parsons" <<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a><br>
>>> <mailto:<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a>> <mailto:<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a><br>
>>> <mailto:<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a>>>><br>
>>>>> To: "Sean McArthur" <<a href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a><br>
>>> <mailto:<a href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a>><br>
>>>>> <mailto:<a href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a> <mailto:<a href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a>>>><br>
>>>>> Cc: "JR Conlin" <<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a><br>
>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a><br>
>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>>>><br>
>>>>> Sent: Tuesday, May 20, 2014 4:08:51 PM<br>
>>>>> Subject: Re: FxA and assertions from mobile devices<br>
>>>>><br>
>>>>> Is our group the only one that calls this thing WMD? Because I<br>
>>>>> love that.<br>
>>>>><br>
>>>>><br>
>>>>> On Tue, May 20, 2014 at 4:04 PM, Sean McArthur<br>
>>>>> <<a href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a> <mailto:<a href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a>><br>
>>> <mailto:<a href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a> <mailto:<a href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a>>>>wrote:<br>
>>>>><br>
>>>>>> The `client_id` is the unique id I gave you for WMD. The OAuth<br>
>>>>> server<br>
>>>>>> needs to get this back, so it knows what application will<br>
>>> be getting<br>
>>>>>> permission to view a user's data.<br>
>>>>>><br>
>>>>>> On 5/20/2014 4:02:46 PM, Jed Parsons <<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a><br>
>>> <mailto:<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a>><br>
>>>>> <mailto:<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a> <mailto:<a href="mailto:jedp@jedparsons.com">jedp@jedparsons.com</a>>>>wrote:<br>
>>>>>><br>
>>>>>> Oh this is the oauth stuff! Ok. Welp, I really want to learn<br>
>>>>> more about<br>
>>>>>> this, too. I'm not sure how this is done on client, or will be<br>
>>>>> done. I<br>
>>>>>> would guess that, on desktop, this is all in the jelly<br>
>>>>> somewhere? But we<br>
>>>>>> don't have this on fxos, as far as I know.<br>
>>>>>><br>
>>>>>> Seanmonstar, do you know more about what bits are where?<br>
>>>>>><br>
>>>>>> Thanks<br>
>>>>>> j<br>
>>>>>><br>
>>>>>><br>
>>>>>> On Tue, May 20, 2014 at 3:13 PM, JR Conlin<br>
>>> <<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>><br>
>>>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>>>><br>
>>> wrote:<br>
>>>>>><br>
>>>>>>> Thanks, I'll dig into that.<br>
>>>>>>><br>
>>>>>>> The client_id is a parameter specified in the docs:<br>
>>>>>>><br>
>>>>>>><br>
>>>>><br>
>>> <a href="https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization" target="_blank">https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization</a><br>
>>>>>>><br>
>>>>>>> If I don't pass a client_id in the object, the assertion<br>
>>> returns an<br>
>>>>>>> error pointing to the assertion field. (my apologies, but I've<br>
>>>>> had to<br>
>>>>>>> switch branches due to a time constraint.)<br>
>>>>>>><br>
>>>>>>> On 2014/5/20 2:34 PM, Jed Parsons wrote:<br>
>>>>>>>><br>
>>>>>>>> This is where the RP's onlogin() method gets called, so you<br>
>>>>> could start<br>
>>>>>>>> monkey-patching here:<br>
>>>>>>>><br>
>>>>>>>><br>
>>>>>>><br>
>>>>><br>
>>> <a href="https://mxr.mozilla.org/mozilla-central/source/dom/identity/nsDOMIdentity.js#482" target="_blank">https://mxr.mozilla.org/mozilla-central/source/dom/identity/nsDOMIdentity.js#482</a><br>
>>>>>>>><br>
>>>>>>>> But what is this client_id of which you speak? Do you<br>
>>> mean a<br>
>>>>> unique<br>
>>>>>>>> device id? Or FxAccounts user id?<br>
>>>>>>>><br>
>>>>>>>><br>
>>>>>>>><br>
>>>>>>>> On Tue, May 20, 2014 at 2:25 PM, JR Conlin<br>
>>>>> <<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>><br>
>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>>><br>
>>>>>>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a><br>
>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a><br>
>>> <mailto:<a href="mailto:jrconlin@mozilla.com">jrconlin@mozilla.com</a>>>>><br>
>>>>> wrote:<br>
>>>>>>>><br>
>>>>>>>> Sorry if this is obvious, but I'm not at all clear<br>
>>> on the<br>
>>>>> flow, and<br>
>>>>>>> I'm<br>
>>>>>>>> trying to piece things together as best I can.<br>
>>>>>>>><br>
>>>>>>>> On FxOS, a webapp watches firefox-accounts and binds a<br>
>>>>> function to<br>
>>>>>>>> onlogin. That function gets an assertion record as<br>
>>> it's only<br>
>>>>>>> argument,<br>
>>>>>>>> which is then passed to it's server for login purposes.<br>
>>>>>>>><br>
>>>>><br>
>>> <a href="https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md" target="_blank">https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md</a><br>
>>>>>>>><br>
>>>>>>>> The server can then call POST /v1/authorization<br>
>>> passing the<br>
>>>>>>> assertion.<br>
>>>>>>>> I'm not sure how the server knows the client_id of the<br>
>>>>> request. (I'm<br>
>>>>>>>> trying to dig into it using the emulator, and I lack<br>
>>>>> knowledge of<br>
>>>>>>> the<br>
>>>>>>>> space.)<br>
>>>>>>>><br>
>>>>>>>> Is this correct? If not, can you point me to the docs<br>
>>>>> that might<br>
>>>>>>> show<br>
>>>>>>>> the app flow so I can try to chicken wire in the<br>
>>>>> client_id to get<br>
>>>>>>> passed<br>
>>>>>>>> down to the server?<br>
>>>>>>>><br>
>>>>>>>> thanks!<br>
<br>
</blockquote></div>