<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Hi Ryan,</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><blockquote type="cite" class="clean_bq">Do you want to display the pocket website, make calls to the pocket API, <br>or both? Will you be running from a privileged system app or an <br>installable webapp? </blockquote></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">We want to use the Pocket API only in a privileged app. We’ll integrate Pocket service into our TV.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><div><blockquote type="cite" class="clean_bq" style="color: rgb(0, 0, 0); font-family: Helvetica, Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">I'm not very familiar with the mozId API. Can you use it to generate <br>assertions for any audience? From what I can see in [3] it's only <br>possible to generate assertions for your app origin. </blockquote></div><p>I’m trying to decode the assertion generated from FindMyDevice. I found audience is "<a href="https://find.firefox.com">https://find.firefox.com</a>”, so I think we can generate any audience in the assertion.</p><div><br class="Apple-interchange-newline"></div><div>If we can use the native mozId API, it is convenient to users that they don’t need to enter their username/password again. And we can exchange the assertion for a FxA OAuth token or a Pocket access token. Do you know someone is familiar with mozId?</div></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Thanks,</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Tommy</div> <div id="bloop_sign_1440140827641222912" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px">-- <br><p style="font-family: Helvetica,Arial,sans-serif; font-size: 10px; line-height: 12px; color: rgb(33, 33, 33); -moz-user-select: text ! important;"><span style="font-weight: bold; display: inline; -moz-user-select: text ! important;" class="txt signature_name-target sig-hide">Tommy Kuo</span>
<span style="display: inline; -moz-user-select: text ! important;" class="title-sep sep">/</span> <span style="display: inline;" class="txt signature_jobtitle-target sig-hide">Software Engineer</span>
<span style="display: block; -moz-user-select: text ! important;" class="email-sep break"></span>
<a class="link email signature_email-target sig-hide" href="mailto:kuoe0@mozilla.com" style="color: rgb(71, 124, 204); text-decoration: none; display: inline;">kuoe0@mozilla.com</a><span class="txt signature_mobilephone-target sig-hide"></span></p>
<p style="font-family: Helvetica,Arial,sans-serif; font-size: 10px; line-height: 12px; -moz-user-select: text ! important;">
<span style="font-weight: bold; color: rgb(33, 33, 33); display: inline; -moz-user-select: text ! important;" class="txt signature_companyname-target sig-hide">Mozilla Taiwan</span></p></div></div> <br><p class="airmail_on" style="color:#000;">On August 19, 2015 at 20:45:39, Ryan Kelly (<a href="mailto:rfkelly@mozilla.com">rfkelly@mozilla.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div></div><div>On 19/08/2015 01:36, Mozilla wrote:
<br>> We want to make Pocket can use the Firefox account already logged in
<br>> Firefox OS (mozId). We hope that user don’t need to type their
<br>> username/password again if they are already logged in. In other words,
<br>> we want to use a logged in Firefox account to get a access token from
<br>> Pocket.
<br>
<br>This could be tricky, but I'm happy to help work through the details and
<br>see if we can find a way forward.
<br>
<br>Do you want to display the pocket website, make calls to the pocket API,
<br>or both? Will you be running from a privileged system app or an
<br>installable webapp?
<br>
<br>> Does Pocket need to setup something like browserid-verifier[1] in their
<br>> server? And I have looked up some information about the “assertion.”
<br>
<br>Pocket authenticates Firefox Accounts users via our OAuth API [1] rather
<br>than using assertions. We're trying to discourage the use of assertions
<br>in new applications, and limit their existing use to tightly integrated
<br>device-specific apps like Sync and FindMyDevice.
<br>
<br>They also use their own flavor of OAuth to authenticate to their backend
<br>API [2].
<br>
<br>From your description, what I think you'd have to do is something like
<br>the following:
<br>
<br>* Use the native mozId API to generate an assertion for the user
<br>* Exchange that assertion for a Firefox Accounts OAuth token
<br>* Exchange that token for a Pocket OAuth token
<br>* use that token to access the Pocket API
<br>
<br>That's quite a few moving parts.
<br>
<br>I'm not very familiar with the mozId API. Can you use it to generate
<br>assertions for any audience? From what I can see in [3] it's only
<br>possible to generate assertions for your app origin.
<br>
<br>I think I answered your question with more questions, but this is an
<br>interesting use-case so I hope we can drill down and figure out the details.
<br>
<br>
<br> Cheers,
<br>
<br> Ryan
<br>
<br>
<br>[1]
<br>https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction#Login_with_the_FxA_OAuth_HTTP_API
<br>
<br>[2] http://getpocket.com/developer/docs/authentication
<br>
<br>[3] https://developer.mozilla.org/en-US/docs/Firefox-Accounts-on-FirefoxOS
<br></div></div></span></blockquote></body></html>