<div dir="ltr"><div>The plan as of last fall was to move aggressively towards OAuth on device. OAuth support got better last summer. The problem is that logging in on device happens via mozId, and someone needs to replace that with OAuth (or integrate, though that is much kludgier and maybe not much easier).<br><br></div>I would talk to Fernando Jimenez or Francisco Jordano about getting FxOS resources for that work.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 24, 2015 at 10:38 PM, Ryan Kelly <span dir="ltr">&lt;<a href="mailto:rfkelly@mozilla.com" target="_blank">rfkelly@mozilla.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 21/08/2015 17:30, Tommy Kuo wrote:<br>
>> Do you want to display the pocket website, make calls to the pocket API,<br>
>> or both? Will you be running from a privileged system app or an<br>
>> installable webapp?<br>
><br>
> We want to use the Pocket API only in a privileged app. We’ll integrate<br>
> Pocket service into our TV.<br>
><br>
>> I'm not very familiar with the mozId API. Can you use it to generate<br>
>> assertions for any audience? From what I can see in [3] it's only<br>
>> possible to generate assertions for your app origin.<br>
><br>
> I’m trying to decode the assertion generated from FindMyDevice. I found<br>
> audience is "<a href="https://find.firefox.com" rel="noreferrer" target="_blank">https://find.firefox.com</a>", so I think we can generate any<br>
> audience in the assertion.<br>
><br>
> If we can use the native mozId API, it is convenient to users that they<br>
> don’t need to enter their username/password again. And we can exchange<br>
> the assertion for a FxA OAuth token or a Pocket access token. Do you<br>
> know someone who is familiar with mozId?<br>
<br>
</span>Casting a wide net here...<br>
<br>
IIRC Jared Hirsch (cc'd) did some work on it a while ago, but the code<br>
hasn't been very active for some time. Fernando Moreno and Michiel de<br>
Jong (also cc'd) are working on some Firefox Accounts integrations in<br>
FxOS so they might be able to offer some insight.<br>
<br>
Jared, Fernando, Michiel, there's extra context below, but the broad ask<br>
here is that Tommy's team would like to connect to Pocket from Firefox<br>
OS, and Pocket authenticates using the FxA OAuth API.<br>
<br>
Do you know of any existing code in Firefox OS that's using the FxA<br>
OAuth APIs?<br>
<br>
If not, a more specific question that would let us work towards that is:<br>
can a privileged app use the mozId API to produce a FxA assertion for<br>
any target audience?<br>
<br>
Thanks for any insight you may be able to provide,<br>
<br>
<br>
Ryan<br>
<span class=""><br>
<br>
> On August 19, 2015 at 20:45:39, Ryan Kelly (<a href="mailto:rfkelly@mozilla.com">rfkelly@mozilla.com</a><br>
</span>> &lt;mailto:<a href="mailto:rfkelly@mozilla.com">rfkelly@mozilla.com</a>&gt;) wrote:<br>
<div class="HOEnZb"><div class="h5">><br>
>> On 19/08/2015 01:36, Tommy Kuo wrote:<br>
>> > We want Pocket to be able to use the Firefox account already logged in to<br>
>> > Firefox OS (mozId). We hope that users don’t need to type their<br>
>> > username/password again if they are already logged in. In other words,<br>
>> > we want to use a logged-in Firefox account to get an access token from<br>
>> > Pocket.<br>
>><br>
>> This could be tricky, but I'm happy to help work through the details and<br>
>> see if we can find a way forward.<br>
>><br>
>> Do you want to display the pocket website, make calls to the pocket API,<br>
>> or both? Will you be running from a privileged system app or an<br>
>> installable webapp?<br>
>><br>
>> > Does Pocket need to set up something like browserid-verifier[1] in their<br>
>> > server? And I have looked up some information about the “assertion.”<br>
>><br>
>> Pocket authenticates Firefox Accounts users via our OAuth API [1] rather<br>
>> than using assertions. We're trying to discourage the use of assertions<br>
>> in new applications, and limit their existing use to tightly integrated<br>
>> device-specific apps like Sync and FindMyDevice.<br>
>><br>
>> They also use their own flavor of OAuth to authenticate to their backend<br>
>> API [2].<br>
>><br>
>> From your description, what I think you'd have to do is something like<br>
>> the following:<br>
>><br>
>> * Use the native mozId API to generate an assertion for the user<br>
>> * Exchange that assertion for a Firefox Accounts OAuth token<br>
>> * Exchange that token for a Pocket OAuth token<br>
>> * Use that token to access the Pocket API<br>
>><br>
>> That's quite a few moving parts.<br>
>><br>
>> I'm not very familiar with the mozId API. Can you use it to generate<br>
>> assertions for any audience? From what I can see in [3] it's only<br>
>> possible to generate assertions for your app origin.<br>
>><br>
>> I think I answered your question with more questions, but this is an<br>
>> interesting use-case so I hope we can drill down and figure out the<br>
>> details.<br>
>><br>
>><br>
>> Cheers,<br>
>><br>
>> Ryan<br>
>><br>
>><br>
>> [1]<br>
>> <a href="https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction#Login_with_the_FxA_OAuth_HTTP_API" rel="noreferrer" target="_blank">https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction#Login_with_the_FxA_OAuth_HTTP_API</a><br>
>><br>
>><br>
>> [2] <a href="http://getpocket.com/developer/docs/authentication" rel="noreferrer" target="_blank">http://getpocket.com/developer/docs/authentication</a><br>
>><br>
>> [3]<br>
>> <a href="https://developer.mozilla.org/en-US/docs/Firefox-Accounts-on-FirefoxOS" rel="noreferrer" target="_blank">https://developer.mozilla.org/en-US/docs/Firefox-Accounts-on-FirefoxOS</a><br>
</div></div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Dev-fxacct mailing list<br>
<a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/dev-fxacct" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a><br>
</div></div></blockquote></div><br></div>
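The audience question raised in the thread can be checked by decoding an assertion and comparing its `aud` field, as in this added example (not code from the thread or from any Mozilla project). It assumes the BrowserID backed-assertion layout of `~`-joined JWS parts with `exp` in milliseconds; the function names, issuer, user and signatures are constructed placeholders, and signatures are not verified.

```javascript
// Added example: inspect a BrowserID backed assertion and check its audience.
// Assumed format: certificate(s) and a final assertion joined by "~", each a
// JWS "header.payload.signature" in base64url. Signatures are NOT verified.

function fromB64url(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function toB64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeBackedAssertion(bundle) {
  const parts = bundle.split('~');
  if (parts.length < 2) throw new Error('expected cert~assertion');
  const payloads = parts.map((jws) => {
    const segs = jws.split('.');
    if (segs.length !== 3) throw new Error('malformed JWS part');
    return fromB64url(segs[1]);
  });
  const assertion = payloads.pop(); // last part is the assertion itself
  return { certs: payloads, assertion };
}

// The relying party's check: reject an assertion minted for another audience.
// Exact string match is a simplification; `exp` is assumed to be in ms.
function checkAudience(bundle, expectedAudience, nowMs) {
  const { certs, assertion } = decodeBackedAssertion(bundle);
  if (assertion.aud !== expectedAudience) {
    return { ok: false, reason: 'audience mismatch', aud: assertion.aud };
  }
  if (typeof assertion.exp !== 'number' || assertion.exp <= nowMs) {
    return { ok: false, reason: 'expired', aud: assertion.aud };
  }
  const principal = certs[0].principal || {};
  return { ok: true, aud: assertion.aud, email: principal.email };
}

// Constructed sample (placeholder signatures, made-up issuer and user).
function constructedSample() {
  const hdr = toB64url({ alg: 'RS256' });
  const cert = { iss: 'issuer.example.invalid', exp: 1440500000000,
                 principal: { email: 'user@example.invalid' } };
  const assertion = { aud: 'https://find.firefox.com', exp: 1440500000000 };
  return `${hdr}.${toB64url(cert)}.c2ln~${hdr}.${toB64url(assertion)}.c2ln`;
}
```

A service that receives an assertion whose `aud` names a different origin gets `audience mismatch` here, which is why the exchange step in the thread depends on whether mozId will mint assertions for an audience other than the app's own origin.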