<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">If I am not wrong, the smart TV is ridding on FxOS 2.5 train. If that's correct, the deadline is November. I don't think we can have any other thing than the current navigator.mozId without the password request for privileged apps. I just filed [1] for that BTW.<div class=""><br class=""></div><div class="">I agree that the appropriate next steps for FxA in FxOS are [2] (to get rid of the native flow) and [3] (to get rid of navigator.mozId). But I am afraid that it is not realistic to say that we can have that for 2.5. Specially with the lack of resources that we currently have.</div><div class=""><br class=""></div><div class="">I'll be happy to help integrating mozId into Pocket and helping to fix [1] if that's the final agreement.</div><div class=""><div class=""><br class=""></div><div class="">Cheers,</div><div class=""><br class=""></div><div class="">/ Fernando</div><div class=""><br class=""></div><div class="">[1] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1199585" class="">https://bugzilla.mozilla.org/show_bug.cgi?id=1199585</a></div><div class="">[2] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1198639" class="">https://bugzilla.mozilla.org/show_bug.cgi?id=1198639</a></div><div class="">[3] <a href="http://www.w3.org/TR/credential-management/" class="">http://www.w3.org/TR/credential-management/</a><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Aug 28, 2015, at 7:03 AM, Ryan Kelly <<a href="mailto:rfkelly@mozilla.com" class="">rfkelly@mozilla.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">On 28/08/2015 13:02, Shih-Chiang Chien wrote:<br class=""><blockquote type="cite" class="">Currently the Firefox Account doesn't provide an integrated login<br class="">experience on Firefox OS. For example, user need to typing password<br class="">again for using Pocket service even if they've already login in FxA in<br class="">settings app.<br class=""><br class="">On Firefox Desktop user can simply grant site permission on fx account<br class="">login page when FxA is already login in browser, without typing password<br class="">again. I think this is done by using IdentityManager API [1].<br class=""></blockquote><br class="">No, it doesn't use the IdentityManager API.<br class=""><br class="">The Pocket login flow is entirely web-based and performs an OAuth2 dance<br class="">with <a href="https://accounts.firefox.com" class="">https://accounts.firefox.com</a> [1].<br class=""><br class="">The reason this (usually) works seamlessly on Desktop, is that Desktop<br class="">uses web content from <a href="http://accounts.firefox.com" class="">accounts.firefox.com</a> for logging in to sync. So<br class="">if you've logged into sync on Desktop, then you have cookies and session<br class="">state on <a href="http://accounts.firefox.com" class="">accounts.firefox.com</a>, which it can use to log you in to Pocket<br class="">without re-entering your password.<br class=""><br class="">If Firefox OS moves to using web content for its login API [2] then it<br class="">may get a similar experience without much extra work.<br class=""><br class=""><blockquote type="cite" class="">I don't know why we didn't apply the same technology on Firefox OS in<br class="">the past, but it'll enable 3rd-party service on TV with better login<br class="">experience because typing is a painful task on TV. We can leverage<br class="">navigator.mozId with some adjustment of permission model of<br class="">"moz-firefox-accounts".<br class=""></blockquote><br class="">There are a couple of ways forward here.<br class=""><br class="">If you just want to get something up and running quickly, then your<br class="">privileged app could use navigator.mozId to drive the OAuth2 login dance<br class="">with Pocket, essentially taking over the work done by<br class=""><a href="https://accounts.firefox.com" class="">https://accounts.firefox.com</a> in the desktop integration. I'm happy to<br class="">suggest more details here if you want to explore it, but I suspect it<br class="">would be quite fragile.<br class=""><br class="">A cleaner approach would be to invest some time in designing and<br class="">building a replacement for navigator.mozId that supports OAuth2, as<br class="">hinted at in [3]. The navigator.credentials API [4] has been suggested<br class="">as a potential candidate for this. IIUC this would be a large amount of<br class="">work.<br class=""><br class="">Another option would be to get Pocket to add support for logging in via<br class="">FxA BrowserID assertions, rather than OAuth2, so that you could use<br class="">navigator.mozId directly. I think this is what the original email<br class="">subject line of this thread is getting at, but I'm not a fan of this<br class="">option because (1) it's partner work over which we don't have much<br class="">control, and (2) we're hoping to deprecate BrowserID assertions entirely<br class="">from Firefox Accounts and use OAuth2 exclusively in future.<br class=""><br class=""><br class=""> Cheers,<br class=""><br class=""> Ryan<br class=""><br class=""><br class="">[1]<br class=""><a href="https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction#Login_with_the_FxA_OAuth_HTTP_API" class="">https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction#Login_with_the_FxA_OAuth_HTTP_API</a><br class=""><br class="">[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1198639<br class=""><br class="">[3] https://mail.mozilla.org/pipermail/dev-fxacct/2015-August/001698.html<br class=""><br class="">[4] http://www.w3.org/TR/credential-management/<br class=""><br class=""><br class=""><blockquote type="cite" class="">On Thu, Aug 27, 2015 at 7:27 PM, Tommy Kuo <tokuo@mozilla.com<br class=""><mailto:tokuo@mozilla.com>> wrote:<br class=""><br class=""> Add Evelyn Huang and Shih-Chiang Chien.<br class=""><br class=""> -- <br class=""><br class=""> Tommy Kuo / Software Engineer kuoe0@mozilla.com<br class=""> <mailto:kuoe0@mozilla.com><br class=""><br class=""> Mozilla Taiwan<br class=""><br class=""><br class=""> On August 25, 2015 at 21:35:26, Fernando Moreno (fmoreno@mozilla.com<br class=""> <mailto:fmoreno@mozilla.com>) wrote:<br class=""><br class=""><blockquote type="cite" class=""> Hello,<br class=""><br class=""> On Tue, Aug 25, 2015 at 7:38 AM, Ryan Kelly <rfkelly@mozilla.com<br class=""> <mailto:rfkelly@mozilla.com>> wrote:<br class=""><br class=""> On 21/08/2015 17:30, Tommy Kuo wrote:<br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">Do you want to display the pocket website, make calls to the pocket API,<br class="">or both? Will you be running from a privileged system app or an<br class="">installable webapp?<br class=""></blockquote><br class="">We want to use the Pocket API only in a privileged app. We’ll integrate<br class="">Pocket service into our TV.<br class=""><br class=""><blockquote type="cite" class="">I'm not very familiar with the mozId API. Can you use it to generate<br class="">assertions for any audience? From what I can see in [3] it's only<br class="">possible to generate assertions for your app origin.<br class=""></blockquote><br class="">I’m trying to decode the assertion generated from FindMyDevice. I found<br class="">audience is "https://find.firefox.com”, so I think we can generate any<br class="">audience in the assertion.<br class=""><br class="">If we can use the native mozId API, it is convenient to users that they<br class="">don’t need to enter their username/password again. And we can exchange<br class="">the assertion for a FxA OAuth token or a Pocket access token. Do you<br class="">know someone is familiar with mozId?<br class=""></blockquote><br class=""> Casting a wide net here...<br class=""><br class=""> IIRC Jared Hirsch (cc'd) did some work on it a while ago, but<br class=""> the code<br class=""> hasn't been very active for some time. Fernando Moreno and<br class=""> Michiel de<br class=""> Jong (also cc'd) are working on some Firefox Accounts<br class=""> integrations in<br class=""> FxOS so they might be able to offer some insight.<br class=""><br class=""> Jared, Fernando, Michiel, there's extra context below, but the<br class=""> broad ask<br class=""> here is that Tommy's team would like to connect to Pocket from<br class=""> Firefox<br class=""> OS, and Pocket authenticates using the FxA OAuth API.<br class=""><br class=""> Do you know of any existing code in Firefox OS that's using<br class=""> the FxA<br class=""> OAuth APIs?<br class=""><br class=""><br class=""> I played with [1] a few months ago while working on a prototype<br class=""> for the New Gaia Architecture project [2], but AFAIK there is no<br class=""> any other existing FxOS code using the FxA OAuth APIs.<br class=""><br class=""><br class=""> If not, a more specific question that would let us work<br class=""> towards that is:<br class=""> can a privileged app use the mozId API to produce a FxA<br class=""> assertion for<br class=""> any target audience?<br class=""><br class=""><br class=""> Yes, you should be able to specify any target audience with some<br class=""> restrictions. Check [3]. I think in your case your Pocket app will<br class=""> be shipped as a certified app, so you should be able to use mozId<br class=""> the same way FindMyDevice does.<br class=""><br class=""> Cheers,<br class=""><br class=""> / Fernando<br class=""><br class=""> [1] https://github.com/mozilla/fxa-relier-client<br class=""> [2] https://github.com/fxos/contacts<br class=""> [3]<br class=""> https://mxr.mozilla.org/mozilla-central/source/dom/identity/nsDOMIdentity.js#617<br class=""></blockquote><br class=""><br class=""></blockquote></div></blockquote></div><br class=""></div></div></div></body></html>