<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">(Ugh, my mails can't get through the list without moderation so I am replying again with my gmail account. Sorry for the duplication)<div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Aug 28, 2015, at 5:02 AM, Shih-Chiang Chien <<a href="mailto:schien@mozilla.com" class="">schien@mozilla.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class=""><div class=""><div class=""><div class="">Hi Ryan,<br class=""><br class=""></div>Currently the Firefox Account doesn't provide an integrated login experience on Firefox OS. For example, user need to typing password again for using Pocket service even if they've already login in FxA in settings app.<br class=""></div></div></div></div></div></blockquote><div><br class=""></div>Oh yeah, I forgot about this...<br class=""><br class="">If you are talking about navigator.mozId, we do have an integrated logic experience on Firefox OS. We have SSO. The thing is that for privileged applications, we ask the FxA password the first time the app requests an assertion via navigator.mozId because of privacy reasons. You shouldn't see this auth request dialog for certified apps though. This was a last minute hack before shipping Firefox OS 2.0. The problem was that navigator.mozId was providing the user's email to the app requesting the assertion via navigator.mozId without any user consent [1] (so we were doing Single Silent Sign On). When we noticed that, we were too late on the Firefox OS 2.0 timeline and we were already on a string frozen stage, so we couldn't add any new strings. Ideally, we shouldn't be asking for the password and instead we should just show a confirmation dialog so the user can accept to share or not his email address with the app. But the only option we had at that point that didn't require breaking the string frozen state was to use the refresh authentication dialog. So we did that. That was supposed to be only a temporary hack that we should (and can) remove for 2.5. I'll file a bug for that.<br class=""><br class="">[1] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1028398" class="">https://bugzilla.mozilla.org/show_bug.cgi?id=1028398</a></div><div><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class=""><div class=""><div class=""><br class=""></div>On Firefox Desktop user can simply grant site permission on fx account login page when FxA is already login in browser, without typing password again. I think this is done by using IdentityManager API [1].<br class=""><br class=""></div>I don't know why we didn't apply the same technology on Firefox OS in the past, but it'll enable 3rd-party service on TV with better login experience because typing is a painful task on TV. We can leverage navigator.mozId with some adjustment of permission model of "moz-firefox-accounts".<br class=""></div><div class=""><div class=""><div class=""><br class="">[1] <a href="https://developer.mozilla.org/en-US/docs/Web/API/IdentityManager" class="">https://developer.mozilla.org/en-US/docs/Web/API/IdentityManager</a><br class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class="gmail_extra"><br clear="all" class=""><div class=""><div class=""><div dir="ltr" class=""><div class="">Best Regards,<br class="">Shih-Chiang Chien<br class=""></div>Mozilla Taiwan<br class=""></div></div></div>
<br class=""><div class="gmail_quote">On Thu, Aug 27, 2015 at 7:27 PM, Tommy Kuo <span dir="ltr" class=""><<a href="mailto:tokuo@mozilla.com" target="_blank" class="">tokuo@mozilla.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word" class=""><div style="font-family: Helvetica, Arial; font-size: 13px; margin: 0px;" class="">Add Evelyn Huang and Shih-Chiang Chien.</div> <br class=""> <div class=""><div style="font-family:helvetica,arial;font-size:13px" class="">-- <br class=""><p style="font-family:Helvetica,Arial,sans-serif;font-size:10px;line-height:12px;color:rgb(33,33,33)" class=""><span style="font-weight:bold;display:inline" class="">Tommy Kuo</span>
<span style="display:inline" class="">/</span> <span style="display:inline" class="">Software Engineer</span>
<span style="display:block" class=""></span>
<a href="mailto:kuoe0@mozilla.com" style="color:rgb(71,124,204);text-decoration:none;display:inline" target="_blank" class="">kuoe0@mozilla.com</a><span class=""></span></p><p style="font-family:Helvetica,Arial,sans-serif;font-size:10px;line-height:12px" class="">
<span style="font-weight:bold;color:rgb(33,33,33);display:inline" class="">Mozilla Taiwan</span></p></div></div> <br class=""><p style="" class="">On August 25, 2015 at 21:35:26, Fernando Moreno (<a href="mailto:fmoreno@mozilla.com" target="_blank" class="">fmoreno@mozilla.com</a>) wrote:</p> <blockquote type="cite" class=""><span class=""><div class=""><div class=""></div><div class="">
<div dir="ltr" class="">Hello,<br class="">
<div class="gmail_extra"><br class=""></div>
<div class="gmail_extra">
<div class="gmail_quote">On Tue, Aug 25, 2015 at 7:38 AM, Ryan
Kelly <span dir="ltr" class=""><<a href="mailto:rfkelly@mozilla.com" target="_blank" class="">rfkelly@mozilla.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On 21/08/2015 17:30, Tommy Kuo wrote:<br class="">
>> Do you want to display the pocket website, make calls to
the pocket API,<br class="">
>> or both? Will you be running from a privileged system app
or an<br class="">
>> installable webapp?<br class="">
><br class="">
> We want to use the Pocket API only in a privileged app. We’ll
integrate<br class="">
> Pocket service into our TV.<br class="">
><br class="">
>> I'm not very familiar with the mozId API. Can you use it
to generate<br class="">
>> assertions for any audience? From what I can see in [3]
it's only<br class="">
>> possible to generate assertions for your app origin.<br class="">
><br class="">
> I’m trying to decode the assertion generated from
FindMyDevice. I found<br class="">
> audience is "<a href="https://find.firefox.com/" rel="noreferrer" target="_blank" class="">https://find.firefox.com</a>”, so I
think we can generate any<br class="">
> audience in the assertion.<br class="">
><br class="">
> If we can use the native mozId API, it is convenient to users
that they<br class="">
> don’t need to enter their username/password again. And we can
exchange<br class="">
> the assertion for a FxA OAuth token or a Pocket access token.
Do you<br class="">
> know someone is familiar with mozId?<br class="">
<br class="">
Casting a wide net here...<br class="">
<br class="">
IIRC Jared Hirsch (cc'd) did some work on it a while ago, but the
code<br class="">
hasn't been very active for some time. Fernando Moreno and
Michiel de<br class="">
Jong (also cc'd) are working on some Firefox Accounts integrations
in<br class="">
FxOS so they might be able to offer some insight.<br class="">
<br class="">
Jared, Fernando, Michiel, there's extra context below, but the
broad ask<br class="">
here is that Tommy's team would like to connect to Pocket from
Firefox<br class="">
OS, and Pocket authenticates using the FxA OAuth API.<br class="">
<br class="">
Do you know of any existing code in Firefox OS that's using the
FxA<br class="">
OAuth APIs?<br class=""></blockquote>
<div class=""><br class=""></div>
<div class="">I played with [1] a few months ago while working on a
prototype for the New Gaia Architecture project [2], but AFAIK
there is no any other existing FxOS code using the FxA OAuth
APIs.<br class=""></div>
<div class=""><br class=""></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br class="">
If not, a more specific question that would let us work towards
that is:<br class="">
can a privileged app use the mozId API to produce a FxA assertion
for<br class="">
any target audience?<br class="">
<br class=""></blockquote>
<div class=""><br class=""></div>
<div class="">Yes, you should be able to specify any target audience with
some restrictions. Check [3]. I think in your case your Pocket app
will be shipped as a certified app, so you should be able to use
mozId the same way FindMyDevice does.<br class="">
<br class=""></div>
<div class="">Cheers,<br class="">
<br class=""></div>
<div class="">/ Fernando<br class=""></div>
<div class=""><br class="">
[1] <a href="https://github.com/mozilla/fxa-relier-client" target="_blank" class="">https://github.com/mozilla/fxa-relier-client</a><br class="">
[2] <a href="https://github.com/fxos/contacts" target="_blank" class="">https://github.com/fxos/contacts</a><br class="">
[3] <a href="https://mxr.mozilla.org/mozilla-central/source/dom/identity/nsDOMIdentity.js#617" target="_blank" class="">
https://mxr.mozilla.org/mozilla-central/source/dom/identity/nsDOMIdentity.js#617</a><br class="">
</div>
</div>
</div>
</div>
</div></div></span></blockquote></div></blockquote></div><br class=""></div></div></div></div></div></div></div></div></div></div></div>
</div></blockquote></div><br class=""></div></body></html>