<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 24, 2015 at 4:25 PM, Ryan Kelly <span dir="ltr"><<a href="mailto:rfkelly@mozilla.com" target="_blank">rfkelly@mozilla.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 25/11/2015 05:43, Peter Bengtsson wrote:<br>
> On Tue, Nov 24, 2015 at 1:40 PM, Christopher Karlof <<a href="mailto:ckarlof@mozilla.com">ckarlof@mozilla.com</a><br>
</span><span class="">> <mailto:<a href="mailto:ckarlof@mozilla.com">ckarlof@mozilla.com</a>>> wrote:<br>
><br>
> FxA is a consumer account system, and for Mozilla services which are<br>
> available to the general public, it’s a viable option.<br>
><br>
> The above demonstration would be most viable for services which are<br>
> internal and require LDAP/Okta authentication.<br>
><br>
> If there are services which need *both* types of authentication, we<br>
> may not have a clean answer like we did with Persona, but we could<br>
> just offer both.<br>
><br>
><br>
> I want both. Nay, I *need* both types.<br>
<br>
</span>Can you please say more about the specific use-case here? I can imagine<br>
us directing many future queries to the archive of this thread.<br>
<span class=""><br></span></blockquote><div><br></div><div>Air Mozilla: Staff email's that log in automatically have access to private events/videos. Non-staff emails need their accounts tied to a vouched Mozillian account. Future, we want non-staff and non-vouched-mozillians to be able to log in. <br><br></div><div>Crash Stats: Staff who log in need to use their work email if they're going to be given PII access. Partners such as Adobe need to be able to sign in too. <br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
> FxA plus a tool that informs when LDAP statuses change (in particular<br>
> when someone ceases to have LDAP staff status) would suffice.<br>
<br>
</span>You could do what Persona does, ask for the email up-front and direct<br>
the login to whatever system is most appropriate - Okta for staff<br>
addresses, FxA for everyone else.<br>
<br></blockquote><div><br></div><div>Pardon my ignorance but why is Okta [for staff] any better than FxA?<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
(And if we were going to need this a lot, we could make a small utility<br>
lib/service to abstract it away).<br>
<br>
<br>
Ryan<br>
<span class=""><br>
<br>
> On Tue, Nov 24, 2015 at 5:43 AM, Peter Bengtsson<br>
</span><span class="">> <<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a> <mailto:<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a>>> wrote:<br>
><br>
> That's really cool and clearly works.<br>
> However, non-staff would be confused when they see that Okta<br>
> sign in. In fact, how do non-staff sign in at all?<br>
><br>
> Either way, I think I would like to use FxA. Isn't that a<br>
> project we're trying to promote in general in the company?<br>
><br>
> On Mon, Nov 23, 2015 at 6:23 PM, Daniel Coates<br>
</span><span class="">> <<a href="mailto:dcoates@mozilla.com">dcoates@mozilla.com</a> <mailto:<a href="mailto:dcoates@mozilla.com">dcoates@mozilla.com</a>>> wrote:<br>
><br>
> There's a demo of the current progress here:<br>
> <a href="https://123done-dcoates.dev.lcip.org" rel="noreferrer" target="_blank">https://123done-dcoates.dev.lcip.org</a> with code here:<br>
> <a href="https://github.com/dannycoates/123done/tree/google-auth" rel="noreferrer" target="_blank">https://github.com/dannycoates/123done/tree/google-auth</a><br>
><br>
> On Mon, Nov 23, 2015 at 1:59 PM, Ryan Kelly<br>
</span><span class="">> <<a href="mailto:rfkelly@mozilla.com">rfkelly@mozilla.com</a> <mailto:<a href="mailto:rfkelly@mozilla.com">rfkelly@mozilla.com</a>>> wrote:<br>
> > On 24/11/2015 05:07, Sean McArthur wrote:<br>
> >> +dev-fxacct<br>
> >><br>
> >> We are working on figuring this out for the company. It's<br>
> looking like<br>
> >> the solution for sites that require employee accounts can<br>
> use Google<br>
> >> Sign In, and require it to use okta.<br>
> ><br>
> > Indeed, IIUC Danny has put together a working demo of this<br>
> using<br>
> > Google's OpenID Connect login flow, which bridges to Okta<br>
> and thus auths<br>
</span>> > against LDAP for @<a href="http://mozilla.com" rel="noreferrer" target="_blank">mozilla.com</a> <<a href="http://mozilla.com" rel="noreferrer" target="_blank">http://mozilla.com</a>> addresses.<br>
<span class="">> ><br>
> > We'll see about putting together a little how-to for other<br>
> folks to try<br>
> > out, I hear it was pretty painless to set up.<br>
> ><br>
> ><br>
> > Cheers,<br>
> ><br>
> > Ryan<br>
> ><br>
> ><br>
> >> On Mon, Nov 23, 2015, 9:49 AM Peter Bengtsson<br>
> <<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a> <mailto:<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a>><br>
</span>> >> <mailto:<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a><br>
<span class="">> <mailto:<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a>>>> wrote:<br>
> >><br>
> >> For the record, we wouldn't interface with Workday at<br>
> all. Only<br>
> >> <a href="http://ldap.mozilla.org" rel="noreferrer" target="_blank">ldap.mozilla.org</a> <<a href="http://ldap.mozilla.org" rel="noreferrer" target="_blank">http://ldap.mozilla.org</a>><br>
> <<a href="http://ldap.mozilla.org" rel="noreferrer" target="_blank">http://ldap.mozilla.org</a>>.<br>
> >> (How <a href="http://ldap.mozilla.org" rel="noreferrer" target="_blank">ldap.mozilla.org</a> <<a href="http://ldap.mozilla.org" rel="noreferrer" target="_blank">http://ldap.mozilla.org</a>><br>
> <<a href="http://ldap.mozilla.org" rel="noreferrer" target="_blank">http://ldap.mozilla.org</a>> gets populated is<br>
> >> out of context).<br>
> >><br>
> >> On Mon, Nov 23, 2015 at 12:18 PM, Schalk Neethling<br>
> >> <<a href="mailto:sneethling@mozilla.com">sneethling@mozilla.com</a><br>
> <mailto:<a href="mailto:sneethling@mozilla.com">sneethling@mozilla.com</a>><br>
</span>> <mailto:<a href="mailto:sneethling@mozilla.com">sneethling@mozilla.com</a> <mailto:<a href="mailto:sneethling@mozilla.com">sneethling@mozilla.com</a>>>><br>
<span class="">> >> wrote:<br>
> >><br>
> >> > As long as it does not do a 'if in workday' pass or<br>
> else you shall not<br>
> >> > pass :)<br>
> >> ><br>
> >> > Geo contractors are not in Workday.<br>
> >> ><br>
> >> > On Mon, Nov 23, 2015 at 6:47 PM, Peter Bengtsson<br>
> >> <<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a><br>
> <mailto:<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a>><br>
</span>> <mailto:<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a> <mailto:<a href="mailto:pbengtsson@mozilla.com">pbengtsson@mozilla.com</a>>>><br>
<span class="">> >> > wrote:<br>
> >> ><br>
> >> >> Suppose you use Persona to auth people to your<br>
> site. Given that<br>
> >> someone<br>
> >> >> manages to log in with a @<a href="http://mozilla.com" rel="noreferrer" target="_blank">mozilla.com</a><br>
</span>> <<a href="http://mozilla.com" rel="noreferrer" target="_blank">http://mozilla.com</a>> <<a href="http://mozilla.com" rel="noreferrer" target="_blank">http://mozilla.com</a>> (or<br>
<span class="">> >> foundation or mozilla-jp)<br>
> >> >> they've<br>
> >> >> proven they're active staff.<br>
> >> >> If they leave the company, most likely their<br>
> access to your site,<br>
> >> under a<br>
> >> >> staff email address, should cease. E.g. logging in<br>
> to Air Mozilla<br>
> >> to see<br>
> >> >> staff live events. Persona took care of that as<br>
> each new session got<br>
> >> >> checked against the provider (e.g. <a href="http://mozilla.com" rel="noreferrer" target="_blank">mozilla.com</a><br>
</span>> <<a href="http://mozilla.com" rel="noreferrer" target="_blank">http://mozilla.com</a>> <<a href="http://mozilla.com" rel="noreferrer" target="_blank">http://mozilla.com</a>>).<br>
<div><div class="h5">> >> >><br>
> >> >> If we switch to FxA we lose this automatic check<br>
> that Persona<br>
> >> used to do.<br>
> >> >> You OAuth sign in a user and set her cookie to<br>
> last X weeks and<br>
> >> she'll be<br>
> >> >> signed in for X weeks. How do you kill that<br>
> session cookie if she no<br>
> >> >> longer<br>
> >> >> has ability to check check email to her<br>
> @<a href="http://mozilla.com" rel="noreferrer" target="_blank">mozilla.com</a> <<a href="http://mozilla.com" rel="noreferrer" target="_blank">http://mozilla.com</a>><br>
> >> <<a href="http://mozilla.com" rel="noreferrer" target="_blank">http://mozilla.com</a>> address?<br>
> >> >><br>
> >> >> Is there already an established solution for this?<br>
> >> >><br>
> >> >> If not, I'd be up for writing a central solution<br>
> for talking to our<br>
> >> >> <a href="http://ldap.mozilla.org" rel="noreferrer" target="_blank">ldap.mozilla.org</a> <<a href="http://ldap.mozilla.org" rel="noreferrer" target="_blank">http://ldap.mozilla.org</a>><br>
> <<a href="http://ldap.mozilla.org" rel="noreferrer" target="_blank">http://ldap.mozilla.org</a>> (which is a derivative<br>
> >> of Workday).<br>
> >> >> We can either stand up a service that your server<br>
> can query or we can<br>
> >> >> stand<br>
> >> >> up a service that can webhook-post to you.<br>
> >> >><br>
> >> >> What do you think?<br>
> >> >><br>
> >> >><br>
> >> >> --<br>
> >> >> Peter Bengtsson<br>
> >> >> Mozilla Web Engineering<br>
> >> >> _______________________________________________<br>
> >> >> dev-webdev mailing list<br>
> >> >> <a href="mailto:dev-webdev@lists.mozilla.org">dev-webdev@lists.mozilla.org</a><br>
> <mailto:<a href="mailto:dev-webdev@lists.mozilla.org">dev-webdev@lists.mozilla.org</a>><br>
</div></div>> <mailto:<a href="mailto:dev-webdev@lists.mozilla.org">dev-webdev@lists.mozilla.org</a><br>
<span class="">> <mailto:<a href="mailto:dev-webdev@lists.mozilla.org">dev-webdev@lists.mozilla.org</a>>><br>
> >> >> <a href="https://lists.mozilla.org/listinfo/dev-webdev" rel="noreferrer" target="_blank">https://lists.mozilla.org/listinfo/dev-webdev</a><br>
> >> >><br>
> >> ><br>
> >> ><br>
> >> ><br>
> >> > --<br>
> >> > Kind Regards,<br>
> >> > Schalk Neethling<br>
> >> > Senior Front-End Engineer<br>
> >> > Mozilla ::-::<br>
> >> ><br>
> >><br>
> >><br>
> >><br>
> >> --<br>
> >> Peter Bengtsson<br>
> >> Mozilla Web Engineering<br>
> >> _______________________________________________<br>
> >> dev-webdev mailing list<br>
> >> <a href="mailto:dev-webdev@lists.mozilla.org">dev-webdev@lists.mozilla.org</a><br>
> <mailto:<a href="mailto:dev-webdev@lists.mozilla.org">dev-webdev@lists.mozilla.org</a>><br>
</span>> <mailto:<a href="mailto:dev-webdev@lists.mozilla.org">dev-webdev@lists.mozilla.org</a><br>
<span class="">> <mailto:<a href="mailto:dev-webdev@lists.mozilla.org">dev-webdev@lists.mozilla.org</a>>><br>
> >> <a href="https://lists.mozilla.org/listinfo/dev-webdev" rel="noreferrer" target="_blank">https://lists.mozilla.org/listinfo/dev-webdev</a><br>
> >><br>
> >><br>
> >><br>
> >> _______________________________________________<br>
> >> Dev-fxacct mailing list<br>
</span>> >> <a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a> <mailto:<a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a>><br>
<span class="">> >> <a href="https://mail.mozilla.org/listinfo/dev-fxacct" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a><br>
> >><br>
> > _______________________________________________<br>
> > Dev-fxacct mailing list<br>
</span>> > <a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a> <mailto:<a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a>><br>
<span class="">> > <a href="https://mail.mozilla.org/listinfo/dev-fxacct" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a><br>
><br>
><br>
><br>
><br>
> --<br>
> Peter Bengtsson<br>
> Mozilla Web Engineering<br>
><br>
> _______________________________________________<br>
> Dev-fxacct mailing list<br>
</span>> <a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a> <mailto:<a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a>><br>
<div class="HOEnZb"><div class="h5">> <a href="https://mail.mozilla.org/listinfo/dev-fxacct" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a><br>
><br>
><br>
><br>
><br>
><br>
> --<br>
> Peter Bengtsson<br>
> Mozilla Web Engineering<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Peter Bengtsson<br>Mozilla Web Engineering<br></div></div>
</div></div>