<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
The use case I have in mind would be to give specific permissions to
an application while using Kinto [0].<br>
<br>
Currently we are using BasicAuth directly for that task:<br>
<ul>
<li>giving the permission to the payment app to write receipts for
a user and a seller app,</li>
<li>then giving the permission to the seller app to read all its
receipts.</li>
</ul>
Using a Firefox Account Bearer token instead would prevent us from
leaking the app credentials to the server (even if it is protected
by an SSL connection) and would also let us revoke a token and create a
new one in case we need to (i.e. if it has been compromised).<br>
<br>
Changing the BasicAuth credentials also changes the userid, which
prevents us from changing them easily.<br>
<br>
<br>
[0]
<a class="moz-txt-link-freetext" href="http://kinto.readthedocs.org/en/latest/tutorials/permission-setups.html">http://kinto.readthedocs.org/en/latest/tutorials/permission-setups.html</a><br>
<br>
<div class="moz-cite-prefix">On 28/11/2015 21:53, Sean McArthur
wrote:<br>
</div>
<blockquote
cite="mid:CAHrH6bP_Z+XwpQwsL-o_w+ZOCbm2qOi8-SemkCp4iiGLMkX1Eg@mail.gmail.com"
type="cite">
<p dir="ltr">That looks simple enough. It seems Twitter uses this
to increase rate limits if an application identifies itself
(instead of a lower limit based on IP). It doesn't provide
access to any private information, or allow the application to
act as a user. </p>
<p dir="ltr">What would be the desired effect for FxA? We don't
really have public APIs... Accessing a user's private
information will require getting their permission. </p>
<p dir="ltr">We do have Service Accounts, which allow access to
all information without user action, but they require explicit
registration with us, such as our use of Basket. </p>
<br>
<div class="gmail_quote">
<div dir="ltr">On Sat, Nov 28, 2015, 12:37 AM Rémy Hubscher &lt;<a
moz-do-not-send="true" href="mailto:rhubscher@mozilla.com">rhubscher@mozilla.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hello,<br>
<br>
While reading the Twitter documentation, I realized they
have an <a moz-do-not-send="true"
href="https://dev.twitter.com/oauth/application-only"
target="_blank">Application-Only authentication mechanism</a>
that is quite easy.<br>
<br>
They are using client_id and client_secret in a BasicAuth
fashion in order to get a BearerToken on this URL <tt>/oauth2/token</tt><br>
<br>
This could be a quite easy solution to implement I guess
while reusing the current ecosystem we have.<br>
<br>
Best regards,<br>
<br>
Rémy<br>
</div>
_______________________________________________<br>
Dev-fxacct mailing list<br>
<a moz-do-not-send="true" href="mailto:Dev-fxacct@mozilla.org"
target="_blank">Dev-fxacct@mozilla.org</a><br>
<a moz-do-not-send="true"
href="https://mail.mozilla.org/listinfo/dev-fxacct"
rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a><br>
</blockquote>
</div>
</blockquote>
<br>
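<p>The exchange discussed in this thread, as an added example that is not
part of the original messages and not Kinto's, Twitter's or the FxA
project's own code: an in-process model of the application-only flow,
where the client presents <tt>client_id:client_secret</tt> over HTTP Basic
once, at <tt>/oauth2/token</tt>, and then uses only the returned bearer
token on resource requests. Revoking that token leaves the application's
<tt>client_id</tt> (and so its userid) untouched, which is the property the
thread is after. The application names, secrets and the in-memory
registry are constructed for the example; no network is involved.</p>

```python
"""Model of the client_credentials ("application-only") exchange.

Constructed example: one AuthServer object plays the token endpoint and
the resource API; the client-side helper builds the Basic header.  The
client registry and the token table are plain dicts standing in for a
database, and the app identifiers below are hypothetical.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the client secret; the server never stores it in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def parse_basic(header):
    """Parse 'Basic base64(client_id:client_secret)'; return None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    client_id, client_secret = raw.split(":", 1)
    return client_id, client_secret


def basic_header(client_id, client_secret):
    """Client side: the Authorization header sent once, to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


@dataclass
class AuthServer:
    clients: dict = field(default_factory=dict)   # client_id -> (salt, secret hash)
    tokens: dict = field(default_factory=dict)    # sha256(token) -> client_id

    def register(self, client_id, client_secret):
        """Out-of-band app registration (hypothetical; stands in for a real registry)."""
        salt = secrets.token_bytes(16)
        self.clients[client_id] = (salt, _hash_secret(client_secret, salt))

    def token_endpoint(self, authorization, grant_type="client_credentials"):
        """POST /oauth2/token: check the Basic credentials, issue an opaque bearer token."""
        if grant_type != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        creds = parse_basic(authorization)
        if creds is None:
            return 401, {"error": "invalid_client"}
        client_id, client_secret = creds
        entry = self.clients.get(client_id)
        # Hash even for an unknown client so a bad id costs the same as a bad secret.
        salt, expected = entry if entry else (b"\0" * 16, b"\0" * 32)
        given = _hash_secret(client_secret, salt)
        if entry is None or not hmac.compare_digest(given, expected):
            return 401, {"error": "invalid_client"}
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored: a leaked token table cannot be replayed.
        self.tokens[hashlib.sha256(token.encode()).digest()] = client_id
        return 200, {"token_type": "bearer", "access_token": token}

    def resource_endpoint(self, authorization):
        """Any API call: accept a live bearer token only; the app secret is never sent here."""
        if not authorization or not authorization.startswith("Bearer "):
            return 401, None
        token = authorization[len("Bearer "):]
        client_id = self.tokens.get(hashlib.sha256(token.encode()).digest())
        if client_id is None:
            return 401, None
        return 200, client_id

    def revoke(self, token):
        """Invalidate one token; client_id, and therefore the userid, stays the same."""
        self.tokens.pop(hashlib.sha256(token.encode()).digest(), None)


def demo():
    """Walk through issue -> use -> revoke -> reuse fails -> wrong secret fails."""
    srv = AuthServer()
    srv.register("payment-app", "s3cret")                      # hypothetical app
    status, body = srv.token_endpoint(basic_header("payment-app", "s3cret"))
    tok = body["access_token"]
    ok = srv.resource_endpoint("Bearer " + tok)                 # (200, "payment-app")
    srv.revoke(tok)
    gone = srv.resource_endpoint("Bearer " + tok)               # (401, None)
    bad = srv.token_endpoint(basic_header("payment-app", "wrong"))  # 401
    return status, ok, gone, bad[0]


if __name__ == "__main__":
    print(demo())
```

<p>The Basic header here is a plain base64 of <tt>client_id:client_secret</tt>;
whatever additional encoding a given provider requires before base64 is not
modelled. The two things worth carrying into a real deployment are that the
resource endpoint never sees the secret at all, only a token that can be
dropped from the table, and that both the secret and the issued tokens are
stored hashed, so a read of the server's tables does not hand an attacker a
usable credential.</p>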
</body>
</html>