dev deployments of sync1.1+tokenserver

Ryan Kelly rfkelly at mozilla.com
Mon Aug 19 05:50:47 PDT 2013


Hi All,


In support of moving fast on Milestone 1, I have stood up a simple dev
deployment of a tokenserver-auth-enabled Sync1.1 server.  Hopefully this
will give us something concrete to develop and test against on the
storage integration side of things.

There are two servers, "auth" and "storage", available at:

   http://auth.oldsync.dev.lcip.org/
   http://db1.oldsync.dev.lcip.org/

Technical details below for those who need them.  Enjoy!


  Cheers,

    Ryan


-------------------------------


This setup comes in two pieces.  For dev they are just two EC2
instances; in production they'd be two separate clusters.

First is the "auth server", available here:

    http://auth.oldsync.dev.lcip.org/

This is running the tokenserver code we built for sync2.0, and speaks
the browserid auth dance documented here:

    http://docs.services.mozilla.com/token/user-flow.html

To authenticate, you produce a BrowserID assertion and send it to the
following service-specific URL:

    http://auth.oldsync.dev.lcip.org/1.0/sync/1.1

In return you will get a set of temporary authentication credentials
("id" and "key") along with the URL of a particular storage server that
you should use (the "endpoint_url").

In production there would be multiple storage servers, with users
sharded among them.  For the dev deployment, the auth server will always
direct you to:

     http://db1.oldsync.dev.lcip.org/1.1/{userid}

This storage server is running the sync1.1 storage code, with a special
auth plugin that speaks Hawk auth, and a master token-signing secret
that is shared with the auth server.

Use the id and key you got from the tokenserver, and make Hawk
authenticated requests following the existing Sync1.1 API:

    https://docs.services.mozilla.com/storage/apis-1.1.html


In theory, this should be all the server-side support you need to do
BrowserID-authenticated syncing on top of Sync1.1.

Good luck! :-)


Caveat:  I did a quick python implementation of Hawk based on my
previous work with MACAuth, and a cursory read of the quote-unquote
"Hawk Spec".  There may be incompatibilities; ping me and I'll squash
them ASAP.
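As an added illustration (not Ryan's code, nor the tokenserver or sync1.1 code) of the two halves of the flow above: the client signs a storage request with the "id"/"key" pair handed out by the auth server, and the storage side recomputes the MAC and rejects stale timestamps. It assumes the Hawk 1.x header format ("hawk.1.header" normalized string, HMAC-SHA256, base64 MAC); the dev server's own quick Hawk implementation may differ, as the caveat says. The credentials and the "endpoint_url" field are a constructed stand-in for the tokenserver reply.

```python
import base64
import hashlib
import hmac
import os
import re
import time
from urllib.parse import urlparse

# Constructed stand-in for the tokenserver's JSON reply; not real credentials.
TOKEN_RESPONSE = {
    "id": "eyJ1aWQiOiAxMjM0fQ",
    "key": "oMtIjSaqdqrqVXpwm1BOM2aUgSJDn4vj",
    "endpoint_url": "http://db1.oldsync.dev.lcip.org/1.1/1234",
}

def hawk_normalized_string(method, url, ts, nonce, ext=""):
    """Hawk 1.x normalized string: ts, nonce, method, resource, host, port, hash, ext."""
    p = urlparse(url)
    resource = p.path + ("?" + p.query if p.query else "")
    port = p.port or (443 if p.scheme == "https" else 80)
    fields = ["hawk.1.header", str(ts), nonce, method.upper(), resource,
              p.hostname.lower(), str(port), "", ext]  # "" = no payload hash
    return "\n".join(fields) + "\n"

def hawk_mac(key, normalized):
    digest = hmac.new(key.encode(), normalized.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def hawk_header(creds, method, url, ts=None, nonce=None):
    """Client side: sign one request with the tokenserver-issued id/key."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or base64.b64encode(os.urandom(6)).decode()
    mac = hawk_mac(creds["key"], hawk_normalized_string(method, url, ts, nonce))
    return 'Hawk id="%s", ts="%d", nonce="%s", mac="%s"' % (creds["id"], ts, nonce, mac)

def verify_hawk(header, key, method, url, now, max_skew=60):
    """Storage side: recompute the MAC for this exact request and reject stale
    timestamps. A real server also remembers (ts, nonce) pairs to block replays."""
    if not header.startswith("Hawk "):
        return False
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', header[5:]))
    try:
        ts = int(attrs["ts"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False
    expected = hawk_mac(key, hawk_normalized_string(method, url, ts, attrs.get("nonce", "")))
    return hmac.compare_digest(expected, attrs.get("mac", ""))
```

Because the method, path, host and port are all folded into the MAC, a header captured for one request does not verify for a different resource or a different user's endpoint.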

