Firefox Accounts on Firefox OS
zcarter at mozilla.com
Thu Oct 10 08:00:55 PDT 2013
> From: "Dirkjan Ochtman" <dirkjan at ochtman.nl>
> To: "Lloyd Hilaiel" <lloyd at mozilla.com>
> Cc: sync-dev at mozilla.org
> Sent: Thursday, October 10, 2013 3:56:56 AM
> Subject: Re: Firefox Accounts on Firefox OS
> On Thu, Oct 10, 2013 at 11:56 AM, Lloyd Hilaiel <lloyd at mozilla.com> wrote:
> > https://id.etherpad.mozilla.org/fxa-on-fxos
> > Curious to hear thoughts and constructive criticism.
> Trying to make sense of this, after reading three times, but still
> struggling a bit.
> For the FTU experience, step 4, is that "normal" Persona
> authentication + provisioning?
Correct me if I'm wrong, Lloyd, but this will be the special FxA flow, which is similar to how the fallback currently operates. It may not need the normal Persona authentication + provisioning phases, but the output is compatible with the normal Persona flow.
> For applications where FxA is the only way to sign in: why is FxA
> required for WheresMyFox and Marketplace? For WMF, I presume it's
> because you need to access a cloud service to wipe/find your device,
> but I don't really see the need for more than authentication. For
> Marketplace, is it because we're syncing application ownership data?
> Again, do we need more than authentication?
I assume Marketplace wants to associate app purchases with a stable Firefox Account ID, so that the user could log in to a new device and have their apps available (hand-waving over UX here). Retrieving the FxA ID would require an additional API request or bundling it with the Persona assertion (or maybe they will key by email after all).
I'm not sure of WheresMyFox's requirements, but the FxA server has a devices API that may be useful.
> I guess what I really don't understand is what FxA provides beyond
> secure storage. I thought FxA was email address + password (which is
> being challenged, I think, which is a good thing in my book, in favor
> of first time authn through Persona?) + key storage (stretched from
> password) + sync content storage. It seems like it's now being used in
> a much wider context ("Cloud Services"!), but it's very unclear to me
> what it's actually providing in that context.
FxA does not encompass data storage for sync, but does store encryption keys for use by authenticated sync clients.
It also provides SSO for apps that opt in. Per Lloyd's doc there's a flag for services that require FxA and a permission for apps where it's optional. Marketplace's feature (installing apps) has a strong coupling with the device, so it's reasonable to have that tied to the identity signed into the device. Presumably other apps that require FxA will also have a strong coupling with the device (or perhaps they're connected to other apps associated with a user's FxA, or some other constraint requiring an FxA).
It'd be nice to have a list of all the apps that are looking into using FxA and why. Is it for the buttery smooth SSO or what?