Firefox syncserver + self-hosted auth server verification

Nikolaus Thümmel fxacct-ml at ntcomputer.de
Wed Jan 3 01:44:49 UTC 2018


Hi everyone,

I'm experimenting with a self-hosted Firefox syncserver and auth server
stack, which is working fine so far. I wonder, however, how the
syncserver verifies the account assertions it gets from the browser /
auth server. As I have not configured any auth-server-related
information in the syncserver.ini, I doubt there is any verification at
all - is that correct? Does that mean the syncserver trusts assertions
created by _any_ auth server, not just the one I am hosting? If so, how
can I restrict the verification in such a way that only assertions from
my own auth server will be accepted?

Note: I am using a local BrowserID verifier, configured in
syncserver.ini as follows:

[browserid]

backend = tokenserver.verifiers.LocalVerifier

audiences = https://<my-syncserver-url>


Kind regards

Nikolaus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/sync-dev/attachments/20180103/68463877/attachment.html>


More information about the Sync-dev mailing list