Firefox syncserver + self-hosted auth server verification

Nikolaus Thümmel fxacct-ml at
Wed Jan 3 01:44:49 UTC 2018

Hi everyone,

I'm experimenting with a self-hosted Firefox syncserver and auth server
stack, which is working fine so far. I wonder, however, how the
syncserver verifies the account assertions it gets from the browser /
auth server. As I have not configured any auth-server-related
information in the syncserver.ini, I doubt there is any verification at
all - is that correct? Does that mean the syncserver trusts assertions
created by _any_ auth server, not just the one I am hosting? If so, how
can I restrict the verification in such a way that only assertions from
my own auth server will be accepted?

Note: I am using a local BrowserID verifier, configured in
syncserver.ini as follows:

backend = tokenserver.verifiers.LocalVerifier
audiences = https://<my-syncserver-url>

Kind regards


