Firefox syncserver + self-hosted auth server verification
Nikolaus Thümmel
fxacct-ml at ntcomputer.de
Wed Jan 3 01:44:49 UTC 2018
Hi everyone,
I'm experimenting with a self-hosted Firefox syncserver and auth server
stack, which is working fine so far. I wonder, however, how the
syncserver verifies the account assertions it gets from the browser /
auth server. As I have not configured any auth-server-related
information in the syncserver.ini, I doubt there is any verification at
all - is that correct? Does that mean the syncserver trusts assertions
created by _any_ auth server, not just the one I am hosting? If so, how
can I restrict the verification in such a way that only assertions from
my own auth server will be accepted?
Note: I am using a local BrowserID verifier, configured in
syncserver.ini as follows:
[browserid]
backend = tokenserver.verifiers.LocalVerifier
audiences = https://<my-syncserver-url>
Kind regards
Nikolaus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/sync-dev/attachments/20180103/68463877/attachment.html>
More information about the Sync-dev
mailing list