Firefox syncserver + self-hosted auth server verification

Ryan Kelly rfkelly at
Wed Jan 10 04:53:15 UTC 2018

Hi Nikolaus,

Sorry for the delay in replying here, I'm still catching up on a few emails
from over the holiday break.

On 3 January 2018 at 12:44, Nikolaus Thümmel <fxacct-ml at>

> I'm experimenting with a self-hosted Firefox syncserver and auth server
> stack, which is working fine so far. I wonder, however, how the syncserver
> verifies the account assertions it gets from the browser / auth server. As
> I have not configured any auth-server-related information in the
> syncserver.ini, I doubt there is any verification at all - is that correct?
> Does that mean the syncserver trusts assertions created by _any_ auth
> server, not just the one I am hosting?

You're correct, by default it will allow (properly formatted and signed)
assertions from any issuer, and will namespace the users appropriately so
that they don't collide.  This is very helpful while getting up and
running, but indeed it should probably be locked down once a deployment is

> If so, how can I restrict the verification in such a way that only
> assertions from my own auth server will be accepted?

There's a setting called "allowed_issuers" to control this, which we use in
production to restrict things to just the main Firefox Accounts server.
But your email made me realize it's not well documented, so I've added a
note to the bundled config file here:

And to the self-hosting docs here:

Hope this helps!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Sync-dev mailing list