Firefox syncserver + self-hosted auth server verification

Ryan Kelly rfkelly at mozilla.com
Wed Jan 10 04:53:15 UTC 2018


Hi Nikolaus,

Sorry for the delay in replying here, I'm still catching up on a few emails
from over the holiday break.

On 3 January 2018 at 12:44, Nikolaus Thümmel <fxacct-ml at ntcomputer.de>
wrote:

> I'm experimenting with a self-hosted Firefox syncserver and auth server
> stack, which is working fine so far. I wonder, however, how the syncserver
> verifies the account assertions it gets from the browser / auth server. As
> I have not configured any auth-server-related information in the
> syncserver.ini, I doubt there is any verification at all - is that correct?
> Does that mean the syncserver trusts assertions created by _any_ auth
> server, not just the one I am hosting?


You're correct, by default it will allow (properly formatted and signed)
assertions from any issuer, and will namespace the users appropriately so
that they don't collide.  This is very helpful while getting up and
running, but indeed it should probably be locked down once a deployment is
stable.


> If so, how can I restrict the verification in such a way that only
> assertions from my own auth server will be accepted?
>

There's a setting called "allowed_issuers" to control this, which we use in
production to restrict things to just the main Firefox Accounts server.
But your email made me realize it's not well documented, so I've added a
note to the bundled config file here:

https://github.com/mozilla-services/syncserver/commit/1cd91041a4dba877c6e526e01770e514e2ba0d45

And to the self-hosting docs here:

https://github.com/mozilla-services/docs/commit/2a06ff1c705864a8e930255d15c7cac17dc8c3dd

Hope this helps!


  Ryan
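To illustrate the two behaviours described in this reply (per-issuer namespacing of users by default, and locking the server down to an issuer allow-list), here is an added Python sketch; it is not syncserver's or tokenserver's own code, and the claim field names, the `accept` function and the `allowed_issuers=None` convention are assumptions made for this example.

```python
# Added illustration, not the project's code: how an issuer allow-list and
# per-issuer user namespacing interact. Assumes the BrowserID assertion has
# already been cryptographically verified and reduced to its claims.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class VerifiedAssertion:
    # Claims a BrowserID verifier hands back after checking the signature
    # chain (hypothetical field names chosen for this example).
    email: str
    issuer: str
    audience: str


def normalize_issuer(issuer: str) -> str:
    # Compare issuers as bare, lower-cased hostnames so that
    # "https://Auth.example.com/" and "auth.example.com" are the same issuer.
    issuer = issuer.strip().lower()
    for prefix in ("https://", "http://"):
        if issuer.startswith(prefix):
            issuer = issuer[len(prefix):]
    return issuer.rstrip("/")


def accept(assertion: VerifiedAssertion,
           expected_audience: str,
           allowed_issuers: Optional[Iterable[str]] = None) -> Optional[str]:
    """Return the namespaced user id, or None if the assertion is rejected.

    allowed_issuers=None models the permissive default from the thread: any
    (properly signed) issuer is accepted.  A list of hostnames restricts
    acceptance to those issuers only.
    """
    # The audience must be this server's public URL, otherwise an assertion
    # minted for some other relying party could be replayed here.
    if assertion.audience != expected_audience:
        return None
    issuer = normalize_issuer(assertion.issuer)
    if allowed_issuers is not None:
        allowed = {normalize_issuer(i) for i in allowed_issuers}
        if issuer not in allowed:
            return None
    # Namespace by issuer so the same email from two different auth servers
    # maps to two distinct users and cannot collide.
    return f"{issuer}/{assertion.email.lower()}"
```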