
work with tokenserver

Open jbalogh opened this issue 13 years ago • 0 comments

1. User signs into Firefox with BrowserID.
2. Notifications are turned on for the first time, so Firefox sends a
BrowserID assertion to the token server.
3. Firefox gets a token and a node URL like
https://notifications01.services.mozilla.org/u/1234.
4. Firefox sends requests to the notifications server prefixed with
that URL and token and we authenticate user "1234" with their token.
5. Firefox sets up a long-running websocket connection with the same
URL prefix and token.

Yep, that's the basic flow. There's also these pages for reference if you haven't already seen them:

https://wiki.mozilla.org/Services/Sagrada/ServiceClientFlow
http://docs.services.mozilla.com/token/user-flow.html

You don't explicitly mention it above, so it's worth pointing out: the tokenserver gives you back both a token and a secret key, and you must use the secret key to sign requests to the node URL.

#5 won't work because the websocket servers live at different addresses than the HTTP API (they're not behind zeus). How would I do authentication there?

If the HTTP API and the websocket API are able to use the same "node master secret" then the auth token can be used at both locations:

https://wiki.mozilla.org/Services/Sagrada/TokenServer#Secrets

I've no idea how you would sign a websocket request though. If you need to, you can use the token as a simple "bearer token" authenticator instead of signing requests with the secret key, but this isn't recommended.

Does the token server make sure that the user's BrowserID assertion always maps to user id "1234" at notification01.services? Should I be using 1234 as my permanent user id in my User table?

Yes. The tokenserver ensures that each email address maps to a fixed userid and endpoint node. I don't believe there is any provision for the user to change their email address at this point.

At least for sync, it's possible for the user to be migrated to a different endpoint URL at any time due to e.g. hardware failure. How this applies to other services I don't know.

I found https://github.com/mozilla-services/mozservices/tree/master/mozsvc/user but I'm not sure how I'd use it in my code to get a user id.

This assumes you're building a pyramid app, not the websockety thing. You can include it into your configurator like so:

```python
config.include("mozsvc.user.whoauth")
```

You add a pointer to the file with the node master secrets in your configuration file:

```ini
[who.plugin.macauth]
secrets_file = /var/notifications/secrets
```

And then you can grab the authenticated userid out of the request like this:

```python
def some_view(request):
    uid = request.user["uid"]
```

Some more details here:

https://wiki.mozilla.org/Services/Sagrada/ServerDevGuide

jbalogh avatar May 04 '12 20:05 jbalogh
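The flow discussed in this issue, as an added worked model rather than code from tokenserver, mozsvc or the notifications project: the tokenserver mints a token plus a secret key, the client signs each request to the node URL with that key, and any node holding the shared "node master secret" re-derives the key and checks the signature to recover the uid. The token layout, the key derivation, the header format and the 60-second clock-skew window are assumptions made for the example; `verify_bearer_token` shows the weaker websocket fallback the thread mentions, where only the token itself is validated.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlsplit

# Constructed stand-in for the "node master secret" shared by the tokenserver
# and every service node (HTTP API and websocket servers alike).
NODE_MASTER_SECRET = b"constructed-node-master-secret-not-a-real-key"
TOKEN_TTL_SECONDS = 3600     # assumed token lifetime
MAX_CLOCK_SKEW = 60          # assumed tolerance on the request timestamp


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(uid, node, master_secret=NODE_MASTER_SECRET, now=None):
    """Tokenserver side: mint a token and the secret key that goes with it."""
    now = time.time() if now is None else now
    claims = {"uid": uid, "node": node, "expires": now + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(master_secret, payload, hashlib.sha256).digest()
    token = _b64(payload) + "." + _b64(sig)
    # The secret key is derived from the token itself, so any node that holds
    # the master secret can re-derive it without a database lookup.
    key = hmac.new(master_secret, token.encode(), hashlib.sha256).hexdigest()
    return token, key


def _check_token(token, master_secret, now):
    """Validate the token's signature and expiry; return its claims or None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(master_secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # not minted with our master secret, or tampered with
    claims = json.loads(payload)
    return None if claims["expires"] < now else claims


def _normalized(ts, nonce, method, url):
    """The string both sides MAC: timestamp, nonce, method, path, host, port."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    path = p.path + ("?" + p.query if p.query else "")
    return "\n".join([str(ts), nonce, method.upper(), path, p.hostname, str(port), ""]).encode()


def sign_request(method, url, token, key, ts=None, nonce=None):
    """Client side: Authorization header binding this request to the token."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(key.encode(), _normalized(ts, nonce, method, url), hashlib.sha256).digest()
    return f'MAC id="{token}", ts="{ts}", nonce="{nonce}", mac="{_b64(mac)}"'


def verify_request(method, url, header, master_secret=NODE_MASTER_SECRET, now=None, seen_nonces=None):
    """Service side (HTTP API): return the authenticated uid, or None."""
    now = time.time() if now is None else now
    try:
        scheme, _, rest = header.partition(" ")
        if scheme != "MAC":
            raise ValueError("not a MAC header")
        f = {k: v.strip('"') for k, _, v in (i.partition("=") for i in rest.split(", "))}
        token, ts, nonce, mac = f["id"], int(f["ts"]), f["nonce"], _unb64(f["mac"])
    except (KeyError, ValueError):
        return None
    claims = _check_token(token, master_secret, now)
    if claims is None or abs(now - ts) > MAX_CLOCK_SKEW:
        return None
    if seen_nonces is not None:
        if (token, nonce) in seen_nonces:
            return None  # replayed request
        seen_nonces.add((token, nonce))
    key = hmac.new(master_secret, token.encode(), hashlib.sha256).hexdigest()
    expected = hmac.new(key.encode(), _normalized(ts, nonce, method, url), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None  # URL or method changed, or signed with the wrong key
    return claims["uid"]


def verify_bearer_token(token, master_secret=NODE_MASTER_SECRET, now=None):
    """Websocket fallback: the token alone, with no binding to the request."""
    # Weaker than verify_request: whoever observes the token can reuse it for
    # any request until it expires, which is why the thread discourages this.
    now = time.time() if now is None else now
    claims = _check_token(token, master_secret, now)
    return None if claims is None else claims["uid"]
```

The design point is that the node never stores per-user keys: the master secret alone is enough to validate the token and re-derive the signing key, which is what lets the HTTP API and the websocket servers authenticate the same token as long as both hold the same master secret. Pass a shared `seen_nonces` set across requests for the replay check to be meaningful.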