TL;DR: we plan to add support for an OAuth protocol extension called "PKCE"
to help webextensions and mobile apps get connected to FxA; feedback
welcome.


Hi All,

The OAuth reliers that we've added to FxA so far have all been what RFC6749
calls "confidential clients" - applications running in a secure environment
such as a webserver where they can maintain confidentiality of a secret,
and use that secret to authenticate themselves to our service.

As we look towards integrating FxA into WebExtensions and standalone Mobile
apps, we need to solidify our story for supporting "public clients" -
applications that run entirely on the user's machine and so cannot embed
any secret tokens with which to authenticate to our service.

Such apps are, unfortunately, more vulnerable to having their OAuth login
flow snooped by other code running on the user's device.

The recommended approach is for public clients to use an extension to the
OAuth code flow called "Proof Key for Code Exchange" (aka "PKCE", aka
"pixie") to secure their login flows against other applications.  You can
read all the details in the RFC if you're curious:

  https://tools.ietf.org/html/rfc7636

But you might find these higher-level articles more approachable, since the
core of the protocol is quite straightforward:

  https://auth0.com/docs/api-auth/grant/authorization-code-pkce

  https://medium.com/@justinsecurity/mobile-apps-and-oauths-implicit-flow-68e72c6515a1

We intend to add PKCE support to oauth.accounts.firefox.com as part of our
webextension prototyping work this quarter.  If you're curious about these
things, or want to learn more about the implications from a security
perspective, please give the above docs a read and follow up here on the
list with any questions or concerns.

:ulfr and :g-k, I've cc'd you for visibility on this change.  It's a
relatively small amount of code to implement a well-regarded spec, so it
feels fairly low-risk to me, but let me know if you think it warrants more
formal review with your team and I will set something up.


  Cheers,

    Ryan
_______________________________________________
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

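The PKCE exchange the mail refers to, as an added worked example that is not part of the original post and not FxA's code. The client side generates a high-entropy code_verifier, sends only its SHA-256 "S256" challenge with the authorization request, and presents the verifier at the token endpoint; the authorization server here is a hypothetical in-memory stand-in (the class, the client_id string and the single-use-code policy are assumptions for the demo), and the flow also shows what happens when another app on the device snoops the authorization code but not the verifier, and when a code is replayed.

```python
"""Added example of RFC 7636 (PKCE) in plain Python: public client side plus a
hypothetical in-memory authorization server. Not code from the mail or from FxA."""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 section 4.1: a code_verifier is 43..128 chars from [A-Za-z0-9-._~].
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding with the '=' padding stripped, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (the RFC's recommended minimum entropy)."""
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory authorization server (an assumption, not oauth.accounts.firefox.com)."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Only S256 is accepted here; 'plain' gives no protection if the challenge is observed.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        # An S256 challenge is exactly 43 base64url characters.
        if not _VERIFIER_RE.match(code_challenge) or len(code_challenge) != 43:
            raise ValueError("malformed code_challenge")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str]):
        # pop() burns the code on first use, successful or not (policy chosen for this demo),
        # so a replayed code fails even when the correct verifier is presented.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        if code_verifier is None or not _VERIFIER_RE.match(code_verifier):
            return None
        # Recompute the challenge from the presented verifier; compare in constant time.
        if not hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


def run_flow() -> dict:
    """Walk the flow: a snooping app that stole the code, the legitimate app, and a replay."""
    server = AuthorizationServer()
    client_id = "public-client-example"  # assumed identifier for the demo
    verifier = make_code_verifier()       # stays inside the legitimate app's memory
    challenge = make_code_challenge(verifier)

    # Scenario A: the app starts the flow (only the challenge crosses the browser), and
    # another app on the device observes the redirect and grabs the code. It never saw
    # the verifier, so its best effort is a freshly made one, which cannot match.
    code_a = server.authorize(client_id, challenge)
    snooper = server.token(client_id, code_a, make_code_verifier())
    # The failed attempt burned code_a, so the legitimate app must restart the flow:
    # the snooper gets no token, but it can force a retry.
    legit_after_snoop = server.token(client_id, code_a, verifier)

    # Scenario B: the legitimate app redeems its own code, then the code is replayed.
    code_b = server.authorize(client_id, challenge)
    legit = server.token(client_id, code_b, verifier)
    replay = server.token(client_id, code_b, verifier)

    return {
        "snooper_succeeded": snooper is not None,
        "legit_after_snoop_succeeded": legit_after_snoop is not None,
        "legit_succeeded": legit is not None,
        "replay_succeeded": replay is not None,
    }


if __name__ == "__main__":
    print(run_flow())
```

The verifier is never transmitted until the token request, which is a direct client-to-server call rather than a browser redirect, so code that can observe the redirect (another extension, a registered URL handler) gains only an authorization code it cannot redeem. The Appendix B vector from RFC 7636 (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a useful check for any S256 implementation.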