Re: FxA application registration request: Firefox for Fire TV

[Vlad Filippov]

Michael,

We've chatted a bit on Slack to get this working. Let us know if you need
further assistance!

Vlad

On Wed, Jul 3, 2019 at 1:45 AM Michael Comella  wrote:

> Hi Shane,
>
> On Tue, Jul 2, 2019 at 4:22 AM Shane Tomlinson 
> wrote:
>
>> Hi Mike,
>> Those docs are a bit out of date now and need to be updated (on Q3's OKR
>> list), sorry for the confusion. It shouldn't be a problem to get you set up
>> with OAuth credentials.
>>
>> As mentioned in the docs development occurs against the
>> https://stable.dev.lcip.org FxA stack. stable is a prod-like stack that
>> is updated every Thursday. Note that it's user database is distinct to
>> https://accounts.firefox.com, so developers will need to create and
>> verify an account there to sign into the app. OAuth credentials for
>> https://accounts.firefox.com are reserved for your beta/production apps.
>>
>> I have created a PR to provision creds
>>  on
>> https://stable.dev.lcip.org for you. If that looks good to you, we can
>> get that deployed soon.
>>
>
> Given my limited knowledge, this looks good to me.
>
> When would create beta/production credentials?
>
>>
>> Will Firefox for Fire TV access Sync data? I'm assuming so.
>>
>
> In the short term (Q3), we only intend to receive tabs. We have no current
> plans to use sync data otherwise.
>
>>
>> I know from speaking to Chenxia that there are a few wriggles that need
>> to be ironed out for Fx for Fire TV, especially around navigation and
>> input. Email verification is going to be interesting too, I wonder if users
>> will find it obvious how to verify their email. We have been talking about
>> making all users verify their email address by typing a TOTP-like code
>>  that is sent to their email
>> address, in this case, since Firefox for Fire TV is input constrained, it
>> might make sense to have continue with the existing behavior and have users
>> click a link instead.
>>
>
> Our intent is to land a proof-of-concept FxA sign in integration ASAP to
> be able to test all the flows on device and figure out the optimal user
> experience. Bram, our UX designer, may have already done some research with
> your team here but fwiw, I'm missing context on it.
>
> Thanks for the quick response – let me know if you have any questions or
> suggestions for me! I don't have much context on the FxA integration so I'm
> currently in the process of figuring it out in this issue
> .
> - Mike
>
>>
>> Shane
>>
>> On Tue, Jul 2, 2019 at 2:17 AM Michael Comella 
>> wrote:
>>
>>> Hey dev-fxacct (CC firefox-tv list for context),
>>>
>>> The Firefox for Fire TV app is integrating FxA sign in and I'd like to
>>> get credentials to enable sign in. I don't fully understand the
>>> documentation
>>> 
>>> – it suggests that our app is an "OAuth relier" (what does that mean?) and
>>> that we have a "service" (is the app considered a service?) – but from
>>> reading the docs and looking at samples
>>> ,
>>> I think if we provide the following info, we can get credentials to allow
>>> users to log into FxA:
>>>
>>> name: "Firefox for Fire TV"
>>> redirect_uri: https://accounts.firefox.com/oauth/success/
>>>
>>> fwiw, like the sample linked above, we'd intend to intercept the
>>> redirect URL, grab the returned credentials, and redirect the user to a
>>> native UI screen (as per our mocks)
>>> . Additionally, since we
>>> can't create additional WebViews on Fire OS and we only support a single
>>> tab, we have to use the user's current browsing session so we'd consider
>>> removing the FxA sign in pages from the user's browsing history.
>>>
>>> Let me know if there are any issues. Thanks!
>>> - Mike
>>> ___
>>> Dev-fxacct mailing list
>>> Dev-fxacct@mozilla.org
>>> https://mail.mozilla.org/listinfo/dev-fxacct
>>>
>> ___
> Dev-fxacct mailing list
> Dev-fxacct@mozilla.org
> https://mail.mozilla.org/listinfo/dev-fxacct
>
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

Merging oauth-server into auth-server

[Vlad Filippov]

Hi all,

We are in the process of merging the oauth-server into auth-server[1]. This
has been a proposal for several years now. The best time to do this was
years ago, the second best time is now.

Short-term benefits:
- Support Reference Browser login flow
- Support Send Tab + OAuth projects
- Better developer ergonomics

Long-term benefits:
- Ability to send emails and push notifications based on OAuth actions
- Simplifying auth-server architecture
- Hopefully getting rid of assertions
- and more!

Let me know if you have thoughts on this change,
Vlad




[1] - https://github.com/mozilla/fxa-auth-server/issues/2668
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

Re: Testing Notes with the new Firefox Accounts Android component

[Vlad Filippov]

No worries! Take your time

Vlad

On Fri, Jul 27, 2018, 11:34 Paul Oiegas  wrote:

> Hey Vlad,
>
> Due to high amount of work today we somehow omitted to confirm via email
> that we have started looking over the flow. Sorry for that, but I assume
> you have seen the issues logged until now and you figured out this already.
> We'll continue testing it on Monday and will send the results at EOD.
>
> Have a nice weekend,
> Paul
>
> On 7/26/2018 20:14, Vlad Filippov wrote:
>
> Dear TestPilot-QA and others,
>
> "Notes by Firefox" has switched to the new Firefox Accounts Android
> component
> <https://github.com/mozilla-mobile/android-components/tree/master/components/service/firefox-accounts>
> for authentication starting with build v2859
> <https://s3-us-west-2.amazonaws.com/fxa-dev-bucket/notes/notes-1_0-qa-v2859.apk>.
>
>
> Please test the new login flow if possible,
>
> Vlad
>
>
> --
> Oiegas Paul Marius
> Team Lead, QA Community
> <http://www.softvision.com>
>
> The content of this communication is classified as Softvision Confidential
> and Proprietary Information.
>
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

Testing Notes with the new Firefox Accounts Android component

[Vlad Filippov]

Dear TestPilot-QA and others,

"Notes by Firefox" has switched to the new Firefox Accounts Android
component

for authentication starting with build v2859

.

Please test the new login flow if possible,

Vlad
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

Keeping fxa-local-dev up to date...

[Vlad Filippov]

fxa-local-dev  got several
component updates in the last month. At this time the `npm run update`
script won't fully pick up these changes. To make sure your local-dev works
properly I suggest the following:

0. Make sure you have Docker running.
1. Save your work in branches.
2. From the `fxa-local-dev` directory, run `npm run update` then `npm
install` then `npm run update` again.

The new check.sh

script should also tell you if any of your dependencies are missing.

Vlad
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

Please check your FxA WebSessions

[Vlad Filippov]

We want to bring back the "WebSession" view in the FxA settings.
Please visit
https://accounts.firefox.com/settings/clients?sessionsListVisible=true (special
query param) and see if there is anything weird in that view, such as very
old WebSessions, "null", "NaN" or other stranger things

Thank you!
Vlad
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

FxA + Notes + Lockbox Updates - November 22, 2017

[Vlad Filippov]

Hello all,

Some updates on Notes  + Lockbox
 + FxA "scoped key" integration:

   - FxA Scoped Keys
   

   are planned to be enabled in production on *November 27th.*
   - There is a new test environment at
https://latest-keys.dev.lcip.org. *Please
   switch* to that server instead of using the old `oct10` server. The
   derived keys on the new server will NOT match the old ones.
   - First QA build of Notes with Sync
   using production is planned
   for *November 28th.*
   - fxa-crypto-relier  2.1.0 has
   been published to npm
   - Python test vectors for scoped keys are also available
   
.
   (Thanks Ryan!)
   - /.well-known/openid-configuration endpoint is now available via CORS
   . Example:
*https://latest-keys.dev.lcip.org/.well-known/openid-configuration
   * (Thanks
   Shane!)
   - The plan is to use the same Kinto instance for Notes and Lockbox. This
   requires changes to Kinto, pull request
    is already in
   progress.


Remy, could you please switch the Kinto dev server to use the new dev
deploy `https://latest-keys.dev.lcip.org` instead of the old server?

Thanks!
Vlad
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

Firefox Notes + FxA Updates - October 10, 2017

[Vlad Filippov]

Hello all,

Some updates on Notes and FxA "scoped key" integration:

- *Notes 2.0.0a2 is available now with improved sync functionality.* You
can download it here: https://github.com/mozilla/notes/files/1371823/
addon-2.0.0a2.zip
Thanks to
everyone who tested this so far. Please file issues at
https://github.com/mozilla/notes/issues. (This still uses FxA *development*
servers).

- We have landed a lot of supporting code in fxa-oauth-server for the
scoped key flow. At this time there is no more pending work on the
fxa-oauth-server. There is a remaining fxa-content-server pull request
https://github.com/mozilla/fxa-content-server/pull/5569 that will make this
feature usable in production. However we will not be merging that pull
request until the security reviews are complete.

- The latest code is now deployed to
https://scoped-keys-oct10.dev.lcip.org/ and
used by Notes in this commit of the Notes Sync pull request:
https://github.com/mozilla/notes/pull/241/commits/38f06432b86069038afc84b4dca9751eb2eb38e7



Have a great week!

Vlad
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

Article: Google launches new security features to protect users from unverified OAuth apps

[Vlad Filippov]

"Based on this risk assessment, some web applications will require a manual
review. Until the review is complete, users will not be able to approve the
data permissions, and we will display an error message instead of the
permissions consent page."

See article:
https://developers.googleblog.com/2017/05/updating-developer-identity-guidelines.html?m=1
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

meeting summary: FxA Web Coordination, 2017-02-02

[Vlad Filippov]

* Train-79 release
  coming soon..., a few config changes remain
  Do we need a new SQS queue? We are going to create one...

* Train-80 cut - next week
  Quick fix for empty sessionToken:
https://github.com/mozilla/fxa-content-server/pull/4666
  Token error fix: https://github.com/mozilla/fxa-content-server/pull/4688
  iOS Fix: https://github.com/mozilla/fxa-content-server/pull/4682

* Send SMS
  pb has a couple of PRs
  auth-mailer: https://github.com/mozilla/fxa-auth-mailer/pull/254 (this
needs changes, i didn't realise the auth mailer is called in-process)
  auth-server: https://github.com/mozilla/fxa-auth-server/pull/1635 (work
is happening in a different branch now)
  vbudhram has a customs-server patch -
https://github.com/mozilla/fxa-customs-server/pull/161
  JS client patch coming soon
  stomlinson and rfeeley met to discuss existing UI
  rfeeley requests everything but digits be ignored, so a user could type
"320a215  !@#  1233" and that'd be a valid phone number. o_O

  Time to move the feature doc to GitHub?
Sure, why not, stomlinson to do.
  Connect-another-device test plan has been updated to make use of tables
and images - much nicer - https://github.com/mozilla/fxa/pull/214
  Thanks for the feedback rfeeley and adavis

* Firefox for iOS
  Send `login` in more cases to Fx for iOS
  https://github.com/mozilla/fxa-content-server/pull/4682
  st3fan said it works!
  asked vbudhram to review

* Helping other teams test against FxA prod servers
  Kit Cambridge is asking how to do it
Can they use stable instead?
  FxiOS asked similar question (skip confirmation)
  From devops, it would be better to test against stable and not prod.

* ulfr wants to dockerize and fuzz FxA with Microsoft's Springfield

* rfeeley wants to discuss the password strength meter
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

Soon Google will no longer allow OAuth requests to Google in web-views

[Vlad Filippov]

Hello all,

See article here:
https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

```
In contrast, the outdated method of using embedded browsers for OAuth means
a user must sign-in to Google each time, instead of using the existing
logged-in session from the device. The device browser also provides
improved security as apps are able to inspect and modify content in a
web-view, but not content shown in the browser.
```

Vlad
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct

Re: Project call overlaps with Web Coordination & Bug Scrub

[Vlad Filippov]

> Well, today is also the end of train-44. Zaach (or other) can you tag
fxa-content-server? Thanks.

Wait, what? Didn't we just have a train planning meeting last week?

Vlad.

On Mon, Aug 17, 2015 at 11:12 AM, John Morrison 
wrote:

> Well, today is also the end of train-44. Zaach (or other) can you tag
> fxa-content-server? Thanks.
>
> John
>
>
> On 08/17/15 07:53, Shane Tomlinson wrote:
>
>> Heya!
>>
>> Vlad just brought up that today's Mozilla internal meeting overlaps with
>> the FxA Web Coordination and Bug Scrub meetings.
>>
>> Since we have an FxA wide meeting later today, there seems to be no real
>> harm in canceling the web coordination meeting and asynchronously filling
>> out our status in the etherpad [1].
>>
>> I propose we move bug scrub to tomorrow at the same time. What do folks
>> think?
>>
>> Shane
>>
>> ---
>>
>> [1] - https://id.etherpad.mozilla.org/fxa-web-coordination
>>
>
>
___
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct