Is the enforcement of "allowed_issuers" being tested in the token server 
anywhere?

Longer term it would be nice for "allowed_issuers" to be supported in the 
verifier. There are lots of opportunities for mistakes here. We're asking 
reliers to use a more general purpose verifier for a specific use case, and 
relying on them to do the right security checks. Recipe for problems.

-chris


On Mar 6, 2014, at 9:59 PM, Ryan Kelly <[email protected]> wrote:

> On 7/03/2014 4:41 PM, Benson Wong wrote:
>> Small correction. The proper URL is https://token.STAGE.mozaws.net
> 
> Ugh, indeed, thanks. There could not have been a worse spot for a typo
> in that entire email!  Let me practice that one more time:
> 
>  https://token.stage.mozaws.net
> 
> 
>  Cheers,
> 
>    Ryan
> 
> 
>> On Mar 6, 2014, at 8:00 PM, Ryan Kelly <[email protected]> wrote:
>> 
>>> 
>>> Hi All,
>>> 
>>> 
>>> The latest production push of tokenserver brought a subtle change in
>>> behaviour that might impact folks testing our various staging and dev
>>> environments.  It now *only* accepts assertions issued by the production
>>> Firefox Accounts server, rather than accepting BrowserID assertions from
>>> any valid issuer.
>>> 
>>> Normal users should not see any difference due to this change, but it
>>> will be visible if e.g. you've previously tested the dev FxA server in
>>> combination with the prod Tokenserver.
>>> 
>>> The details of the change are discussed here:
>>> 
>>>    https://github.com/mozilla-services/tokenserver/issues/50
>>> 
>>> To test the entire login+sync flow from the FxA dev or staging
>>> environments, please use the staging tokenserver instance at:
>>> 
>>>    https://token.state.mozaws.net
>>> 
>>> This will happily accept assertions from the following issuers:
>>> 
>>>     api.accounts.firefox.com
>>>     api-accounts.stage.mozaws.net
>>>     api-accounts-dev.stage.mozaws.net
>>>     mockmyid.com
>>> 
>>> 
>>> Cheers,
>>> 
>>>   Ryan
>>> _______________________________________________
>>> Sync-dev mailing list
>>> [email protected]
>>> https://mail.mozilla.org/listinfo/sync-dev
>> 
> 

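The check Chris is asking about, an "allowed_issuers" enforcement step applied after a BrowserID assertion has been verified, as an added example that is not the tokenserver's own code. It assumes the verifier returns a dict with "status", "email" and "issuer" keys (the usual BrowserID verifier response shape), uses the four issuers from Ryan's email as the configured allow-list, and the function and exception names are hypothetical; the sample responses are constructed.

```python
"""Issuer allow-list enforcement for verified BrowserID assertions.

Added example, not code from the tokenserver project. Assumes the
verifier response is a dict shaped like a BrowserID verifier reply:
{"status": "okay", "email": ..., "issuer": ...}.
"""

# The issuers the staging tokenserver accepts, per the original email.
ALLOWED_ISSUERS = (
    "api.accounts.firefox.com",
    "api-accounts.stage.mozaws.net",
    "api-accounts-dev.stage.mozaws.net",
    "mockmyid.com",
)


class IssuerNotAllowed(Exception):
    """Raised when an otherwise valid assertion comes from an unlisted issuer."""


def normalize_issuer(issuer):
    """Hostnames are case-insensitive and may carry a trailing dot, so
    'Api.Accounts.Firefox.Com.' must compare equal to 'api.accounts.firefox.com'.
    Returns None for anything that is not a usable hostname string."""
    if not isinstance(issuer, str):
        return None
    issuer = issuer.strip().lower().rstrip(".")
    return issuer or None


def enforce_allowed_issuer(verifier_response, allowed_issuers=ALLOWED_ISSUERS):
    """Return the asserted email only if the assertion verified AND its
    issuer is on the allow-list; raise IssuerNotAllowed otherwise.

    Fails closed: an empty allow-list rejects everything, and a missing or
    malformed issuer field is rejected rather than silently ignored.
    """
    if verifier_response.get("status") != "okay":
        raise IssuerNotAllowed("assertion did not verify")
    allowed = {normalize_issuer(i) for i in allowed_issuers} - {None}
    if not allowed:
        raise IssuerNotAllowed("allowed_issuers is empty; rejecting all assertions")
    issuer = normalize_issuer(verifier_response.get("issuer"))
    # Exact match only. A suffix or substring test would also accept any
    # unrelated hostname that merely ends with or contains an allowed name.
    if issuer not in allowed:
        raise IssuerNotAllowed("issuer %r is not in allowed_issuers" % (issuer,))
    return verifier_response["email"]


def issuer_is_allowed(verifier_response, allowed_issuers=ALLOWED_ISSUERS):
    """Boolean wrapper around enforce_allowed_issuer, handy for tests and logging."""
    try:
        enforce_allowed_issuer(verifier_response, allowed_issuers)
        return True
    except IssuerNotAllowed:
        return False


# Constructed sample verifier responses (not captured traffic).
SAMPLE_OK = {"status": "okay", "email": "user@example.com",
             "issuer": "api-accounts.stage.mozaws.net"}
SAMPLE_UNLISTED = {"status": "okay", "email": "user@example.com",
                   "issuer": "example.org"}
# Ends with an allowed name but is a different host; exact matching rejects it.
SAMPLE_LOOKALIKE = {"status": "okay", "email": "user@example.com",
                    "issuer": "not-api.accounts.firefox.com"}
SAMPLE_FAILED = {"status": "failure", "reason": "signature did not verify"}

if __name__ == "__main__":
    for name, resp in [("ok", SAMPLE_OK), ("unlisted", SAMPLE_UNLISTED),
                       ("lookalike", SAMPLE_LOOKALIKE), ("failed", SAMPLE_FAILED)]:
        print(name, "->", "accepted" if issuer_is_allowed(resp) else "rejected")
```

Pairing this with a unit test in the token server's own suite is the piece Chris's first question is about: a test that feeds a verified-but-unlisted issuer through the full request path and expects a rejection, so that a regression in the allow-list check cannot ship unnoticed.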