On 2014-12-09, 3:40 PM, Simon Grätzer wrote:
An app would only need the authPW and the unwrapBkey, generated during the 
credentials setup, right?

https://github.com/mozilla/fxa-js-client/blob/master/client/lib/credentials.js#L66

On 09.12.2014 at 18:34, Edwin Wong <[email protected]> wrote:

It would be great if we could sign into FxA via OAuth in the firefox.com 
domain. So users don’t have to hand their password to a 3rd party. I don’t know 
of a facility that would enable this inside an iOS/Android app.

There are two things being discussed here:

1) FxA provisioning OAuth credentials. This facilitates "scoped logins" and is suitable for web use. It's a redirect-based flow, IIRC, and there is a vague plan to make this usable to more than Mozilla web properties.

2) FxA providing Sync keys. The scheme suggested above, where the App "only needs" authPW and unwrapBkey, gives the requesting App *complete control of the Firefox Account*. That's not a thing that should be handed to any 3rd party, ever.

We have discussed exposing "scoped cryptographic keys" to 3rd party Apps and/or web content, but I have heard of no particular plans to implement anything in this direction.

Nick
_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
