Hi Nikolaus, Sorry for the delay in replying here, I'm still catching up on a few emails from over the holiday break.
On 3 January 2018 at 12:44, Nikolaus Thümmel <[email protected]> wrote:

> I'm experimenting with a self-hosted Firefox syncserver and auth server
> stack, which is working fine so far. I wonder, however, how the syncserver
> verifies the account assertions it gets from the browser / auth server. As
> I have not configured any auth-server-related information in the
> syncserver.ini, I doubt there is any verification at all - is that correct?
> Does that mean the syncserver trusts assertions created by _any_ auth
> server, not just the one I am hosting?

You're correct, by default it will allow (properly formatted and signed) assertions from any issuer, and will namespace the users appropriately so that they don't collide. This is very helpful while getting up and running, but indeed it should probably be locked down once a deployment is stable.

> If so, how can I restrict the verification in such a way that only
> assertions from my own auth server will be accepted?

There's a setting called "allowed_issuers" to control this, which we use in production to restrict things to just the main Firefox Accounts server. But your email made me realize it's not well documented, so I've added a note to the bundled config file here:

https://github.com/mozilla-services/syncserver/commit/1cd91041a4dba877c6e526e01770e514e2ba0d45

And to the self-hosting docs here:

https://github.com/mozilla-services/docs/commit/2a06ff1c705864a8e930255d15c7cac17dc8c3dd

Hope this helps!

Ryan
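To make the two behaviours discussed above concrete, here is an added example (not syncserver's own code) that models the issuer policy: with no allowed_issuers set, any issuer is admitted and users are namespaced per issuer; with it set, assertions from other issuers are rejected. The assertions are constructed, signature checking is assumed to have already happened, and the `[syncserver]` section name and comma-separated list form are assumptions about the ini layout.

```python
import configparser
from typing import Optional

# Constructed stand-ins for the BrowserID assertions a browser presents.
# Only the issuer and account email matter for the policy shown here;
# the signature is assumed to have been verified already.
ASSERTIONS = [
    {"issuer": "fxa.example.org", "email": "alice@example.org"},
    {"issuer": "other-fxa.example.net", "email": "alice@example.org"},
]

# Default-style config: no allowed_issuers, so any signed issuer is accepted.
INI_OPEN = """
[syncserver]
public_url = https://sync.example.org/
"""

# Locked-down config (section name and list format are assumptions).
INI_LOCKED = """
[syncserver]
public_url = https://sync.example.org/
allowed_issuers = fxa.example.org
"""


def load_allowed_issuers(ini_text: str) -> Optional[frozenset]:
    """Return the issuer allowlist, or None when the setting is absent."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    raw = cfg.get("syncserver", "allowed_issuers", fallback=None)
    if raw is None:
        return None  # open: accept any properly signed issuer
    return frozenset(i.strip() for i in raw.split(",") if i.strip())


def admit(assertion: dict, allowed: Optional[frozenset]) -> Optional[str]:
    """Return the namespaced user id if admitted, otherwise None."""
    issuer = assertion["issuer"]
    if allowed is not None and issuer not in allowed:
        return None
    # Namespacing by issuer: the same email from two issuers is two users,
    # so an unexpected issuer cannot collide with a real account.
    return f"{issuer}/{assertion['email']}"


def apply_policy(ini_text: str, assertions: list) -> list:
    """Run every assertion through the policy derived from the ini text."""
    allowed = load_allowed_issuers(ini_text)
    return [admit(a, allowed) for a in assertions]
```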
_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev

