> > Any amendments or additions to this list?
>
> One small one. When the user resets their password (and thus kB changes, and thus any derived OAuth keys change), there should be a well-documented way for applications to detect this.
The lifespan of a key should probably not be different to that of an authenticated session; if it is, we run the risk of allowing a client to write data with a key that no other client can read, until eventually its session expires and it learns the new key. In Sync we use X-Client-State to avoid this. Key changes shouldn't come down to an eventual HMAC error, else app developers will screw it up.
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
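The explicit key-change signal the reply argues for, as an added example that is not part of the thread and not Sync's or FxA's own code: a toy storage node compares the client's X-Client-State header with the state it last saw and answers "key-changed" instead of letting a stale client hit an HMAC error. Assumptions: the client state is the first 16 bytes of SHA-256(kB) hex-encoded (the Sync convention, not stated in the thread), the HMAC-key derivation and the generation counter are illustrative, and all names are constructed.

```python
import hashlib
import hmac

def client_state(kB: bytes) -> str:
    """X-Client-State for kB. Assumption: first 16 bytes of SHA-256(kB), hex-encoded."""
    return hashlib.sha256(kB).digest()[:16].hex()

def sign(kB: bytes, payload: bytes) -> bytes:
    """Record MAC under a key derived from kB (toy derivation, not Sync's real key schedule)."""
    key = hmac.new(kB, b"storage-hmac-key", hashlib.sha256).digest()
    return hmac.new(key, payload, hashlib.sha256).digest()

class StorageNode:
    """Constructed toy server: per user, the client state and the generation
    (e.g. a password-reset counter) that last rotated it."""
    def __init__(self):
        self.state = {}    # uid -> (client_state, generation)
        self.records = {}  # uid -> (payload, mac)

    def rotate(self, uid, cs, generation):
        """A client presenting a new kB moves the node to it. Older generations are
        refused so a client still holding the pre-reset key cannot roll it back."""
        cur = self.state.get(uid)
        if cur and generation <= cur[1]:
            return "stale-generation"
        self.state[uid] = (cs, generation)
        self.records.pop(uid, None)  # wipe data the new key could never read
        return "rotated"

    def _matches(self, uid, cs):
        cur = self.state.get(uid)
        return cur is not None and cur[0] == cs

    def put(self, uid, cs, payload, mac):
        if not self._matches(uid, cs):
            return "key-changed"  # explicit signal, not a later HMAC surprise
        self.records[uid] = (payload, mac)
        return "ok"

    def get(self, uid, cs):
        if not self._matches(uid, cs):
            return "key-changed"
        return self.records.get(uid)

def read_record(node, uid, kB):
    """Client-side read: the header check fires before any MAC is verified."""
    res = node.get(uid, client_state(kB))
    if res in ("key-changed", None):
        return res
    payload, mac = res
    if not hmac.compare_digest(mac, sign(kB, payload)):
        return "hmac-error"
    return payload
```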

