On 7/04/2015 10:57, Kumar McMillan wrote:
> On Apr 5, 2015, at 10:02 PM, Ryan Kelly <[email protected]> wrote:
>
>> On 4/04/2015 00:05, Andy McKay wrote:
>>> tl;dr we need somewhere people can query to see if a purchase has
>>> been completed.
>>>
>>> 1) payments stands up an API that can receive the appropriate bearer
>>> token for that user or
>>
>> I suspect it's not the solution you intend to advocate, but at first
>> glance, this feels like the right shape for the public-facing API of
>> this thing.
>>
>> What downsides do you see to implementing this as a special-purpose API?
>
> The downside I see is that the app selling products needs to talk to two
> parties: 1) FxA for authentication and 2) the payments service for
> receipt validation. Why not just talk to FxA? It seems simpler.
> Everything about a user owning a product points to FxA as a logical
> authority on product ownership in my mind.

I agree that it makes sense for this to live "within FxA".

But we kinda already have this problem within FxA. A relying service
may need to talk to one or more of the following endpoints already:

  oauth.accounts.firefox.com for login
  profile.accounts.firefox.com for user profile data
  (soon) notificaitions.accounts.firefox.com for notifications

And so on. The incremental complexity of adding
"payments.accounts.firefox.com" as another ecosystem service doesn't
seem too high.

There's an obvious discovery problem here, which FxA needs to do a
better job of solving. See e.g.

  https://github.com/mozilla/fxa-auth-server/issues/738

But again, we already have that problem, adding payments to the mix
would not make it any worse IMHO.

Cheers,

  Ryan

