Hi!

TL;DR: We (the Push team) are considering an FxA-based device manager service 
to support upcoming projects. We'd love some guidance on how to best integrate 
this with FxA, particularly for supporting remote logout.

There's already been some discussion about this, mostly in GitHub comment 
threads and Google Docs. Ryan suggested starting a thread on the mailing list, 
so that other folks can chime in.

Over the past few weeks, we've talked about adding push notifications to other 
projects and services. We're also looking at implementing broadcast and 
multicast push. A lot of these need a way to map a user's account to all her 
"Foxes." To that end, we're thinking of building a device manager service that 
exposes the following:

* Endpoints for a device to register and de-register itself (when a user signs 
in to, or out of, Firefox).
* An endpoint for updating an existing device record, such as when its name (in 
Sync prefs) or push endpoint changes.
* Endpoints for other services to list the devices attached to a user's 
account. This can be used for multicast push, as well as services like Find My 
Device and the content server app.
* An endpoint for remote logout, in case a device is lost or stolen.
* An endpoint for deleting a device, which logs the user out remotely and 
deletes the device record from the service.

The first three can be handled by a separate service, but remote logout will 
require some changes to FxA. We'd like this to be equivalent to calling 
`fxAccounts.signOut(true)` on the client [1], where we destroy the session 
token and all OAuth tokens issued to that client. The difference is that this 
call will be made by the device manager service, instead of the client. So, to 
support remote logout, we'll likely need:

* A call to destroy an FxA session token for an account, given an OAuth token.
* Calls to destroy all OAuth tokens issued for a particular session. AIUI, the 
OAuth server currently doesn’t know anything about sessions, so this would be 
tricky. Danny mentioned pulling fxa-oauth-server into fxa-auth-server; would 
this help at all with that?

It looks like the only way to make remote logout work now is for the device 
manager server to persist the user's session token (and any issued OAuth 
tokens!) in its database. This sounds scary—and probably negates the benefits 
of the OAuth server only storing token hashes—but maybe it's not so bad.

Some general questions for discussion:

* Does device manager make sense as a separate service, or should it be part of 
existing FxA services?
* What's the best way to handle remote logout?
* Do we punt on remote logout for device manager entirely? Not a great user 
experience, and makes stale devices more of an issue (particularly for 
multicast push). But, if it's a pain to support currently, we can shave this 
yak another day.

Sorry for the long missive. Hopefully, at least some of it made sense. We're 
happy to move this forward any way we can!

Cheers,
- kit

[1]: https://dxr.mozilla.org/mozilla-central/source/services/fxaccounts/FxAccounts.jsm#810
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
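
An added sketch of the trade-off raised in the message above (not code from the original message, FxA, or the Push service): if the auth side could destroy a session and its OAuth tokens given only a session hash, the device manager would not need to persist usable tokens. Every class, method and field name here is hypothetical, and the in-memory maps stand in for the real databases.

```javascript
const crypto = require('crypto');
// Hypothetical in-memory model; none of these names are FxA or Push APIs.
const sha256 = (t) => crypto.createHash('sha256').update(t).digest('hex');
const newToken = () => crypto.randomBytes(32).toString('hex');

// Assumed auth side: tokens are stored by hash, and each OAuth token row
// records the hash of the session that issued it.
class AuthStore {
  constructor() {
    this.sessions = new Map();    // sessionHash -> { uid }
    this.oauthTokens = new Map(); // tokenHash -> { sessionHash }
  }
  createSession(uid) {
    const token = newToken();
    this.sessions.set(sha256(token), { uid });
    return token; // the raw token is returned to the client only
  }
  issueOAuthToken(sessionToken) {
    const sessionHash = sha256(sessionToken);
    if (!this.sessions.has(sessionHash)) throw new Error('invalid session');
    const token = newToken();
    this.oauthTokens.set(sha256(token), { sessionHash });
    return token;
  }
  isSessionValid(token) { return this.sessions.has(sha256(token)); }
  isOAuthValid(token) { return this.oauthTokens.has(sha256(token)); }
  // Destroy a session and every OAuth token issued under it, given its hash.
  destroySession(uid, sessionHash) {
    const session = this.sessions.get(sessionHash);
    if (!session || session.uid !== uid) return false; // unknown or wrong owner
    this.sessions.delete(sessionHash);
    for (const [hash, rec] of this.oauthTokens) {
      if (rec.sessionHash === sessionHash) this.oauthTokens.delete(hash);
    }
    return true;
  }
}

// Device manager: sees the token at registration, persists only its hash.
class DeviceManager {
  constructor(auth) { this.auth = auth; this.devices = new Map(); }
  register(uid, name, sessionToken) {
    const id = crypto.randomBytes(8).toString('hex');
    this.devices.set(id, { uid, name, sessionHash: sha256(sessionToken) });
    return id;
  }
  remoteLogout(uid, id) {
    const d = this.devices.get(id);
    return !!d && d.uid === uid && this.auth.destroySession(uid, d.sessionHash);
  }
}
```

A leaked device table in this model exposes hashes that can only be used to end a session, not to act as the user.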
