Hmm.. ok.

I actually do need my phone to authenticate to the API.  I'm not sure I
understand OAuth scopes, or how they relate to FxA.

I think what I want is to create a 'mozstumbler' scope which has read-only
access to email address.  When nicknames are supported, I'd like to have
read/write access to that as well.  I'm currently using `profile:email` as
my scope.

The part I'm confused about is how to create a new scope.

I don't see how to do that in the OAuth dashboard over at:
https://oauth-stable.dev.lcip.org/console/login

The docs don't seem to point to how to create a new scope, and it seems to
indicate that I can't create a new scope.

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction

   - *scope* - the requested scope of FxA user data or API access.
   Currently, only *profile* and related sub-scopes (e.g., *profile:email*)
   are supported.

To be honest - I don't really understand why I need a new scope for
devices.  I think I have a gap in my understanding of what the scope is
supposed to do other than restrict access to profile data.
vic

On Mon, Jun 1, 2015 at 1:17 PM, Christopher Karlof <[email protected]>
wrote:

> On Fri, May 29, 2015 at 12:59 PM, Victor Ng <[email protected]> wrote:
>
>> Doh.  I didn't notice the reply-to doesn't go to the mailing list....
>>
>> ----
>>
>> Thanks Remy!
>>
>> I've got a client that seems to login now.  I get a code, I pass that
>> into my EC2 box and in the end I end up getting a JSON blob with a bearer
>> token.
>>
>> I'm doing something wrong when I try to fetch the user profile though.
>> I'm doing something like this:
>>
>> curl -v \
>>  -H "Authorization: Bearer c004f4d49008326dc873f0d19eef9ee371c788bea0b888fb7aafa422e1d72d30" \
>>  "https://oauth-stable.dev.lcip.org/v1/profile";
>>
>> Can I use that bearer token from both my phone *and* my EC2 box?  How
>> long can I expect the token to be valid for?
>>
>>
> Yes, you can use this token for talking to the FxA API from both the phone
> and the EC2 box. These tokens currently live indefinitely (until revoked),
> but we’re re-working the policies around this.
>
> This token is not appropriate for authenticating a phone to *your API*,
> unless it has an OAuth scope associated with it for your service. That’s
> something worth considering, though (i.e., adding a scope for your API),
> because then you wouldn’t need an additional authentication mechanism.
>
> -chris
>
>
>
>
>
>> vic
>>
>> On Wed, May 20, 2015 at 3:58 AM, Rémy Hubscher <[email protected]>
>> wrote:
>>
>>>  Hello Vic,
>>>
>>> So basically all you want to do is to get the user id after the login,
>>> is that right?
>>>
>>> If I get it right, all you have to do is to register a client to Firefox
>>> Account (you can do it yourself for development here:
>>> https://oauth-stable.dev.lcip.org/console/clients (log in with an
>>> @mozilla.com email))
>>>
>>>
>>> All the steps are defined here:
>>> https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction
>>>
>>> The login flow is the following:
>>>
>>>
>>>    1. You open a browser view with the Firefox Account login page
>>>       asking for a list of scopes (in your case it might be *mozstumbler*).
>>>       If you need the email you may ask for *profile:email* as well.
>>>       1. You give a *state*, the *scope*s and your *client_id*
>>>       2. See
>>>          https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#get-v1authorization
>>>    2. Then the user logs in and is redirected to your service with a
>>>       *code* and a *state* (a session that you gave him)
>>>    3. Then you talk to the Firefox Account server to exchange this code
>>>       and state for an access token.
>>>       1. See
>>>          https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1token
>>>    4. This bearer token gives you access to the FxA user id as well
>>>       as the email if you need it.
>>>       1. https://github.com/mozilla/fxa-profile-server/blob/master/docs/API.md#get-v1email
>>>    5. You must also validate that this Bearer token has the
>>>       *mozstumbler* scope
>>>
>>>
>>> Since you are in an Android app, you will need to set up a redirect url
>>> that will be caught by your app after the login so that you get back the
>>> code and state and can handle them. (See
>>> http://stackoverflow.com/a/2958870/186202)
>>>
>>> Hope this helps you,
>>>
>>> Rémy
>>>
>>>
>>>
>>> On 19/05/2015 22:16, Victor Ng wrote:
>>>
>>>  Hi!
>>>
>>>  We'd like to look at getting FxA integration into the mozilla stumbler,
>>> but I'm pretty confused as to what I actually need to do.
>>>
>>>  The use case we have is that we are launching localized leaderboards.
>>> Basically - geographically scoped score boards.
>>>
>>> The intent here is to login to the mobile application - not a particular
>>> web service.
>>>
>>>  The name of our app is "Mozilla Stumbler"
>>>
>>> We're running our dev leaderboard instance on:
>>> ec2-52-1-93-147.compute-1.amazonaws.com , we can set the redirect_uri
>>> to whatever makes sense or is de facto standard for FxA.
>>>
>>>
>>>  thanks!
>>>  vic
>>>
>>>
>>> _______________________________________________
>>> Dev-fxacct mailing list
>>> [email protected]
>>> https://mail.mozilla.org/listinfo/dev-fxacct
>
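
Added example (not part of the original thread and not FxA project code): a sketch of the client-side and service-side checks from the login flow quoted above, namely issuing and verifying *state* and requiring a service scope before a bearer token authenticates a call to your own API. The *mozstumbler* scope is the hypothetical one discussed in the thread; the shape of the token-info dicts, the redirect URL and the rule that a granted parent scope covers its sub-scopes are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Dev server named in the thread; the path follows the linked "GET /v1/authorization" doc.
AUTHORIZATION_ENDPOINT = "https://oauth-stable.dev.lcip.org/v1/authorization"
API_SCOPE = "mozstumbler"  # hypothetical service scope discussed in the thread


def build_authorization_url(client_id, scopes):
    """Step 1: return (url, state); keep state in the app until the redirect."""
    state = secrets.token_urlsafe(32)  # unguessable, used for one login only
    query = urlencode({"client_id": client_id, "state": state,
                       "scope": " ".join(scopes)})
    return f"{AUTHORIZATION_ENDPOINT}?{query}", state


def code_from_redirect(redirect_url, expected_state):
    """Step 2: accept the code only if the returned state is the one we issued."""
    params = parse_qs(urlparse(redirect_url).query)
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to our login")
    if "code" not in params:
        raise ValueError("redirect carries no code")
    return params["code"][0]


def scope_allows(granted, required):
    """Step 5: exact match, or a granted parent (profile covers profile:email)."""
    return any(required == g or required.startswith(g + ":") for g in granted)


def authenticate_api_call(token_info, required=API_SCOPE):
    """Return the FxA user id if the verified token may call our API, else None."""
    if scope_allows(token_info.get("scope", []), required):
        return token_info["user"]
    return None


# Constructed samples: assumed result of verifying two different bearer tokens.
PROFILE_ONLY = {"user": "constructed-uid-1", "scope": ["profile:email"]}
WITH_API_SCOPE = {"user": "constructed-uid-2", "scope": ["profile:email", API_SCOPE]}

if __name__ == "__main__":
    url, state = build_authorization_url("constructed-client-id", ["profile:email", API_SCOPE])
    redirect = f"https://leaderboard.example/callback?code=constructed-code&state={state}"
    print(code_from_redirect(redirect, state))
    print(authenticate_api_call(PROFILE_ONLY), authenticate_api_call(WITH_API_SCOPE))
```

A token that carries only `profile:email` still reads the profile, but `authenticate_api_call` rejects it for the leaderboard API.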