It looks like we need to both clean up and add documentation around scopes.

A scope, which is just a string, like “profile”, is a permission that is
associated with a token. A token with a “profile” scope means that token
has the permission to read and write the user’s profile. The authentication
flow for using such a token would be something like:

1) A client sends a request to the FxA Profile API, including the OAuth
token as a bearer token.
2) The Profile server extracts the token, verifies it [1], and gets the
list of scopes associated with it.
3) The Profile server verifies that “profile” is on the list of scopes,
which is the scope associated with the FxA Profile API. If the “profile”
scope is missing, that means this token does not have the appropriate
permission to use the FxA Profile API, and the request should be rejected.

If you want to use FxA OAuth to authenticate your API, we need to agree on
a scope that represents your API, e.g., “mozstumbler”. Then, in the login
flow for your app you would request the scopes “mozstumbler profile” [2].
This means when the login completes, your application would obtain a token
for the user with permission to use your backend API (i.e., “mozstumbler”)
and permission to use the profile API for that user (i.e., “profile”). This
token can now safely be used from the mobile app (i.e., to use the
mozstumbler) or from the backend.

A trusted relier (which I think MozStumbler would be) can currently request
any scope it wants (I believe this is still the case), even if it doesn’t
exist yet. Longer term we should probably lock this down a bit, to improve
error messaging at the least.

-chris

[1] FxA OAuth tokens currently must be verified online with the FxA OAuth
server, but we’re working on making them locally verifiable.
[2] In OAuth, scopes are “ “ (i.e., space) separated.
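The check in steps 2 and 3 above, written out as an added example (this is illustrative code, not code from fxa-oauth-server or fxa-profile-server): a resource server pulls the bearer token from the Authorization header, verifies it, and rejects the request unless the scope that represents the API is on the token's list. Because the real verification is an online call to the FxA OAuth server, the example stands in a constructed in-memory token table and a constructed response shape (user plus scope string); the token values are made up. The rule that a granted parent scope covers a sub-scope ("profile" satisfying "profile:email") is an assumption about how the sub-scopes mentioned in this thread relate, not something the thread confirms.

```javascript
// Added example (not code from fxa-oauth-server or fxa-profile-server):
// a resource server deciding whether a bearer token may call an API
// protected by the "mozstumbler" scope.

const REQUIRED_SCOPE = 'mozstumbler';

// Step 1: pull the token out of "Authorization: Bearer <token>".
// Returns null for a missing or malformed header.
function extractBearerToken(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const m = /^Bearer\s+([A-Za-z0-9._~+/=-]+)\s*$/i.exec(authorizationHeader);
  return m ? m[1] : null;
}

// OAuth scope strings are space separated: "mozstumbler profile".
function parseScopes(scopeString) {
  return new Set(String(scopeString || '').trim().split(/\s+/).filter(Boolean));
}

// Step 2: verify the token and get the scopes it was issued with.
// Constructed stand-in for the online verification call to the OAuth
// server (assumption: the real call returns the user and scope string).
const CONSTRUCTED_TOKENS = {
  'tok-stumbler-and-profile': { user: 'user-a', scope: 'mozstumbler profile' },
  'tok-email-only':           { user: 'user-b', scope: 'profile:email' },
};

function verifyToken(token) {
  const rec = CONSTRUCTED_TOKENS[token];
  return rec ? { user: rec.user, scopes: parseScopes(rec.scope) } : null;
}

// Step 3: is the required scope on the list? Exact match, or a granted
// parent scope covering a sub-scope ("profile" covers "profile:email").
// Parent-covers-child is an assumption about sub-scope semantics; the
// ":" in the prefix test keeps "profiles" from matching "profile".
function scopeSatisfied(grantedScopes, requiredScope) {
  for (const granted of grantedScopes) {
    if (granted === requiredScope || requiredScope.startsWith(granted + ':')) {
      return true;
    }
  }
  return false;
}

// Glue: 401 when there is no usable token, 403 when the token is valid
// but lacks the scope (a valid token with the wrong scope is not an
// authentication failure, and should not be reported as one).
function authorize(headers, requiredScope = REQUIRED_SCOPE) {
  const token = extractBearerToken(headers.authorization);
  if (!token) return { status: 401, body: 'missing or malformed bearer token' };
  const info = verifyToken(token);
  if (!info) return { status: 401, body: 'invalid token' };
  if (!scopeSatisfied(info.scopes, requiredScope)) {
    return { status: 403, body: `token lacks scope "${requiredScope}"` };
  }
  return { status: 200, body: `ok: ${info.user}` };
}

// Stand-alone demo over the constructed tokens.
for (const auth of ['Bearer tok-stumbler-and-profile', 'Bearer tok-email-only', undefined]) {
  console.log(auth, '->', authorize({ authorization: auth }));
}
```

The 401/403 split matters for the debugging question raised further down in the thread: a token that was issued with only "profile:email" is a perfectly valid token, it just cannot be used against an API that requires "mozstumbler", and the error the client sees should say so.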


On Mon, Jun 1, 2015 at 11:04 AM, Victor Ng <[email protected]> wrote:

> Hmm.. ok.
>
> I actually do need my phone to authenticate to the API.  I'm not sure I
> understand OAuth scopes, or how they relate to FxA.
>
> I think what I want is to create a 'mozstumbler' scope which has read-only
> access to email address.  When nicknames are supported, I'd like to have
> read/write access to that as well.  I'm currently using `profile:email` as
> my scope.
>
> The part I'm confused about is how to create a new scope.
>
> I don't see how to do that in the OAuth dashboard over at :
> https://oauth-stable.dev.lcip.org/console/login
>
> The docs don't seem to point to how to create a new scope, and it seems to
> indicate that I can't create a new scope.
>
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction
>
>    - *scope* - the requested scope of FxA user data or API access.
>    Currently, only *profile* and related sub-scopes (e.g., *profile:email*)
>    are supported.
>
> To be honest - I don't really understand why I need a new scope for
> devices.  I think I have a gap in my understanding of what the scope is
> supposed to do other than restrict access to profile data.
> vic
>
> On Mon, Jun 1, 2015 at 1:17 PM, Christopher Karlof <[email protected]>
> wrote:
>
>> On Fri, May 29, 2015 at 12:59 PM, Victor Ng <[email protected]> wrote:
>>
>>> Doh.  I didn't notice the reply-to doesn't go to the mailing list....
>>>
>>> ----
>>>
>>> Thanks Remy!
>>>
>>> I've got a client that seems to login now.  I get a code, I pass that
>>> into my EC2 box and in the end I end up getting a JSON blob with a bearer
>>> token.
>>>
>>> I'm doing something wrong when I try to fetch the user profile though.
>>> I'm doing something like this:
>>>
>>> curl -v \
>>>  -H "Authorization: Bearer c004f4d49008326dc873f0d19eef9ee371c788bea0b888fb7aafa422e1d72d30" \
>>>  "https://oauth-stable.dev.lcip.org/v1/profile"
>>>
>>> Can I use that bearer token from both my phone *and* my EC2 box?  How
>>> long can I expect the token to be valid for?
>>>
>>>
>> Yes, you can use this token for talking to the FxA API from both the
>> phone and the EC2 box. These tokens currently live indefinitely (until
>> revoked), but we’re re-working the policies around this.
>>
>> This token is not appropriate for authenticating a phone to *your API*,
>> unless it has an OAuth scope associated with it for your service. That’s
>> something worth considering, though (i.e., adding a scope for your API),
>> because then you wouldn’t need an additional authentication mechanism.
>>
>> -chris
>>
>>
>>
>>
>>
>>> vic
>>>
>>> On Wed, May 20, 2015 at 3:58 AM, Rémy Hubscher <[email protected]>
>>> wrote:
>>>
>>>>  Hello Vic,
>>>>
>>>> So basically all you want to do is to get the user id after the login,
>>>> is that right?
>>>>
>>>> If I get it right, all you have to do is to register a client to
>>>> Firefox Account (you can do it yourself for development here:
>>>> https://oauth-stable.dev.lcip.org/console/clients (log in with a
>>>> @mozilla.com email))
>>>>
>>>>
>>>> All the steps are defined here:
>>>> https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction
>>>>
>>>> The login flow is the following:
>>>>
>>>>
>>>>    1. You open a browser view with the Firefox Account login page
>>>>    asking for a list of scopes (in your case it might be *mozstumbler*).
>>>>    If you need the email you may ask for *profile:email* as well.
>>>>       1. You give a *state*, the *scope*s and your *client_id*
>>>>       2. See
>>>> https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#get-v1authorization
>>>>    2. Then the user logs in and is redirected to your service with a
>>>>    *code* and a *state* (a session that you gave him)
>>>>    3. Then you talk to the Firefox Account server to exchange this
>>>>    code and state for an access token.
>>>>       1. See
>>>> https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1token
>>>>    4. This bearer token gives you access to the FxA user id as well
>>>>    as the email if you need it.
>>>>       1. See
>>>> https://github.com/mozilla/fxa-profile-server/blob/master/docs/API.md#get-v1email
>>>>    5. You must also validate that this Bearer token has got the
>>>>    *mozstumbler* scope
>>>>
>>>>
>>>> Since you are in an Android app, you will need to set up a redirect url
>>>> that will be caught by your app after the login so that you get back the
>>>> code and state and can handle them. (See
>>>> http://stackoverflow.com/a/2958870/186202)
>>>>
>>>> Hope this helps you,
>>>>
>>>> Rémy
>>>>
>>>>
>>>>
>>>> Le 19/05/2015 22:16, Victor Ng a écrit :
>>>>
>>>>  Hi!
>>>>
>>>>  We'd like to look at getting FxA integration into the mozilla
>>>> stumbler, but I'm pretty confused as to what I actually need to do.
>>>>
>>>>  The use case we have is that we are launching localized
>>>> leaderboards.  Basically - geographically scoped score boards.
>>>>
>>>> The intent here is to login to the mobile application - not a
>>>> particular web service.
>>>>
>>>>  The name of our app is "Mozilla Stumbler"
>>>>
>>>> We're running our dev leaderboard instance on :
>>>> ec2-52-1-93-147.compute-1.amazonaws.com , we can set the redirect_uri
>>>> to whatever makes sense or is defacto standard for FxA.
>>>>
>>>>
>>>>  thanks!
>>>>  vic
>>>>
>>>>
>>>> _______________________________________________
>>>> Dev-fxacct mailing list
>>>> [email protected]
>>>> https://mail.mozilla.org/listinfo/dev-fxacct
>>>>
>>>
>>
>