On 12/10/2015 19:51, Rémy Hubscher wrote:
>> After a user logs into Sync, many users expect to be able to log
>> into other FxA relying services (e.g., Hello, Pocket) without
>> re-entering their password.
>
> I am wondering if access-token could help us fix this issue in some
> ways.
>
> 1. You log into Firefox using your FxA credentials and get an
>    Access Token.
> 2. As soon as you need to log into another service, you ask for a
>    Bearer token with the app scopes.
> 3. A FxA content server page exposing the list of scopes you need to
>    grant to give access to this new app shows up.
> 4. If you accept it, the Access Token is used to build a new Bearer
>    Token for this specific app.
>
> I think we already have a page for Pocket that asks for this.

Indeed. In fact we mostly have all the pieces for this already, if
you sub "session token" for "access token". The trick is that you're
sometimes logging in from web content instead of from browser code,
and that web content doesn't know about the logged-in state of the
browser.

IMO the one missing piece is: when you visit accounts.firefox.com in
a signed-in Firefox, the web content should be able to know about the
signed-in state of the browser. This is the "device handshake" stuff
we've talked about previously.

Once you have that, everything else will fall into place via standard
oauth login experience.

Cheers,

Ryan
_______________________________________________
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct