CloudServices/FirefoxAccount/TokenServerFlows

From MozillaWiki

Firefox Account Token Server flows

The following flows are for Token Server authenticated services, such as AitC and next-generation Sync.

Create Firefox Account

  • provide UI for choosing user:pass pair
  • perform the FxAP Account Creation dance to register a user:pass pair, possibly providing UI for accepting TOS
  • perform the FxAP Authentication dance to authenticate as user:pass

Initialize Firefox Account

  • locally generate keypair
  • perform the FxAP Provisioning dance to certify keypair
  • locally wrap keypair (using entropy from pass)
  • perform the (as-yet-unspecified) FxAP Wrapping dance to PUT the wrapped keypair

Initialize Token Server

  • locally generate assertion for Token Server
  • perform the Token Server exchange dance to get token from assertion, possibly providing UI for accepting TOS

Use Firefox Account to access Token Server authenticated Service

  • locally verify certificate is valid; if not, either re-provision existing key or re-Initialize Account
  • perform the FxAP Authentication dance to authenticate as user:pass
  • perform the (as-yet-unspecified) FxAP wrapping dance to GET the wrapped keypair
  • locally unwrap keypair (using entropy from pass)
  • locally generate assertion for Service
  • perform the Token Server exchange dance to get token from assertion
  • use token to HMAC authenticate HTTP requests to Service
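The last two steps of the flow above, the Token Server exchange and HMAC-authenticated requests to the Service, modelled in Python as an added example (this is not code from the wiki or from the Token Server project). Everything concrete here is an assumption made for the illustration: the token layout (claims plus a MAC under a secret shared by the Token Server and the Service, with the per-token HMAC key derived from the token id), the `Authorization: Token ...` header format, and the stub `demo_verify_assertion`, which stands in for real BrowserID certificate and signature checking. The point it shows is what the Service has to verify before trusting a request: token integrity, expiry and service binding, the request MAC, and freshness with nonce replay detection.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL = 3600   # constructed: seconds a token stays valid
MAX_SKEW = 60      # constructed: accepted clock skew for request timestamps


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_key(shared_secret: bytes, token_id: str) -> bytes:
    """Per-token HMAC key; the Service re-derives it from the shared secret."""
    return hmac.new(shared_secret, token_id.encode(), hashlib.sha256).digest()


def demo_verify_assertion(assertion: dict, audience: str) -> str:
    """Stub (assumption): a real verifier checks the certificate chain and signature."""
    if assertion.get("aud") != audience:
        raise ValueError("assertion audience mismatch")
    return assertion["uid"]


class TokenServer:
    """Exchanges a verified assertion for a token bound to one service."""

    def __init__(self, shared_secret: bytes, audience: str, verify_assertion):
        self.shared_secret, self.audience = shared_secret, audience
        self.verify_assertion = verify_assertion

    def exchange(self, assertion: dict, service: str, now=None) -> dict:
        uid = self.verify_assertion(assertion, self.audience)   # raises if invalid
        claims = {"uid": uid, "svc": service, "exp": int((now or time.time()) + TOKEN_TTL)}
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.shared_secret, payload, hashlib.sha256).digest()
        token_id = _b64(payload) + "." + _b64(tag)
        return {"id": token_id, "key": derive_key(self.shared_secret, token_id)}


def _request_mac(key: bytes, ts, nonce: str, method: str, path: str, body: bytes) -> str:
    # Bind timestamp, nonce, method, path and body hash into one MAC.
    body_hash = hashlib.sha256(body).hexdigest()
    msg = f"{ts}\n{nonce}\n{method.upper()}\n{path}\n{body_hash}\n".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_request(token: dict, method: str, path: str, body: bytes = b"", now=None) -> dict:
    """Client side: produce the Authorization header for one HTTP request."""
    ts, nonce = int(now or time.time()), secrets.token_hex(8)
    mac = _request_mac(token["key"], ts, nonce, method, path, body)
    return {"Authorization": f'Token id="{token["id"]}", ts="{ts}", nonce="{nonce}", mac="{mac}"'}


def _parse_auth(header: str) -> dict:
    scheme, _, rest = header.partition(" ")
    if scheme != "Token":
        return {}
    return {k: v.strip('"') for k, _, v in (p.partition("=") for p in rest.split(", "))}


class Service:
    """Service side: token check, then request MAC, then freshness and replay."""

    def __init__(self, shared_secret: bytes, name: str):
        self.shared_secret, self.name = shared_secret, name
        self.seen_nonces = {}   # nonce -> ts, pruned to the skew window

    def authenticate(self, headers: dict, method: str, path: str, body: bytes = b"", now=None) -> dict:
        now = now or time.time()
        p = _parse_auth(headers.get("Authorization", ""))
        if any(k not in p for k in ("id", "ts", "nonce", "mac")) or not p["ts"].isdigit():
            return {"ok": False, "reason": "malformed"}
        try:                                  # 1. token integrity and claims
            payload_b64, tag_b64 = p["id"].split(".")
            payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        except ValueError:
            return {"ok": False, "reason": "bad token"}
        expect = hmac.new(self.shared_secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return {"ok": False, "reason": "bad token"}
        claims = json.loads(payload)
        if claims["svc"] != self.name or claims["exp"] < now:
            return {"ok": False, "reason": "token expired or wrong service"}
        key = derive_key(self.shared_secret, p["id"])   # 2. request MAC
        if not hmac.compare_digest(_request_mac(key, p["ts"], p["nonce"], method, path, body), p["mac"]):
            return {"ok": False, "reason": "bad mac"}
        ts = int(p["ts"])                                 # 3. freshness and replay
        if abs(now - ts) > MAX_SKEW:
            return {"ok": False, "reason": "stale timestamp"}
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= MAX_SKEW}
        if p["nonce"] in self.seen_nonces:
            return {"ok": False, "reason": "replay"}
        self.seen_nonces[p["nonce"]] = ts
        return {"ok": True, "uid": claims["uid"]}


def demo():
    """Run the flow once and return the outcomes of a valid, replayed, tampered,
    wrong-service and expired request (all inputs constructed)."""
    secret = secrets.token_bytes(32)
    server = TokenServer(secret, "https://token.example", demo_verify_assertion)
    token = server.exchange({"uid": "user-123", "aud": "https://token.example"}, "sync")
    svc = Service(secret, "sync")
    hdrs = sign_request(token, "GET", "/storage/meta/global")
    first = svc.authenticate(hdrs, "GET", "/storage/meta/global")
    replay = svc.authenticate(hdrs, "GET", "/storage/meta/global")
    tampered = svc.authenticate(hdrs, "GET", "/storage/crypto/keys")
    other = Service(secret, "aitc").authenticate(hdrs, "GET", "/storage/meta/global")
    old = server.exchange({"uid": "user-123", "aud": "https://token.example"}, "sync",
                          now=time.time() - 2 * TOKEN_TTL)
    expired = svc.authenticate(sign_request(old, "GET", "/x"), "GET", "/x")
    return first, replay, tampered, other, expired


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two design points worth noting: the token is bound to a single service name so a token issued for Sync cannot be presented to AitC, and the Service never contacts the Token Server per request, which is why replay protection (nonce within the skew window) has to live in the Service itself.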

Whiteboard captures

The flows above were distilled from the following whiteboards (photographed; only the captions survive here):

  • End to end flow.
  • Desktop account creation detail.
  • Desktop login detail.
  • Key wrapping detail.

These were all discussed during the Oct. 1-5 services-integration non-work-week.