CloudServices/FirefoxAccount/TokenServerFlows
Firefox Account Token Server flows
The following flows are for Token Server authenticated services, such as AitC and next-generation Sync.
Create Firefox Account
- provide UI for choosing user:pass pair
- perform the FxAP Account Creation dance to register a user:pass pair, possibly providing UI for accepting TOS
- perform the FxAP Authentication dance to authenticate as user:pass
Initialize Firefox Account
- locally generate keypair
- perform the FxAP Provisioning dance to certify keypair
- locally wrap keypair (using entropy from pass)
- perform the (as-yet-unspecified) FxAP Wrapping dance to PUT the wrapped keypair
Initialize Token Server
- locally generate assertion for Token Server
- perform the Token Server exchange dance to get token from assertion, possibly providing UI for accepting TOS
Use Firefox Account to access Token Server authenticated Service
- locally verify certificate is valid; if not, either re-provision existing key or re-Initialize Account
- perform the FxAP Authentication dance to authenticate as user:pass
- perform the (as-yet-unspecified) FxAP wrapping dance to GET the wrapped keypair
- locally unwrap keypair (using entropy from pass)
- locally generate assertion for Service
- perform the Token Server exchange dance to get token from assertion
- use token to HMAC authenticate HTTP requests to Service
Whiteboard captures
The flows above were distilled from whiteboard captures (the images are not reproduced here); these were all discussed during the Oct. 1-5 services-integration non-work-week.