Identity/Firefox Accounts

From MozillaWiki
Jump to: navigation, search
Last updated: 2014/10/09

What Is Firefox Accounts?

Firefox Accounts is a consumer account system which provides access to services run by Mozilla, such as Firefox Marketplace and the next version of Firefox Sync. A user can sign in with a Firefox Account to all her "Foxes": Firefox on Desktop, Firefox for Android, and Firefox OS. Signing into a Firefox browser or device gives the user access to integrated Mozilla Services on that browser or device that requires authentication (e.g., Firefox Sync). Longer term we envision that non-Mozilla services and applications will be able to delegate authentication to Firefox Accounts. Relying services will manage their own data, but rely on Firefox Accounts for authentication services.

FAQ

Will I be required to create a Firefox Account to use Firefox?

No, of course not! Firefox Accounts will only be required for Mozilla Services that require authentication, such as Firefox Sync and advanced features on Firefox Marketplace like purchasing paid apps, adding app reviews etc.

How does a user create and sign in to a Firefox Account?

Firefox Accounts will work much like authentication works just about everywhere else. You create a Firefox Account with a verified email and password. You sign in to Firefox Accounts with your email and password.

Why does Firefox Accounts require me to choose a password?

The first relying service we're targeting with Firefox Accounts is Firefox Sync. Current Firefox Sync encrypts all your data in our servers, and we will continue to do so in the Firefox Accounts backed version of Sync. However, in the FxA backed version of Firefox Sync, we will encrypt your Sync data with a key derived from your Firefox Account password, instead a random key managed by the J-PAKE pairing protocol. This technique of using a password derived sync key is similar to how data protection in Chrome Sync works.

How do relying Mozilla services authenticate an FxA user?

https://developer.mozilla.org/en-US/Firefox_Accounts

How does a user reset her Firefox Account password?

https://support.mozilla.org/en-US/kb/ive-lost-my-firefox-sync-account-information#w_iaove-forgotten-my-sync-password-ae-how-do-i-reset-it_2

What information does Firefox Accounts store about the user?

https://developer.mozilla.org/en-US/Firefox_Accounts#Firefox_Accounts_user_data

Can I use Firefox Accounts to store user data for my application or service?

Firefox Accounts only stores information that will deliver significant user value across applications or is tightly related to the user's identity. It will not store user data for relying services. Relying Mozilla services can use Firefox Accounts for authentication, but application data storage is the responsibility of the individual applications.

What's the difference between Persona and Firefox Accounts?

Persona is not intended to provide you with a new account, and it's not a new account system. Persona is a federated login protocol. You use Persona to log in to relying sites, and it's not intended that you need to "sign up" for Persona before you can use it. If you would need to sign up for anything, you would need to create an account at an IdP that supports Persona.

One confusing point about Persona today is a service called the "Persona Fallback", which serves as a proxy IdP if your actual IdP doesn't support Persona (or isn't bridged), which just about every IdP except for Google and Yahoo. In this case, you currently have to sign up for a "Persona Fallback Account" (i.e. choose a password and verify your email) to use Persona.

But a Persona Fallback Account is not a Persona Account, it's not the long term vision of Persona, and that's not supposed to be the happy path of the Persona login experience.

More importantly, for the purposes of this question, a Persona Fallback Account is definitely not a Firefox Account.

So why Firefox Accounts and what will one do?

Mozilla needs an account database to deliver a fantastic, integrated experience across all its products. Unfortunately, delivering awesome services involves some less exciting, but still important aspects, like making sure users have had a chance to inspect our terms of service and privacy policies. We must also comply with local laws and regulations, e.g., COPPA. It would be inconvenient for users to have to verify a terms of service, a privacy policy, and COPPA at each individual Mozilla service. We believe that users should only have to inspect our terms of service, privacy policy, and go through COPPA verification once for all our services. Firefox Accounts enables us to do that. One we get the basics down and enable single sign-on for relying Mozilla Services with your Firefox Account, we hope integrate Firefox Accounts with Persona on the Web and Firefox user agents to make logging in everywhere as painless as it should be.

Can I use Persona to log in to my Firefox Account?

Not initially, but it's something we're investigating to add in the future.

Can I use my Firefox Account to log in to non-Mozilla services?

Not initially, but it's something we're investigating to support in the future.

Does Firefox Accounts provide email?

No.

What services will use Firefox Accounts?

https://developer.mozilla.org/en-US/Firefox_Accounts#Services_that_use_Firefox_Accounts

What do these terms mean?

  • FTU, FTE: First Time Experience on Firefox OS
  • FxA : Firefox Accounts. It may also refer to a user's particular Firefox Account.
  • RP : Relying Party. Services that use Firefox Accounts for authentication and identity. Currently these are limited to services run by Mozilla.
  • PiCL : Profile in the Cloud. This is a deprecated term that was used to refer to Firefox Accounts + attached services (i.e., relying parties).


Is it possible to host your own Firefox accounts, like with Firefox Sync?

Yes.

Have a question not covered here? Add it in this section and we'll answer it!

Where is the FxA for Web addition to the Arch section below?

What are the similarities/differences between FxA for Web and the Dev work already being done for desktop and android?

Architecture

Firefox Accounts Architecture.png

Firefox Accounts and Sync Architecture.png

https://mana.mozilla.org/wiki/display/services/Firefox+Accounts+Architecture


Cloud Services

Firefox Accounts Cloud Services is composed of several sub-services, including an auth server and a content server.

Auth Server

The Auth Server provides an HTTP API that:

  • authenticates the user
  • enables the user to authenticate to other services via BrowserID assertions
  • enables change and reset password operations

Links:

Content Server

The Content Server hosts static assets (HTML, Javascript, CSS, etc.) that support user interactions with the Firefox Accounts. The responsibilities of the Content Server include:

  • hosting a Javascript library that supports interactions with the Auth Server
  • hosting login and create account pages
  • hosting password reset pages
  • hosting landing pages for email verification links

Links:

JS Client Library

Firefox Accounts provides a Javascript client library for the Web that supports operations with Firefox Accounts. In addition to communicating with the Auth Server, it also performs local key stretching (PBKDF2 and scrypt) on the user's password before it's used in the API. It is hosted by the Content Server. This library was at one time called "Gherkin".

Links:

Verifier

FxA enables clients to generate BrowserID assertions on behalf of the user. FxA provides a hosted verifier for verifying these assertions.

Customs Server

FxA uses the Customs Server to detect and mitigate fraud & abuse.

Links:

Firefox Accounts on Firefox OS

Implementation of Firefox Accounts in FirefoxOS is committed for b2g v2.0.

Firefox Accounts user story spreadsheet - the canonical source of truth:

The Committed user stories have landed, as have most of the Targeted. The project bug is here:

Open bugs with clear product value:

ID Summary Priority Status
968567 Expose the NSS implementation of PBKDF2 HMAC SHA256 from bug 974162 to chrome JS for use by FxAccounts -- RESOLVED
970623 Notify user when email verified P3 NEW
980638 FTU 'forgot password' link should show an error message, not enter fxa web reset flow P2 RESOLVED
987418 Update copy in fxa system app P2 RESOLVED
994725 Screen spacing is off on Firefox Account sign in screen in FTE on device P2 RESOLVED
998012 Add FxA Terms/Privacy text to the system app P2 RESOLVED
998464 Detect if network goes offline during sign in/sign up flow and notify the user P1 RESOLVED
1000323 Find My Device should call navigator.mozId.request({refreshAuthentication: 0}) on a disable event (can't switch user) -- VERIFIED
1003201 [FxAccounts] cursor is not placeable by touch when entering email account -- RESOLVED
1004242 Expose FxAccounts resendVerificationEmail to Gaia -- RESOLVED
1004319 Handle server-side account changes in Gecko P2 RESOLVED

11 Total; 1 Open (9.09%); 9 Resolved (81.82%); 1 Verified (9.09%);


Open bugs for corner cases:

ID Summary Priority Status
973635 Allow user to cancel FxA network call when server has sent backoff message P4 NEW
994887 [FxAccounts] Login steps show invalid flow in certain case of logging in from Settings P4 RESOLVED
1004209 Ensure error cases are spec'd, error messages copy approved P2 RESOLVED

3 Total; 1 Open (33.33%); 2 Resolved (66.67%); 0 Verified (0%);


Open bugs for refactoring and other yak-shaving:

ID Summary Priority Status
967779 replace persona icon with flat fox icon P2 RESOLVED
967988 when WMF icon is ready, add WMF and Marketplace icons to logged-in panel P3 NEW
982969 Canceling sign-in flow should fire oncancel(), not onerror() -- RESOLVED
983452 FxA in FTU: Remove code that checks if FxA is preffed off P2 RESOLVED
989368 Write marionette js tests for services/fxaccounts P3 NEW
993794 FxA Settings app: Remove code that checks if FxA is preffed off P2 RESOLVED
996248 [FxAccounts] Move refreshAuthentication test from IAC-API TestFXA app to RP-API UITest app P3 NEW
997361 Firefox Accounts FxA security review for the FxOS 2.0 release -- RESOLVED
1003993 FxA System app - remove refs to 'accountId', replace with 'email' -- RESOLVED
1004099 FxA Settings app - remove refs to 'accountId', replace with 'email' -- RESOLVED

10 Total; 3 Open (30%); 7 Resolved (70%); 0 Verified (0%);


Deployments

https://developer.mozilla.org/en-US/Firefox_Accounts#Firefox_Accounts_deployments

Metrics

https://wiki.mozilla.org/Identity/Firefox_Accounts/Minimum_Viable_Metrics

Fraud and Abuse

Resources

Mailing Lists

Team

  • Leads: Chris Karlof, Ryan Kelly
  • IRC: #fxa
  • List: dev-fxacct@mozilla.org
  • Engineering: Danny Coates, Zach Carter, Shane Tomlinson, Andrew Chilton, Sean McArthur, Vlad Filippov
  • UX: John Gruen, Ryan Feeley
  • Metrics: Katie Parlante
  • QA: John Morrison, Peter deHaan, Karl Thiessen
  • DevOps: Chris Kolosiwsky

Related