- 1 About Firefox Accounts
- 2 FAQ
- 2.1 Am I required to create a Firefox Account to use Firefox?
- 2.2 Why does Firefox Accounts require me to choose a password?
- 2.3 What information does Firefox Accounts store about the user?
- 2.4 Can I use Firefox Accounts to store user data for my application or service?
- 2.5 What's the difference between Persona and Firefox Accounts?
- 2.6 Can I use Persona to log in to my Firefox Account?
- 2.7 Can I use my Firefox Account to log in to non-Mozilla services?
- 2.8 Does Firefox Accounts provide email?
- 2.9 Is it possible to host your own Firefox Accounts service, like with Firefox Sync?
- 3 Architecture
- 4 Resources
About Firefox Accounts
Firefox Accounts is the account system that provides access to services run by Mozilla and select partners.
A user can sign in with a Firefox Account to any of her "Foxes" - Firefox on Desktop, Firefox for Android, and Firefox OS - to access integrated services such as Firefox Sync and Firefox Marketplace. She can also sign in to services on the web using a standard OAuth flow.
Longer term we envision that non-Mozilla services and applications will be able to delegate authentication to Firefox Accounts while managing their own data.
For information on integrating a service with Firefox Accounts, visit the Firefox Accounts portal on MDN.
For information on contributing to Firefox Accounts development, visit the developer documentation.
Am I required to create a Firefox Account to use Firefox?
No. A Firefox Account is only required for Mozilla Services that require authentication, such as Firefox Sync and advanced features on Firefox Marketplace like purchasing paid apps, adding app reviews etc.
Why does Firefox Accounts require me to choose a password?
One of the primary services that uses Firefox Accounts is Firefox Sync, which encrypts all your data client-side before submitting it to the server. The password is used to securely derive an encryption key.
What information does Firefox Accounts store about the user?
Can I use Firefox Accounts to store user data for my application or service?
In general no.
Firefox Accounts only stores information that will deliver significant user value across applications or is tightly related to the user's identity. It will not store user data for relying services. Relying Mozilla services can use Firefox Accounts for authentication, but application data storage is the responsibility of the individual applications.
What's the difference between Persona and Firefox Accounts?
Persona is a general-purpose federated login protocol for the web. It is not intended to provide you with a new account, and it's not a new account system. It's intended that you can use Persona to log in to relying sites without first "signing up" for Persona, but rather using an existing account with a Persona-enabled Identity Provider.
One confusing point about Persona today is a service called the "Persona Fallback", which serves as a proxy Identity Provider if your actual IdP doesn't support Persona (or isn't bridged), which just about every IdP except for Google and Yahoo. In this case, you currently have to sign up for a "Persona Fallback Account" (i.e. choose a password and verify your email) to use Persona.
But a Persona Fallback Account is not a Persona Account, it's not part of the long term vision of Persona, and that's not supposed to be the happy path of the Persona login experience. And it's definitely not a Firefox Account.
We also need more than just a login sysem, e.g. Firefox Sync requires the ability to derive an encryption key to protect the user's data. Firefox Accounts enables us to do that without adding all those complications to the simple-and-effected Persona protocol.
Can I use Persona to log in to my Firefox Account?
Can I use my Firefox Account to log in to non-Mozilla services?
Not initially, but it's something we'd like to support in the future.
Does Firefox Accounts provide email?
Is it possible to host your own Firefox Accounts service, like with Firefox Sync?
Firefox Accounts Cloud Services is composed of several sub-services, including an auth server and a content server.
The Auth Server provides an HTTP API that:
- authenticates the user
- enables the user to authenticate to other services via BrowserID assertions
- enables change and reset password operations
- Code: https://github.com/mozilla/fxa-auth-server
- API documentation: https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md
- Dev deployment: https://github.com/mozilla/fxa-auth-server#dev-deployment
- Python API client (primarily a reference client): https://github.com/warner/picl-spec-crypto
The OAuth Server provides an HTTP API that:
- accepts BrowserID assertions from the auth-server as authentication
- implements a standard OAuth2 token-granting flow
- Code: https://github.com/mozilla/fxa-oauth-server
- API documentation: https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md
- hosting login and create account pages
- hosting password reset pages
- hosting landing pages for email verification links
- hosting UI pages for the OAuth login flow
- Code: https://github.com/mozilla/fxa-content-server
- Code: https://github.com/mozilla/fxa-js-client
- Key stretching details: https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol#Client-Side_Key_Stretching
- Key stretching performance tests: https://wiki.mozilla.org/Identity/AttachedServices/Key_Stretching_Performance_Tests
FxA enables clients to generate BrowserID assertions on behalf of the user. FxA provides a hosted verifier for verifying these assertions.
- Verifier server code: https://github.com/mozilla/browserid-verifier
- Verifier library: https://github.com/mozilla/browserid-local-verify
- Production deployment: https://verifier.accounts.firefox.com/v2
FxA uses the Customs Server to detect and mitigate fraud & abuse.
- Code: https://github.com/mozilla/fxa-customs-server
- Deployment: currently pulled in by the auth server as an npm dependency
Fraud and Abuse
- Firefox Accounts development: https://mail.mozilla.org/listinfo/dev-fxacct
- Sync development: https://mail.mozilla.org/listinfo/sync-dev
- Leads: Chris Karlof, Ryan Kelly
- IRC: #fxa
- List: firstname.lastname@example.org
- Engineering: Danny Coates, Shane Tomlinson, Sean McArthur, Vlad Filippov, Phil Booth, Vijay Budhram
- UX: Ryan Feeley
- Metrics: Katie Parlante
- QA: John Morrison, Peter deHaan, Karl Thiessen
- DevOps: Chris Kolosiwsky