This is a working draft of defining Firefox Accounts Single Sign-On for relying Mozilla Services. SSO is hard.
- 1 Goals
- 2 Terms
- 3 Product Research
- 4 Proposed FxA SSO on FxOS
- 5 Proposed FxA SSO on the Web
- 6 Questions
- 7 Contact
- Define FxA single sign-on (and out) behavior on FxOS and the Web.
- Make it simple as possible, both with respect to UX and implementation, and punch complexity in the face.
- FxA: Firefox Account or Firefox Accounts
- WMF: Where's My Fox
- FMI: Find My iPhone
SSO is pretty confusing on iOS and Android, but Google does it ok. We're building it from scratch. Let's try not to screw it up.
You can maybe do something that smells like "log in to device", but it's actually a basket of different services you can each be individually be logged in to. It appears that
- iTunes/App Store
- Game Center
can all be logged in with different users and their logged in state is not coupled. At device setup, you can maybe log into everything at once, but I'm not going to wipe my device to test.
iCloud and Find My iPhone
iCloud is a cloud syncing service that is tightly bundled with Find My iPhone (FMI). After you enable FMI, you need to re-enter your AppleID password to disable. If you want to log out of iCloud after enabling FMI, you need to enter your AppleID password. If logout is successful, logging out of iCloud will disable FMI.
Android allows different attached accounts for data syncing. One high value account is your Google Account, which is connected to lots of local apps and services, e.g.,
- Google Play
All of these apps are connected to the logged in state of your Google Account on the phone, i.e., SSO. You can't log of these apps individually. However, other Google services seem to be "loosely coupled" with the logged in state of your Google Account:
You can log out of these, but the logged in state of the phone will immediately log you back in the next time you open the app.
Proposed FxA SSO on FxOS
FxA on FxOS has two high level states:
- Someone is logged in to the phone with her FxA
- No one logged in to the phone with her FxA
There is a "middle ground" state of "logged in but not ready", which could exist after the user creates her account, but hasn't verified her email address or after a password reset on another device. These states will be address in more detail.
If the phone is in the "no one is logged in" state, a user can opt to:
- log into her phone with her FxA email and password
- create an FxA, supply an email address, choose a password, and verify her email address, which then logs the user in
When a user is logged in to the phone with her FxA, the phone is authorized to use and enable all relying Mozilla Services. No additional password entry is required (although there might be some future exceptions). This *does not* mean that all services are enabled by default. E.g., a user may need to explicitly configure/opt in to some services, like Where's My Fox.
If the phone is in the "someone is logged in state", the user can choose to log out of her FxA from the Settings menu. When a user logs out of the phone, it should effectively log her out of all relying Mozilla services. Since WMF requires special handling similar to FMI, I propose that if a user has WMF enabled, she will need to enter her FxA password to logout, and we should provide messaging that logging out will disable WMF on this device.
In general, we should not train nor encourage users to log out of her FxA on FxOS. We should consider it to be the "nuclear" option. I personally never log out of my Google Account on Android and my AppleID on iOS devices, and I don't know anyone that does. If you routinely log out of these devices (as opposed to using screen locks or local password controls), I'd love to talk to you about why reconfiguring your mobile devices all the time is so exciting. Fast profile switching would also be a huge win here.
Relying Mozilla Services
When a user is logged into the phone, and she opens/uses a relying Mozilla Service app, we will automatically provide that app with the identity of the logged in user with a BrowserID assertion. If there is no user logged in (or after the user logs out), relying Mozilla apps should appear in the logged out state, prompting the user to log in to her FxA to use any functionality that requires to be logged in.
TODO: This section needs more work.
TODO: Cover the error case where a user is logged into the phone, but we can't generate an assertion for some reason (e.g., error or can't refresh expired cert because of no network).
Force Authentication aka "who is using this phone right now?"
Apps may require a "fresh authentication" flow after the user has logged in with her FxA. This is often called "force authentication".
- User is in Marketplace making a purchase.
- User is trying to disable WMF.
- User is trying to log out of her FxA after enabling WMF.
TODO: Document how this would work.
Server side support being designed here: https://github.com/mozilla/fxa-auth-server/issues/307
"I want to give my phone to my kid/friend/frenemy and not have them screw with my FxA stuff."
- Maybe app specific, e.g., put marketplace into "always require my password for purchases"
- Maybe high level "profile" switching support (i.e., guest mode)
- IMO, we are failing if users resort to logging out of their phone for this use case. IMO, logout is "disconnect, get my stuff out of this phone". It's the nuclear option. This is mobile and we probably need to cache user data locally for stuff to work well. "FxA logout" is signal that we should delete this cached data, so logging out for a use case whose time length is limited will suck overall. Something not as extreme (e.g., keeps the logged in state in the background, but may require a force auth to resume) would probably suffice for this use case.
"I leave my phone laying around, and I don't want randos picking it up and messing with my stuff."
- local PIN/gesture screen lock, independent of FxA
Proposed FxA SSO on the Web
How is FxA login/logout different on web vs firefox devices? What is the expected behavior?
- same SSO experience (both login and logout)
- no FTE
- no local WMF app, so no need to require password entry to log out of FxA
- maybe need force auth for the Web, maybe not (need to coordinate with stakeholders)
Relying mozilla services give FxA some real estate in the upper right corner of their pages. If a user is logged in to her FxA, we signal the logged in state there. If no user is logged in, we show a "create account" and "sign in" links. Clicking on one of these will kick you in to an FxA flow, and return you back to the originating page (signed in). See this: https://www.dropbox.com/s/j0dki85gwaxqt5t/FxA%20Animation.m4v
How does this work with 3rd party relying services?
What happens to the logged in state on my FxOS device if I reset my password on Desktop, particular wrt the state of WMF?
TODO. hint: it shouldn't get borked. We can mark, not destroy, sessions and require forceAuth to refresh. Server support discussion here: https://github.com/mozilla/fxa-auth-server/issues/338
Chris Karlof created this, but I don't own it. LMK if you have questions and please contribute.
- Leads: Chris Karlof, Ryan Kelly
- IRC: #fxa
- List: email@example.com
- Engineering: Danny Coates, Shane Tomlinson, Sean McArthur, Vlad Filippov, Phil Booth, Vijay Budhram
- UX: Ryan Feeley
- Metrics: Katie Parlante
- QA: John Morrison, Peter deHaan, Karl Thiessen
- DevOps: Chris Kolosiwsky