Changes

Identity/Firefox Accounts

8,047 bytes removed, 04:09, 10 February 2017

Make this page a bare-bones overview with links to more up-to-date resources

= ~~About~~ Firefox Accounts =

Firefox Accounts is the account system ~~that provides~~ for Firefox users to access to hosted services ~~run~~ provided by Mozilla ~~and select partners~~.

A user can sign in with a Firefox Account to any of her "Foxes" - Firefox on Desktop, Firefox for Android, and Firefox OS - to access integrated services such as [https://wiki.mozilla.org/User_Services/Sync Firefox Sync] and [https://marketplace.firefox.com/ Firefox Marketplace]. She can also sign in to services on the web using a standard OAuth flow.

~~Longer term we envision that non-Mozilla services and applications will be able to delegate authentication to Firefox Accounts while managing their own data.~~

For information on integrating a service with Firefox Accounts, visit the [https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts Firefox Accounts portal on MDN].

For information on contributing to Firefox Accounts development, visit the [https://fxa.readthedocs.org developer documentation].

~~=FAQ=~~

~~== Am I required to create a Firefox Account to use Firefox? ==~~

No. A Firefox Account is only required for Mozilla Services that require authentication, such as Firefox Sync and advanced features on Firefox Marketplace like purchasing paid apps, adding app reviews etc.

~~== Why does Firefox Accounts require me to choose a password? ==~~

One of the primary services that uses Firefox Accounts is Firefox Sync, which encrypts all your data client-side before submitting it to the server. The password is used to securely derive an encryption key.

~~== What information does Firefox Accounts store about the user? ==~~

~~https://developer.mozilla.org/en-US/Firefox_Accounts#Firefox_Accounts_user_data~~

~~== Can I use Firefox Accounts to store user data for my application or service? ==~~

~~In general no.~~

Firefox Accounts only stores information that will deliver significant user value across applications or is tightly related to the user's identity. It will not store user data for relying services. Relying Mozilla services can use Firefox Accounts for authentication, but application data storage is the responsibility of the individual applications.

~~== What's the difference between Persona and Firefox Accounts? ==~~

Persona is a general-purpose federated login protocol for the web. It is not intended to provide you with a new account, and it's not a new account system. It's intended that you can use Persona to log in to relying sites without first "signing up" for Persona, but rather using an existing account with a Persona-enabled Identity Provider.

One confusing point about Persona today is a service called the "Persona Fallback", which serves as a proxy Identity Provider if your actual IdP doesn't support Persona (or isn't bridged), which just about every IdP except for Google and Yahoo. In this case, you currently have to sign up for a "Persona Fallback Account" (i.e. choose a password and verify your email) to use Persona.

But a Persona Fallback Account is not a Persona Account, it's not part of the long term vision of Persona, and that's not supposed to be the happy path of the Persona login experience. And it's definitely not a Firefox Account.

Independently of Persona, Mozilla needs an account database to deliver a fantastic, integrated experience across all its products and on all the user's devices. Unfortunately, delivering awesome services involves some less exciting, but still important aspects, like making sure users have had a chance to inspect our terms of service and privacy policies. We must also comply with local laws and regulations, e.g., [http://www.coppa.org/ COPPA]. It would be inconvenient for users to have to verify a terms of service, a privacy policy, and COPPA at each individual Mozilla service. We believe that users should only have to inspect our terms of service, privacy policy, and go through COPPA verification '''once''' for all our services.

We also need more than just a login sysem, e.g. Firefox Sync requires the ability to derive an encryption key to protect the user's data. Firefox Accounts enables us to do that without adding all those complications to the simple-and-effected Persona protocol.

~~== Can I use Persona to log in to my Firefox Account? ==~~

~~No.~~

~~== Can I use my Firefox Account to log in to non-Mozilla services? ==~~

~~Not initially, but it's something we'd like to support in the future.~~

~~== Does Firefox Accounts provide email? ==~~

~~No.~~

~~== Is it possible to host your own Firefox Accounts service, like with Firefox Sync? ==~~

~~[https://docs.services.mozilla.com/howtos/run-fxa.html Yes.]~~

~~=Architecture=~~

~~[[File:Firefox_Accounts_Architecture.png]]~~

~~[[File:Firefox_Accounts_and_Sync_Architecture.png]]~~

~~https://mana.mozilla.org/wiki/display/services/Firefox+Accounts+Architecture~~

~~== Cloud Services ==~~

~~Firefox Accounts Cloud Services is composed of several sub-services, including an '''auth server''' and a '''content server'''.~~

~~=== Auth Server ===~~

~~The Auth Server provides an HTTP API that:~~

* authenticates the user

* enables the user to authenticate to other services via BrowserID assertions

* enables change and reset password operations

~~Links:~~

* Code: https://github.com/mozilla/fxa-auth-server

* API documentation: https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md

* Dev deployment: https://github.com/mozilla/fxa-auth-server#dev-deployment

* Python API client (primarily a reference client): https://github.com/warner/picl-spec-crypto

~~=== OAuth Server ===~~

~~The OAuth Server provides an HTTP API that:~~

* accepts BrowserID assertions from the auth-server as authentication

* implements a standard OAuth2 token-granting flow

~~Links:~~

* Code: https://github.com/mozilla/fxa-oauth-server

* API documentation: https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md

~~=== Content Server ===~~

~~The Content Server hosts static assets (HTML, Javascript, CSS, etc.) that support user interactions with the Firefox Accounts. The responsibilities of the Content Server include:~~

* hosting a Javascript library that supports interactions with the Auth Server

* hosting login and create account pages

* hosting password reset pages

* hosting landing pages for email verification links

* hosting UI pages for the OAuth login flow

~~Links:~~

* Code: https://github.com/mozilla/fxa-content-server

* Deployments:

** dev stable: https://accounts.dev.lcip.org/

** dev latest: https://accounts-latest.dev.lcip.org/

** prod: https://accounts.firefox.com/

Interaction with the Firefox Accounts authentication and OAuth APIs are is done via a Javascript client library. In addition to communicating with the backend servers, it also performs local key stretching (PBKDF2 and scrypt) on the user's password before it's used in the API. It is hosted by the Content Server. This library was at one time called "Gherkin".

~~Links:~~

* Code: https://github.com/mozilla/fxa-js-client

* Key stretching details: https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol#Client-Side_Key_Stretching

* Key stretching performance tests: https://wiki.mozilla.org/Identity/AttachedServices/Key_Stretching_Performance_Tests

~~=== Verifier ===~~

~~FxA enables clients to generate BrowserID assertions on behalf of the user. FxA provides a hosted verifier for verifying these assertions.~~

* Verifier server code: https://github.com/mozilla/browserid-verifier

* Verifier library: https://github.com/mozilla/browserid-local-verify

* Production deployment: https://verifier.accounts.firefox.com/v2

~~=== Customs Server ===~~

~~FxA uses the Customs Server to detect and mitigate fraud & abuse.~~

~~Links:~~

* Code: https://github.com/mozilla/fxa-customs-server

* Deployment: currently pulled in by the auth server as an npm dependency

~~== Deployments ==~~

~~https://developer.mozilla.org/en-US/Firefox_Accounts#Firefox_Accounts_deployments~~

~~== Metrics ==~~

~~https://wiki.mozilla.org/Identity/Firefox_Accounts/Minimum_Viable_Metrics~~

~~== Fraud and Abuse ==~~

* General [[Identity/Firefox Accounts/Fraud and abuse|Fraud and abuse detection/migitation]]

* [[Identity/Firefox_Accounts/Account_lockout|Account lockout]] feature

~~= Resources =~~

* [[Identity/Firefox_Accounts/Meeting_Notes|Meeting Notes Archive]]

~~== Mailing Lists ==~~

* Firefox Accounts development: https://mail.mozilla.org/listinfo/dev-fxacct

* Sync development: https://mail.mozilla.org/listinfo/sync-dev

~~{{FxA Team}}~~

~~== Testing ==~~

* [[/Testing Notes|Testing notes]]

* [[/Test Plans|Test plans]]

~~== Related ==~~

* [https://wiki.mozilla.org/Identity/Roadmap Identity Roadmap]

* [https://wiki.mozilla.org/User_Services/Sync Firefox Sync.next]

* [https://wiki.mozilla.org/Identity/PiCL Identity and PiCL]

* [https://wiki.mozilla.org/Identity/UX FxA UX/UI]

* [https://wiki.mozilla.org/QA/Services/SyncTestPlanV1 QA Team Test Plan]

* [https://wiki.mozilla.org/Identity/WhatDoesFxAMeanToYou What Does Firefox Accounts Mean To You?]

Rfkelly

Confirm

358

edits

Changes

Identity/Firefox Accounts

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools