Saturday, March 07, 2015

x-auto-login at Mozilla Services?

As I described here

http://ignisvulpis.blogspot.de/2014/11/x-auto-login-at-google.html

Google is using a proprietary HTTP header named x-auto-login to log you into Google services like GMail using your local Android account.
This is cool.

Browse to a Google website and be logged in without the need to remember the super secure password. Sadly this is a closed system as we learned when implementing this for Firefox for Android (Fennec).
See https://bugzilla.mozilla.org/show_bug.cgi?id=1030650

Yes, Fennec can talk to the Authenticator and ask for a "weblogin:" token for "com.google", but the Authenticator answers differently depending on who asks. If Chrome is asking, the returned token redirects you to https://accounts.google.com/ and immediately logs you in, but when you're Fennec you are just redirected to https://accounts.google.com/ and have to enter username and password. Bummer.

Anyway: How about using this scheme for Mozilla services and using a Mozilla account on the device or local to the browser (Firefox Sync) if available?

  1. browse to e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1030650 (obviously a Mozilla service) and press the login button 
  2. get redirected to https://accounts.firefox.com/ServiceLogin?service=bugzilla&passive=true&rm=false&continue=https://bugzilla.mozilla.org/show_bug.cgi?id=1030650&ss=1&scc=1&ltmpl=bugzilla&emr=1 
  3. the response includes an x-auto-login HTTP header 
  4. Firefox sees the x-auto-login header and
    - on desktop, looks for a Firefox Sync account and uses it to obtain a token from a token endpoint hosted at mozilla.org
    - on Android, asks the AccountManager for a weblogin token for "org.mozilla". 
  5. redirect to the token (the token is a URL). In this case e.g. https://accounts.firefox.com/?t=accesstokenb64&...
  6. https://accounts.firefox.com/ validates the token and redirects back to https://bugzilla.mozilla.org/show_bug.cgi?id=1030650

I think this is doable and would benefit the users of Mozilla services.
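
The origin checks that steps 4 to 6 depend on, as an added example (not code from this post, Fennec or Mozilla): the browser honours the header only from the accounts origin and follows the token URL only if it stays there, and the accounts server redirects back only to a known service. The header format `realm=...&args=...`, the function names, the `getToken` callback and the service allowlist are assumptions.

```javascript
// Added example; the header format, names and allowlist are assumptions.
const ACCOUNTS_ORIGIN = "https://accounts.firefox.com";            // from the post
const REALM = "org.mozilla";                                       // from the post
const SERVICE_ORIGINS = new Set(["https://bugzilla.mozilla.org"]); // assumed allowlist

function parseUrl(s) { try { return new URL(s); } catch { return null; } }

// Step 4: honour the header only on an HTTPS response from the accounts origin.
// Assumed format: "realm=org.mozilla&args=<url-encoded query string>".
function parseAutoLogin(responseUrl, headerValue) {
  const resp = parseUrl(responseUrl);
  if (!resp || resp.origin !== ACCOUNTS_ORIGIN) return null;
  const fields = new URLSearchParams(headerValue);
  const args = fields.get("args");
  if (fields.get("realm") !== REALM || !args) return null;
  return { realm: REALM, args: new URLSearchParams(args) };
}

// Step 5: the token is a URL, so follow it only if it stays on the accounts origin.
function checkTokenUrl(tokenUrl) {
  const u = parseUrl(tokenUrl);
  if (!u || u.origin !== ACCOUNTS_ORIGIN || u.username || u.password) return null;
  return u.searchParams.has("t") ? u.href : null;
}

// Step 6 (accounts server): redirect back only to an allowlisted service origin.
function checkContinue(continueUrl) {
  const u = parseUrl(continueUrl);
  return u && SERVICE_ORIGINS.has(u.origin) ? u.href : null;
}

// Browser side of steps 4 and 5. getToken is a hypothetical callback standing in
// for the Sync token endpoint (desktop) or the AccountManager (Android).
function handleAutoLogin(responseUrl, headerValue, getToken) {
  const parsed = parseAutoLogin(responseUrl, headerValue);
  if (!parsed || !checkContinue(parsed.args.get("continue"))) return null;
  return checkTokenUrl(getToken(parsed.realm, parsed.args.toString()));
}

// Constructed sample input, built from the URLs in the post.
const bug = "https://bugzilla.mozilla.org/show_bug.cgi?id=1030650";
const header = "realm=org.mozilla&args=" +
  encodeURIComponent("service=bugzilla&continue=" + encodeURIComponent(bug));
const fakeToken = () => "https://accounts.firefox.com/?t=accesstokenb64";
console.log(handleAutoLogin(ACCOUNTS_ORIGIN + "/ServiceLogin", header, fakeToken));
console.log(handleAutoLogin("https://example.org/", header, fakeToken)); // null
```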

Next step then (there is always a next step) is to allow third party logins e.g. from GitHub to bugzilla using x-auto-login.
