Services/Sync/NextGen: Difference between revisions

= High level technical description =


== Identification ==
 
The implementation of the next generation Sync feature will be centred around Persona.  The Identity team will work to define and deploy a special type of IdP, which I'll refer to as a "Preferred IdP" or PIdP for short.  This IdP will support an auth protocol designed to prevent disclosure of the user's Persona passphrase to the server, as well as enabling non-browser clients to directly authenticate without a browser context.  In addition to a secure authentication protocol, a PIdP will also expose an API to obtain a wrapped encryption key (known as the User Key, or UK).  This key will be encrypted and decrypted on the client, using a key derived from the Persona passphrase.  The User Key will not be exposed to consumers, but will be used by the Persona client to encrypt and decrypt a per-service encryption key (known as a Service Key or SK) on request.
 
== Service Authentication ==
 
As with Apps in the Cloud, the service client will obtain an assertion from the Persona client, and use that to authenticate to the Token Server.  A successful request to the Token Server will return an object containing all necessary data to make requests against the Identity-attached service, as described in the [https://docs.services.mozilla.com/token/apis.html Token Server API docs].
 
== Using the Service ==
 
The new version of the [http://docs.services.mozilla.com/storage/apis-2.0.html Sync Storage API] uses the same request authentication model as Apps in the Cloud.  Beyond that, it is a significantly refined version of the 1.1 API with a set of improvements [https://docs.services.mozilla.com/storage/apis-2.0.html#changes-from-v1-1 outlined in the API docs].  Sync clients will use a Service Key stored on the service itself, encrypted by the Persona client using the UK.  The SK will be used to encrypt outgoing records and decrypt incoming records, as with the current Sync model.
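
The key layering described in the sections above (a passphrase-derived key wraps the UK, the UK wraps the SK, the SK encrypts records), as an added sketch that is not part of the Sync or Persona code. scrypt, AES-256-GCM, the blob layout, the AAD labels and every function name are assumptions; this page does not specify algorithms or formats.

```javascript
// Added illustration. scrypt, AES-256-GCM and the iv|tag|ciphertext layout are
// assumptions; the design text names no algorithms. All names are hypothetical.
const crypto = require('crypto');

// Key-wrapping key derived on the client from the Persona passphrase.
function deriveWrappingKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Authenticated encryption; `label` is bound as AAD so a blob wrapped for one
// purpose (e.g. "SK:sync") is rejected if presented as another.
function seal(key, plaintext, label) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(label));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(key, blob, label) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(label));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on bad key/label
}

// First device: generate UK and SK, upload only wrapped keys and ciphertext.
function setupAccount(passphrase, recordJson) {
  const salt = crypto.randomBytes(16);
  const uk = crypto.randomBytes(32), sk = crypto.randomBytes(32);
  return {
    salt,
    wrappedUK: seal(deriveWrappingKey(passphrase, salt), uk, 'UK'), // held by the PIdP
    wrappedSK: seal(uk, sk, 'SK:sync'),                             // held by the service
    record: seal(sk, Buffer.from(recordJson), 'record'),            // held by the service
  };
}

// Second device: the passphrase plus server-held blobs are enough to read records.
function readRecord(passphrase, server) {
  const uk = unseal(deriveWrappingKey(passphrase, server.salt), server.wrappedUK, 'UK');
  const sk = unseal(uk, server.wrappedSK, 'SK:sync');
  return unseal(sk, server.record, 'record').toString();
}

// Passphrase change: only the UK is re-wrapped; SK and records are untouched.
function changePassphrase(oldPass, newPass, server) {
  const uk = unseal(deriveWrappingKey(oldPass, server.salt), server.wrappedUK, 'UK');
  return { ...server, wrappedUK: seal(deriveWrappingKey(newPass, server.salt), uk, 'UK') };
}
```

In this sketch the server side only ever holds `salt`, the two wrapped keys and record ciphertext, so none of the values it stores decrypts anything without the passphrase.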


= Open Questions =