|
|
(36 intermediate revisions by 11 users not shown) |
Line 1: |
Line 1: |
| {{LastUpdated}} | | {{LastUpdated}} |
|
| |
|
| =What Is Firefox Accounts? = | | = Firefox Accounts = |
|
| |
|
| Firefox Accounts is a consumer account system which provides access to services run by Mozilla, such as [https://marketplace.firefox.com/ Firefox Marketplace] and the [https://wiki.mozilla.org/User_Services/Sync next version of Firefox Sync]. A user can sign in with a Firefox Account to all her "Foxes": Firefox on Desktop, Firefox for Android, and Firefox OS. Signing into a Firefox browser or device gives the user access to integrated Mozilla Services on that browser or device that requires authentication (e.g., Firefox Sync). Longer term we envision that non-Mozilla services and applications will be able to delegate authentication to Firefox Accounts. | | Firefox Accounts is the account system for Firefox users to access hosted services provided by Mozilla. |
|
| |
|
| Firefox Accounts from a literal, technical perspective is not much to look at. It's a thin service that does only a few things, e.g., | | A user can sign in with a Firefox Account to any of her "Foxes" - Firefox on Desktop, Firefox for Android, and Firefox OS - to access integrated services such as [https://wiki.mozilla.org/User_Services/Sync Firefox Sync] and [https://marketplace.firefox.com/ Firefox Marketplace]. She can also sign in to services on the web using a standard OAuth flow. |
|
| |
|
| * It allows users to create a Firefox Account.
| | For information on integrating a service with Firefox Accounts, visit the [https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts Firefox Accounts portal on MDN]. |
| * It allows existing account holders to authenticate themselves, and perform related operations (reset password, change password, etc.)
| |
| * It provides a delegated authentication API to relying Mozilla services (possibly third services in the future). Just like how Google Drive delegates authentication to Google Accounts, Firefox Marketplace will delegate authentication to Firefox Accounts.
| |
|
| |
|
| Firefox Accounts itself doesn't store much about users, and we intend to keep it that way: | | For information on contributing to Firefox Accounts development, visit the [https://fxa.readthedocs.org developer documentation]. |
|
| |
|
| * Email address
| | To file a bug related to Firefox Accounts, you can use either [https://github.com/mozilla/fxa/issues/new Github] or [https://bugzilla.mozilla.org/enter_bug.cgi?product=Cloud%20Services&component=Server:%20Firefox%20Accounts Bugzilla]. |
| * Password verifier
| |
| * User id
| |
| * Sync encryption keys
| |
| * Whether the user has accepted the ToS and PP
| |
| * A log of security events about the user (from where and when logins, passwords resets, etc. happen), and from what devices the user is currently logged in.
| |
| | |
| Firefox Accounts on it's own is boring and useless. Firefox Accounts is only interesting and valuable when you start attaching services to it, like Firefox Marketplace, Where's My Fox, and Firefox Sync. These services will manage their own data, but rely on Firefox Accounts for single sign-on and related authentication services.
| |
| | |
| =FAQ=
| |
| | |
| == Will I be required to create a Firefox Account to use Firefox? ==
| |
| | |
| No, of course not! Firefox Accounts will only be required for Mozilla Services that require authentication, such as Firefox Sync and Firefox Marketplace.
| |
| | |
| ==How does a user create and sign in to a Firefox Account?==
| |
| Firefox Accounts will work much like authentication works just about everywhere else. You create a Firefox Account with a verified email and password. You sign in to Firefox Accounts with your email and password. We are currently evaluating creating and logging in to a Firefox Account with a mobile number.
| |
| | |
| ==Why does Firefox Accounts require me to choose a password?==
| |
| The first relying service we're targeting with Firefox Accounts is Firefox Sync. Current Firefox Sync encrypts all your data in our servers, and we will continue to do so in the Firefox Accounts backed version of Sync. However, in the FxA backed version of Firefox Sync, we will encrypt your Sync data with a key derived from your Firefox Account password, instead a random key managed by the J-PAKE pairing protocol. This technique of using a password derived sync key is similar to how data protection in [https://support.google.com/chrome/answer/1181035?hl=en&ref_topic=1693469 Chrome Sync] works.
| |
| | |
| ==What is the UX for signing in to a Firefox Account?==
| |
| NOTE: This is a work in progress!
| |
| | |
| Here are some Lucidchart flow diagrams for FxA: https://www.lucidchart.com/documents/edit/4f34-ef24-52695ddf-8057-72580a00d543
| |
| ===Web===
| |
| We anticipate the majority of Firefox Account sign ins and account creations will be driven by flows from Mozilla relying services, such as Firefox Marketplace. We propose relying Mozilla services present account controls and signal the FxA logged in state in the upper right corner of their Web properties:
| |
| | |
| [[File:Sign-in.png|400px]]
| |
| | |
| If a user clicks on the "Sign Up" or "Log In" button, it will take her to to a FxA page that will allow her to sign in or create an account. After completing sign in or account creation, she will be redirected back to the relying Mozilla service.
| |
| | |
| ===FxOS===
| |
| TODO
| |
| | |
| ==How do relying Mozilla services authenticate an FxA user?==
| |
| Great question. We're still working out the details. We're first going to figure out the [https://wiki.mozilla.org/Identity/Firefox_Accounts/SSO product requirements of SSO with FxA] and go from there.
| |
| | |
| ==How does a user reset her Firefox Account password?==
| |
| Password reset works by responding to an email challenge.
| |
| | |
| ==What's the difference between Persona and Firefox Accounts?==
| |
| Persona is not intended to provide you with a new account, and it's not a new account system. Persona is a federated login protocol. You use Persona to log in to relying sites, and it's not intended that you need to "sign up" for Persona before you can use it. If you would need to sign up for anything, you would need to create an account at an IdP that supports Persona.
| |
| | |
| One *huge* confusing point about Persona today is a service called the "Persona Fallback", which serves as a proxy IdP if your actual IdP doesn't support Persona (or isn't bridged), which just about every IdP except for Google and Yahoo. In this case, you currently have to sign up for a "Persona Fallback Account" (i.e. choose a password and verify your email) to use Persona.
| |
| | |
| But a Persona Fallback Account is not a Persona Account, it's not the long term vision of Persona, and that's not supposed to be the happy path of the Persona login experience.
| |
| | |
| More importantly, for the purposes of this question, a Persona Fallback Account is definitely not a Firefox Account.
| |
| | |
| So why Firefox Accounts and what will one do?
| |
| | |
| Mozilla needs an account database to deliver a fantastic, integrated experience across all its products. Unfortunately, delivering awesome services involves some less exciting, but still important aspects, like making sure users have had a chance to inspect our terms of service and privacy policies. We must also comply with local laws and regulations, e.g., [http://www.coppa.org/ COPPA]. It would be inconvenient for users to have to verify a terms of service, a privacy policy, and COPPA at each individual Mozilla service. We believe that users should only have to inspect our terms of service, privacy policy, and go through COPPA verification '''once''' for all our services. Firefox Accounts enables us to do that. One we get the basics down and enable single sign-on for relying Mozilla Services with your Firefox Account, we hope integrate Firefox Accounts with Persona on the Web and Firefox user agents to make logging in everywhere as painless as it should be.
| |
| | |
| == What information does Firefox Accounts store about the user? Can I use it to store user data for my application or service? ==
| |
| Firefox Accounts stores limited user information, and only stores information that will deliver significant user value across applications or is tightly related to the user's identity. It will not store user data for relying services. Relying Mozilla services can use Firefox Accounts for authentication, but application data storage is the responsibility of the individual applications.
| |
| | |
| Currently, Firefox Accounts stores the user's email address, a unique identifier, sync encryption key material, and whether you user has read and accepted the terms of service, privacy policy, etc. The existence of a Firefox Account also indicates the user has passed COPPA verification.
| |
| | |
| Possible future plans:
| |
| * "screen name"
| |
| * avatar
| |
| * mobile number
| |
| | |
| == Can I use Persona to log in to my Firefox Account? ==
| |
| Not initially, but it's something we're investigating to add in the future.
| |
| | |
| == Can I use my Firefox Account to log in to non-Mozilla services? ==
| |
| Not initially, but it's something we're investigating to support in the future.
| |
| | |
| == Does Firefox Accounts provide email? ==
| |
| No.
| |
| | |
| == What services will use Firefox Accounts? ==
| |
| Here's a (probably incomplete) list of services we anticipate you'll be able to log into with your Firefox Account:
| |
| * Firefox Sync
| |
| * Firefox Marketplace
| |
| * Where's My Fox?
| |
| * [https://wiki.mozilla.org/User:Dria/PiCL_Future_Ideas crazy future ideas]
| |
| | |
| == What do these terms mean? ==
| |
| * FTU, FTE: First Time Experience on Firefox OS
| |
| * FxA : Firefox Accounts. It may also refer to a user's particular Firefox Account.
| |
| * Jelly: A confusing term that refers to a hosted web page that is injected into more native-looking browser UI. An example of this is about:healthreport.
| |
| * Doughnut: The browser code that wraps the "Jelly" and enables it to interact with chrome code in the browser.
| |
| * RP : Relying Party. Services that use Firefox Accounts for authentication and identity. Currently these are limited to services run by Mozilla.
| |
| * PiCL : Profile in the Cloud. This is a deprecated term that was used to refer to Firefox Accounts + attached services (i.e., relying parties).
| |
| | |
| == Where is the schedule for FxA? ==
| |
| https://wiki.mozilla.org/Identity/Roadmap
| |
| | |
| == Where is the FxA for Web addition to the Arch section below? ==
| |
| | |
| == What are the similarities/differences between FxA for Web and the Dev work already being done for desktop and android? ==
| |
| | |
| == Have a question not covered here? Add it in this section and we'll answer it! ==
| |
| Is it possible to host your own Firefox accounts, like with Firefox Sync?
| |
| | |
| =Architecture=
| |
| [[File:Firefox_Accounts_Architecture.png]]
| |
| | |
| [[File:Firefox_Accounts_and_Sync_Architecture.png]]
| |
| | |
| https://mana.mozilla.org/wiki/display/services/Firefox+Accounts+Architecture
| |
| | |
| | |
| == Cloud Services ==
| |
| | |
| Firefox Accounts Cloud Services is composed of several sub-services, an '''auth server''', a '''content server''', and a '''crypto helper'''.
| |
| | |
| === Auth Server ===
| |
| | |
| The Auth Server provides an HTTP API that:
| |
| | |
| * authenticates the user
| |
| * enables the user to authenticate to other services via BrowserID assertions
| |
| * enables change and reset password operations
| |
| | |
| Links:
| |
| * Code: https://github.com/mozilla/fxa-auth-server
| |
| * API documentation: https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md
| |
| * API design document: [[Identity/AttachedServices/KeyServerProtocol]]
| |
| * Dev deployment: https://github.com/mozilla/fxa-auth-server#dev-deployment
| |
| * Python API client (primarily a reference client): https://github.com/warner/picl-spec-crypto
| |
| | |
| === Content Server ===
| |
| | |
| The Content Server hosts static assets (HTML, Javascript, CSS, etc.) that support user interactions with the Firefox Accounts. The responsibilities of the Content Server include:
| |
| | |
| * hosting Gherkin, a Javascript library that supports interactions with the Auth Server
| |
| * hosting login and create account pages
| |
| * hosting password reset pages
| |
| * hosting landing pages for email verification links
| |
| | |
| Links:
| |
| * Code: https://github.com/mozilla/fxa-content-server
| |
| * Deployments:
| |
| ** dev stable: https://accounts.dev.lcip.org/
| |
| ** dev latest: https://accounts.dev.lcip.org/
| |
| ** prod: https://accounts.firefox.com/
| |
| | |
| === JS Client Library ===
| |
| | |
| Firefox Accounts provides a Javascript client library for the Web that supports operations with Firefox Accounts. In addition to communicating with the Auth Server, it also performs local key stretching (PBKDF2 and scrypt) on the user's password before it's used in the API. It is hosted by the Content Server. This library was at one time called "Gherkin".
| |
| | |
| Links:
| |
| * Code: https://github.com/mozilla/fxa-js-client
| |
| * Key stretching details: https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol#Client-Side_Key_Stretching
| |
| * Key stretching performance tests: https://wiki.mozilla.org/Identity/AttachedServices/Key_Stretching_Performance_Tests
| |
| | |
| === scrypt Helper ===
| |
| | |
| A portion of the key stretching process uses [http://en.wikipedia.org/wiki/Scrypt scrypt], a password-based key derivation function that uses significant amounts of memory. On memory constrained devices, Firefox Accounts provides a helper service for this portion of the key stretching process.
| |
| | |
| Links:
| |
| * Code: https://github.com/mozilla/fxa-scrypt-helper
| |
| * Dev deployment: https://scrypt-accounts.dev.lcip.org/
| |
| | |
| === Verifier ===
| |
| | |
| FxA will host its own BID verifier for relying Mozilla service to verify the assertions FxA generates. The reason is that the <code>principal</code> will be <code>{ email: <user's real email>, uid: <FxA user id> }</code>, which is not BID-kosher.
| |
| | |
| Update (11/14/13): A separate verifier is currently off the table. The proposal is to use the current verifier, with some changes.
| |
| Update (11/15/13): it sure seems like it is back on the table. Can someone confirm?
| |
| | |
| Discussion:
| |
| * https://github.com/mozilla/fxa-auth-server/issues/292
| |
| * https://github.com/mozilla/fxa-auth-server/pull/275
| |
| * https://groups.google.com/forum/#!topic/mozilla.dev.identity/1ecTUrOFzbQ
| |
| | |
| == Desktop ==
| |
| | |
| Firefox Accounts integration on Firefox for Desktop is happening in the [https://tbpl.mozilla.org/?tree=Elm "elm" project branch]. We are also working out of a [https://github.com/mhammond/mozilla-central/tree/experiment/elm-fxaccount-sync github repo] for "pre-elm" experimentation.
| |
| | |
| Tracking bug:
| |
| * https://bugzilla.mozilla.org/showdependencytree.cgi?id=905997&hide_resolved=1
| |
| | |
| == Android ==
| |
| | |
| Firefox Accounts integration on Firefox for Android is happening in the [https://tbpl.mozilla.org/?tree=Elm "elm" project branch].
| |
| | |
| Tracking bug:
| |
| * https://bugzilla.mozilla.org/showdependencytree.cgi?id=799726&hide_resolved=1
| |
| | |
| == Firefox OS ==
| |
| Implementation of Firefox Accounts in FirefoxOS is committed for b2g v1.4. This is a collaborative effort working closely with TEF and Telenor engineers.
| |
| | |
| Demo:
| |
| * https://vimeo.com/79618371
| |
| | |
| Tracking bug:
| |
| * https://bugzilla.mozilla.org/showdependencytree.cgi?id=941723&hide_resolved=1
| |
| | |
| Our current line of thought is below and a work-in-progress:
| |
| * UX: https://wiki.mozilla.org/Identity/UX#FXOS
| |
| * https://github.com/SamPenrose/fxa-fxos/blob/master/dependencies.md
| |
| | |
| ===Tracking===
| |
| <onlyinclude>
| |
| <bugzilla>
| |
| {
| |
| "blocks": "941723",
| |
| "resolution": "---",
| |
| "include_fields": "id, summary, status, resolution, assigned_to, depends_on, blocks, whiteboard"
| |
| }
| |
| </bugzilla>
| |
| | |
| == Operations ==
| |
| For now, here are some useful links about Firefox Accounts Operations:
| |
| * Q3 load testing results: https://id.etherpad.mozilla.org/fxa-q3-load-testing-summary
| |
| * Deployment planning: https://wiki.mozilla.org/Identity/AttachedServices/DeploymentPlanning/
| |
| * Traffic model: https://wiki.mozilla.org/Identity/AttachedServices/DeploymentPlanning/TrafficModel
| |
| * Notes on the operational costs of the Auth Server: https://mail.mozilla.org/pipermail/sync-dev/2013-July/000043.html
| |
| | |
| === Deployments ===
| |
| * production (proposed) https://github.com/mozilla/fxa-auth-server/issues/295#issuecomment-28614668
| |
| * stage (proposed): https://github.com/mozilla/fxa-auth-server/issues/295#issuecomment-28725360
| |
| * dev:
| |
| ** Auth server: https://api-accounts.dev.lcip.org
| |
| ** Auth server (auto-pushed from master): https://api-accounts-latest.dev.lcip.org/
| |
| ** Content server: https://accounts.dev.lcip.org/flow
| |
| ** Scrypt helper: https://scrypt-accounts.dev.lcip.org
| |
| | |
| == Metrics ==
| |
| https://wiki.mozilla.org/Identity/Firefox_Accounts/Minimum_Viable_Metrics
| |
| | |
| == Fraud and Abuse ==
| |
| https://id.etherpad.mozilla.org/fxacct-metrics-fraud-detection
| |
| | |
| =Resources=
| |
| | |
| == Mailing Lists ==
| |
| * Firefox Accounts development: https://mail.mozilla.org/listinfo/dev-fxacct
| |
| * Sync development: https://mail.mozilla.org/listinfo/sync-dev
| |
| | |
| {{FxA Team}}
| |
| | |
| == Related ==
| |
| * [https://wiki.mozilla.org/Identity/Roadmap Identity Roadmap]
| |
| * [https://wiki.mozilla.org/User_Services/Sync Firefox Sync.next]
| |
| * [https://wiki.mozilla.org/Identity/PiCL Identity and PiCL]
| |
| * [https://wiki.mozilla.org/Identity/UX FxA UX/UI]
| |
| * [https://wiki.mozilla.org/QA/Services/SyncTestPlanV1 QA Team Test Plan]
| |
| * [https://wiki.mozilla.org/Identity/WhatDoesFxAMeanToYou What Does Firefox Accounts Mean To You?]
| |
| | |
| == Demos ==
| |
| * Firefox Accounts + Firefox Sync on Android: https://vimeo.com/77667079
| |
| * Firefox Accounts + Firefox Sync on Desktop: https://vimeo.com/77717494
| |
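Review bot: the new right-hand text has no replacement for the removed list of what Firefox Accounts stores about a user (email address, password verifier, user id, Sync encryption keys, ToS/PP acceptance, security event log), nor for the removed FAQ entry "What information does Firefox Accounts store about the user?". As far as the visible columns show, the rewritten page only links out to MDN, the developer documentation and the bug trackers. Suggest keeping a short statement of the stored data, or linking directly to the page that now documents it, so the commitment in "we intend to keep it that way" stays findable. The same applies to the removed Architecture section (Auth Server, Content Server, client-side key stretching, scrypt helper, Verifier): if that material moved to the developer documentation, say so next to that link.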