The Account Manager project aims to help users manage the (currently manual and tedious) process of signing up/in/out of sites by adding chrome-level status and knobs to give the user a consistent point to view and control of sign-in status to the current site.

The project has two main deliverables:

1. A protocol definition that sites can use to define their account-and-session management features in a format a web browser can understand. (Check out the latest draft of the specification, or older versions).
2. An implementation of this protocol in Firefox.

This project is a reboot of the Account Manager Labs project, see that page for more background information.

Drivers

• Dan Mills
• Ed Lee
• Alex Faaborg
• You!

Status

Overview

See bug 571409.

Account Manager is currently a patch to mozilla-central, and is being targeted at the first release post 4.0.

Note that there is an add-on prototype (the result of the Labs exploration), but it is buggy and speaks an older version of the Account Manager protocol. It is not recommended for testing, use try-server builds instead.

Performance Impact

Currently around 1.3% on average:

linux: 1.7%
lin64: 2.4%
macos: 0.2%
mac64: 2.0%
winxp: 1.3%
win 7: 0.5%

Code Overview

See here for a quick walk-through of the code.

TODO

User facing features

• autoconnect [~2d]
• multi-profile sign-in bubbles [~1d]
• federated profile [~3d]
• HTTP Auth profile
• right click menu (fast user switching)
• basic in-content registration [a few days' work]

Backend features

• cookie-watching (refresh status on cookie changes) [~1day]
• per-method static parameters (for forms that use a hidden param to determine action)
• per-method dynamic parameters (for e.g. CSRF protection)

Password manager integration

• bug 589362
• use new password manager columns for account lookup/saving
  • migration (set account realm for existing saved logins) [~1 day]
  • also on password manager end (when saving new password) [~1 day (dolske?)]

Requirements

• Status display
  • Unregistered, signed-out, and signed-in for supported sites [P1]
  • Notifications of site requests for sign-in [P3]

• Sign-up support
  • New id+secret pair negotiation [P1]
  • Automatic password generation [P1]
  • Optional feature to allow user-defined passwords [P1]
  • Remember preferred email and username(s) [P1]

• Sign-in support
  • Request existing user credentials for new/unknown sites [P1]
  • Two-click sign-in [P1]
  • Optional automatic sign-in on next session [P2]
  • Support for multiple accounts [P1]

• Sign-out support
  • Two-click sign-out [P1]

• Password change
  • User-initiated password change [P2]
    • To a new random password [P3]
    • To a new user-defined password [P2]

• Support for various authentication types
  • Form submission/cookie [P1]
  • HTTP Basic auth [P1]
  • HTTP Digest auth [P2]
  • Client certs [P3]

• Supports sync if installed [P1]

• Disables itself during private browsing mode [P1]

Non-Goals

• Greasemonkey-like hacks that work only on one site, except as needed only to demonstrate the potential for the feature.
• Creating new and interesting authentication/authorization schemes.
• Extensive hacking on Password Manager-like heuristics to make it only sort of work on more sites.

Dependencies

Generally speaking:

• Password manager
• Theme work, site button in particular
• Notifications, to a lesser extent

Mockups

Design 1

Related Projects / Other Links

• Site Identity
• Account Manager Labs project
• Google Group

We held an in-person meetup on May 21st, see:

• The meetup page (with notes).
• Distilled analysis from discussions at the meetup.