mozilla / PyFxA

Python library for interacting with the Firefox Accounts ecosystem

Update the PyFxA verify_token() method to perform local verification of JWT access tokens using a third-party JWT library #79

Open tublitzed opened 4 years ago

tublitzed commented 4 years ago

To support the larger efforts to get the FxA Rust Component into Desktop, we first need to get Sync completely migrated away from BrowserID over to OAuth.

fzzzy commented 4 years ago

To do this, I will be porting the JavaScript implementation to the existing Python implementation (which will then get ported to Rust later. lol.)

https://github.com/mozilla/fxa/blob/master/packages/fxa-auth-server/lib/oauth/token.js

rfk commented 4 years ago

I think the more interesting piece from your perspective will be https://github.com/mozilla/fxa/blob/493c1cc96cd23e9b4c5e9355db40c32b6fe9785b/packages/fxa-auth-server/lib/oauth/jwt_access_token.js#L104

(Which actually isn't very interesting apart from checking the typ parameter).

You will also need to discover the FxA server's public key, by loading it from https://accounts.firefox.com/.well-known/openid-configuration via the jwks_uri field.

fzzzy commented 4 years ago

@rfk Great, thanks for the details.

rfk commented 4 years ago

From Slack conversation, I filed an issue to make sure we're all on the same page about caching behavior when fetching the keys: https://github.com/mozilla/fxa/issues/5411

I also figured I'd drop a link to the FxA doc on how to verify the JWTs, for completeness: https://github.com/mozilla/fxa/blob/master/packages/fxa-auth-server/docs/oauth/jwt-access-tokens.md#local-verification-of-a-jwt-access-token

rfk commented 4 years ago

See also https://github.com/mozilla/fxa/issues/5412 for a suggestion to make discovery of the keys slightly easier given the current shape of the PyFxA codebase.
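The pieces the thread points at (the `typ` check in `jwt_access_token.js`, key discovery through the `jwks_uri` of the `openid-configuration` document, and the claim checks in the linked verification doc) pulled together into one runnable verifier. This is an added example, not PyFxA's or FxA's own code. It uses only the standard library so it runs offline: the RS256 signature check is written out as RSASSA-PKCS1-v1_5 arithmetic to show what a JWT library does for you; in PyFxA that part would go to the third-party library the issue title proposes. The RSA key (demo size), the JWKS document, the `ISSUER` and `AUDIENCE` values and the claims are all constructed here; the `at+jwt` typ value is the JWT access token profile value (RFC 9068) and is assumed to be the one FxA sets.

```python
import base64
import hashlib
import hmac
import json
import random
import time

ISSUER = "https://accounts.firefox.com"                  # assumed issuer value
AUDIENCE = "https://identity.mozilla.com/apps/oldsync"   # hypothetical audience
ACCESS_TOKEN_TYP = "at+jwt"   # RFC 9068 typ for JWT access tokens; assumed to match FxA
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

class TokenError(Exception):
    """Any reason the token must not be trusted."""

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin for large odd n; fine for a throwaway demo key, not for real key generation."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:  # odd candidate with the top bit set, until Miller-Rabin accepts it
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def make_rsa_key(bits: int = 1024) -> dict:
    """Constructed demo key standing in for the FxA server's key (real keys are bigger)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible mod phi
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def jwks_from_key(key: dict, kid: str) -> dict:
    """What the jwks_uri document would carry for this key: the public part only."""
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def _pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 with SHA-256 (what RS256 signs); k is the modulus size in bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue_token(key: dict, kid: str, claims: dict, typ: str = ACCESS_TOKEN_TYP) -> str:
    """Server side, used here only to build test input: sign claims as an RS256 JWT."""
    dump = lambda o: b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    signing_input = dump({"alg": "RS256", "typ": typ, "kid": kid}) + "." + dump(claims)
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_pkcs1_v15_encode(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(m, key["d"], key["n"]).to_bytes(k, "big"))

def verify_access_token(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Client side: return the claims only if every check passes, else raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3: raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # The verifier pins the algorithm; the token never chooses it (no "none", no HS256 confusion).
    if header.get("alg") != "RS256": raise TokenError("unexpected alg")
    # The typ check from the thread: an id_token signed by the same key is not an access token.
    if header.get("typ") != ACCESS_TOKEN_TYP: raise TokenError("not a JWT access token")
    keys = [k for k in jwks.get("keys", []) if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if len(keys) != 1: raise TokenError("no unique key for kid")
    n, e = (int.from_bytes(b64url_decode(keys[0][f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)
    if len(sig) != k: raise TokenError("bad signature length")
    # RSASSA-PKCS1-v1_5: sig^e mod n must equal the expected encoding byte for byte.
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, _pkcs1_v15_encode(f"{h_b64}.{p_b64}".encode(), k)):
        raise TokenError("bad signature")
    # Claims are inspected only once the signature is known good.
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer: raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]): raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now: raise TokenError("missing or past exp")
    return claims
```

The order of checks is the point: the algorithm is pinned by the verifier rather than read from the token, the `typ` and `kid` are checked before any expensive work, the signature is verified with a constant-time comparison, and only then are `iss`, `aud` and `exp` read from the payload. `jwks` is the parsed document from the `jwks_uri` named in `openid-configuration`; fetching it and deciding how long to cache it (the caching issue linked above) is left to the caller, and a miss on `kid` is the usual trigger for a refetch.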