As part of our quest to simplify our OAuth infrastructure and remove BrowserID, let's move the OAuth /authorization endpoint over to the auth-server and authenticate it directly with a sessionToken, rather than having to indirect through a separate service with a BrowserID assertion.
This supports the Fennec -> Fenix migration flow (since Fenix can use Fennec's sessionToken to authorize itself as a new client) as well as furthering broader architectural efforts to make OAuth the primary mechanism of authorizing things via FxA. Other consumers include the Desktop half of the pairing flow, which currently uses the BrowserID-authenticated /authorization route.
Ref: https://github.com/mozilla/fxa-auth-server/pull/2932 for a WIP PR.
(@vladikoff I edited your issue comment to add more details as part of breaking down https://github.com/mozilla/fxa-auth-server/issues/2547#issuecomment-468482625)