mozilla / fxa-auth-server

DEPRECATED - Migrated to https://github.com/mozilla/fxa
Mozilla Public License 2.0

Add an /oauth/token route, authenticated with a sessionToken #2954

Closed rfk closed 5 years ago

rfk commented 5 years ago

As part of our quest to simplify our OAuth infrastructure and remove BrowserID, let's move the OAuth /token endpoint over to the auth-server and allow it to be authenticated directly with a sessionToken. This will let clients that already hold a sessionToken grant themselves OAuth tokens directly, rather than having to indirect through a separate service with a BrowserID assertion.

This supports the Fennec -> Fenix migration flow (since Fenix can use the existing sessionToken from Fenix to mint new OAuth tokens for itself) as well as furthering broader architectural efforts to make OAuth the primary mechanism of authorizing things via FxA. Other potential consumers include Desktop when it grants itself tokens for accessing profile data, and Firefox for iOS when it grants itself tokens for syncing the Logins rust component.

The new route should also support the existing authorization_code and refresh_token grant types, so that we can do interesting auth-server things with them (such as registering placeholder device records and sending emails, as described in https://github.com/mozilla/fxa-auth-server/issues/2880).

Blocks https://github.com/mozilla/fxa-auth-server/issues/2880; Requires #2962

rfk commented 5 years ago

To support the Fennec -> Fenix migration, if this route is used to grant the app a token with "oldsync" scope, then it should ensure the app has a device record in a similar way to https://github.com/mozilla/fxa-auth-server/issues/2955. If the route is used to generate a refreshToken, that refreshToken should be added to the device record.
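The behaviour the issue and the follow-up comment describe, as an added in-memory illustration that is not part of this issue or of fxa-auth-server's code; the handler name, the store layout, the `access_type` parameter and the counter-based id generation are all assumptions made for the sketch:

```javascript
// Added example, not fxa-auth-server code: models a sessionToken-authenticated
// /oauth/token grant plus the device-record side effects described above.
// Every function, store and field name is an assumption for illustration.

// Constructed state standing in for the auth-server database.
const sessions = new Map();      // sessionToken -> { uid, deviceId|null }
const devices = new Map();       // uid -> Map(deviceId -> device record)
const refreshTokens = new Map(); // refreshToken -> { uid, scope }

// Sequential ids keep the sketch dependency-free; a real server would
// mint cryptographically random tokens instead.
let counter = 0;
function newId(prefix) { return `${prefix}-${++counter}`; }

// Ensure the calling client has a device record, creating a placeholder
// one when the session is not yet bound to any device.
function ensureDeviceRecord(session) {
  if (!devices.has(session.uid)) devices.set(session.uid, new Map());
  const byUid = devices.get(session.uid);
  if (!session.deviceId) session.deviceId = newId('dev');
  if (!byUid.has(session.deviceId)) {
    byUid.set(session.deviceId, { id: session.deviceId, refreshToken: null, placeholder: true });
  }
  return byUid.get(session.deviceId);
}

// Handler for the proposed route: the caller proves identity with a
// sessionToken, so no BrowserID assertion is involved.
function oauthToken(sessionToken, { scope = [], access_type = 'online' } = {}) {
  const session = sessions.get(sessionToken);
  if (!session) return { status: 401, error: 'invalid_token' };
  if (!Array.isArray(scope) || scope.length === 0) return { status: 400, error: 'invalid_scope' };

  const response = { status: 200, access_token: newId('at'), scope };
  const wantsRefresh = access_type === 'offline';

  // "oldsync" scope or a refreshToken both require a device record; a
  // refreshToken is then recorded on that device.
  const device = scope.includes('oldsync') || wantsRefresh ? ensureDeviceRecord(session) : null;
  if (wantsRefresh) {
    const refreshToken = newId('rt');
    refreshTokens.set(refreshToken, { uid: session.uid, scope });
    device.refreshToken = refreshToken;
    response.refresh_token = refreshToken;
  }
  return response;
}
```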