mozilla / fxa-oauth-server

OAuth server for Firefox Accounts

Support `action=email` to enable the email-first flow for OAuth reliers. #539

Closed shane-tomlinson closed 6 years ago

shane-tomlinson commented 6 years ago

See https://github.com/mozilla/fxa-content-server/issues/6009

Changes should be limited to https://github.com/mozilla/fxa-oauth-server/blob/master/lib/routes/redirect.js.

If action=email, the action query parameter must be propagated to the content server.
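As an illustration of the propagation described above (added here; this is not the project's redirect.js), the handler can forward `action` to the content server only when it carries a recognised value, so a relier cannot pass arbitrary strings through. The content-server URL, the allow-list contents and the other parameter names are assumptions.

```javascript
// Added example, not code from fxa-oauth-server: build the content-server URL
// an OAuth authorization request is redirected to, forwarding `action` only
// when it holds an allowed value.
// CONTENT_SERVER_URL and the forwarded parameter names are assumptions.
const CONTENT_SERVER_URL = 'https://accounts.example.invalid/authorization';

// Only `email` is taken from the issue; the real server may accept more.
// Unknown values are dropped rather than forwarded.
const ALLOWED_ACTIONS = new Set(['email']);

function buildContentServerRedirect(query) {
  const url = new URL(CONTENT_SERVER_URL);

  // Parameters already present on the authorization request are copied
  // through unchanged; non-string values (arrays, objects) are ignored.
  for (const name of ['client_id', 'state', 'scope', 'redirect_uri']) {
    if (typeof query[name] === 'string') {
      url.searchParams.set(name, query[name]);
    }
  }

  // Propagate `action` only for allow-listed string values.
  if (typeof query.action === 'string' && ALLOWED_ACTIONS.has(query.action)) {
    url.searchParams.set('action', query.action);
  }

  return url.toString();
}

// Constructed sample request: the email-first flow is requested.
const sampleRedirect = buildContentServerRedirect({
  client_id: 'constructed-client-id',
  state: 'constructed-state',
  action: 'email',
});
```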

vladikoff commented 6 years ago

I am worried that from an OAuth server point of view the action param is way too generic.

shane-tomlinson commented 6 years ago

> I am worried that from an OAuth server point of view the action param is way too generic.

Can you expand?

vladikoff commented 6 years ago

@shane-tomlinson ah I see we already had it in the codebase. It's ok then, I will just try to remember what action means and does more :P.

shane-tomlinson commented 6 years ago

> @shane-tomlinson ah I see we already had it in the codebase. It's ok then, I will just try to remember what action means and does more :P.

I had a quick look at both the OpenID Connect and OAuth 2 spec and didn't find mention of an action query parameter anywhere, though section 3.1.2.1 of the OpenID Connect spec says that "Other parameters MAY be sent". IIRC we used action in the content server because the oauth server already made use of it.

I see that action is already part of our publicly defined API, though it's not mentioned in the MDN docs.

rfk commented 6 years ago

> I had a quick look at both the OpenID Connect and OAuth 2 spec and didn't find mention of an action query parameter anywhere

Yep, I haven't seen any standard way of allowing the relier to choose the desired flow, so we have to go our own way here. It'd be nice if we got to a point where the relier didn't have to care about this, and email-first is probably a step in that direction.