
Firefox Accounts support in Kinto

Kinto-fxa enables authentication in Kinto applications using Firefox Accounts OAuth2 bearer tokens.

N.B. This project used to be called cliquet-fxa, but was renamed to kinto-fxa following the rename of the cliquet project to kinto.

It provides:

  • An authentication policy class;

  • Integration with Kinto cache backend for token verifications;

  • Integration with Kinto for heartbeat view checks;

  • Some optional endpoints to perform the OAuth dance.

  • Kinto documentation

  • Issue tracker

Installation

As stated in the official documentation, Firefox Accounts OAuth integration is currently limited to Mozilla relying services.

Install the Python package:

pip install kinto-fxa

Include the package in the project configuration:

kinto.includes = kinto_fxa

Then configure the authentication policy using the pyramid_multiauth formalism:

multiauth.policies = fxa
multiauth.policy.fxa.use = kinto_fxa.authentication.FxAOAuthAuthenticationPolicy

By default, it will rely on the cache configured in Kinto.

Configuration

Fill in these settings with the values obtained during the application registration:

fxa-oauth.client_id = 89513028159972bc
fxa-oauth.client_secret = 9aced230585cc0aaea0a3467dd800
fxa-oauth.oauth_uri = https://oauth-stable.dev.lcip.org
fxa-oauth.requested_scope = profile kinto
fxa-oauth.required_scope = kinto
fxa-oauth.webapp.authorized_domains = *.firefox.com
# fxa-oauth.cache_ttl_seconds = 300
# fxa-oauth.state.ttl_seconds = 3600

If the application should not behave as a relier (i.e. the OAuth dance endpoints are disabled):

fxa-oauth.relier.enabled = false

If necessary, override the default values of the authentication policy:

# multiauth.policy.fxa.realm = Realm

Login flow

OAuth Bearer token

Use the OAuth token with this header:

Authorization: Bearer <oauth_token>

Note: if the token is not valid, this will result in a 401 error response.
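The check that stands behind that 401, as an added example that is not kinto-fxa's own code: parse the Authorization header, verify the token, enforce fxa-oauth.required_scope, and cache the verification result for fxa-oauth.cache_ttl_seconds without letting a cache failure block authentication (the property the 2.3.1 changelog entry restores). The call to the OAuth server is replaced by a constructed in-memory verifier, and the token values and user ids are constructed, so the example runs offline.

```python
"""Bearer-token check of the kind an FxA authentication policy performs.

Added example, not kinto-fxa's own code. The verifier, the cache class and
the token/user values are constructed stand-ins.
"""
import hashlib
import re
import time

REQUIRED_SCOPE = {"kinto"}   # mirrors fxa-oauth.required_scope = kinto
CACHE_TTL_SECONDS = 300      # mirrors the commented-out cache_ttl_seconds default

_BEARER_RE = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)


def parse_bearer_token(authorization_header):
    """Return the token from ``Authorization: Bearer <token>``, or None.

    Uses explicit conditions rather than ``assert``: assert statements are
    stripped when Python runs with -O, which is the pitfall the 2.0.0
    changelog entry about header checking refers to.
    """
    if not authorization_header:
        return None
    match = _BEARER_RE.match(authorization_header.strip())
    return match.group(1) if match else None


class TokenCache:
    """Constructed TTL cache standing in for Kinto's cache backend.

    ``fail=True`` simulates an unreachable backend.
    """

    def __init__(self, ttl_seconds, fail=False):
        self.ttl = ttl_seconds
        self.fail = fail
        self._store = {}

    def get(self, key):
        if self.fail:
            raise RuntimeError("cache backend unavailable")
        entry = self._store.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if time.monotonic() >= expires_at:
            del self._store[key]
            return None
        return value

    def set(self, key, value):
        if self.fail:
            raise RuntimeError("cache backend unavailable")
        self._store[key] = (time.monotonic() + self.ttl, value)


# Constructed stand-in for the OAuth server's verification responses.
_KNOWN_TOKENS = {
    "tok-full": {"user": "uid-1", "scope": ["profile", "kinto"]},
    "tok-profile-only": {"user": "uid-2", "scope": ["profile"]},
}


def fake_verify(token):
    """Return the verification payload for a token, or None if it is invalid."""
    return _KNOWN_TOKENS.get(token)


def authenticate(authorization_header, verify, cache):
    """Return the user id for a valid, sufficiently scoped token, else None.

    A None result is what the policy turns into the 401 described above.
    """
    token = parse_bearer_token(authorization_header)
    if token is None:
        return None
    # Key the cache on a digest so the raw token never appears in cache keys.
    cache_key = "fxa:" + hashlib.sha256(token.encode()).hexdigest()
    try:
        info = cache.get(cache_key)
    except Exception:
        info = None  # a cache outage degrades to a verification call, never to a 401
    if info is None:
        info = verify(token)
        if info is None:
            return None  # invalid or expired token; negatives are not cached
        try:
            cache.set(cache_key, info)
        except Exception:
            pass  # failing to cache is not an authentication failure
    if not REQUIRED_SCOPE.issubset(info.get("scope", [])):
        return None  # valid token, but it lacks the required scope
    return info["user"]


if __name__ == "__main__":
    cache = TokenCache(CACHE_TTL_SECONDS)
    print(authenticate("Bearer tok-full", fake_verify, cache))          # uid-1
    print(authenticate("Bearer tok-profile-only", fake_verify, cache))  # None
    print(authenticate("Basic dXNlcjpwYXNz", fake_verify, cache))       # None
```

The scope check runs on every request, including cache hits, so a token whose scopes do not cover required_scope is refused even when its verification payload is cached; only the round trip to the OAuth server is saved.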

Obtain token using Web UI

  • Navigate the client to GET /fxa-oauth/login?redirect=http://app-endpoint/#. There, a session cookie will be set, and the client will be redirected to a login form on the FxA content server;

  • After submitting the credentials on the login page, the client will be redirected to http://app-endpoint/#{token} (the web-app).
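The relier side of that flow, as an added example that is not kinto-fxa's own code: the redirect target passed to /fxa-oauth/login is checked against fxa-oauth.webapp.authorized_domains before the browser is sent to the FxA authorization endpoint, and the requested scopes are joined with + in that URL (changelog 1.3.1). The settings parser, the /v1/authorization path on the oauth_uri and the state handling are assumptions of this example; the setting values are the ones from the Configuration section. Note that with the sample authorized_domains value *.firefox.com, the sample redirect http://app-endpoint/# from the step above would be refused, which is the point of the check.

```python
"""Redirect-target validation and login URL construction for the OAuth dance.

Added example, not kinto-fxa's own code. parse_settings, the
/v1/authorization path and new_state are assumptions of this example.
"""
import fnmatch
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed input: the settings shown in the Configuration section.
SETTINGS_INI = """
fxa-oauth.client_id = 89513028159972bc
fxa-oauth.oauth_uri = https://oauth-stable.dev.lcip.org
fxa-oauth.requested_scope = profile kinto
fxa-oauth.required_scope = kinto
fxa-oauth.webapp.authorized_domains = *.firefox.com
# fxa-oauth.state.ttl_seconds = 3600
"""


def parse_settings(ini_text):
    """Hypothetical helper: turn ``key = value`` lines into a dict,
    skipping blank and commented lines."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def redirect_is_authorized(redirect_url, authorized_domains):
    """True only for an absolute http(s) URL whose host matches one of the
    space-separated glob patterns in authorized_domains.

    fnmatch matches the whole host, so ``*.firefox.com`` accepts
    ``app.firefox.com`` but not ``app.firefox.com.example.net``.
    """
    parts = urlsplit(redirect_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(fnmatch.fnmatchcase(host, pattern.lower())
               for pattern in authorized_domains.split())


def new_state():
    """Unguessable state value; the relier keeps it server-side with the
    redirect target, bounded by the state.ttl_seconds setting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(settings, redirect_url, state):
    """Return the FxA authorization URL for an authorized redirect target,
    or raise ValueError so the login view can refuse the request."""
    allowed = settings["fxa-oauth.webapp.authorized_domains"]
    if not redirect_is_authorized(redirect_url, allowed):
        raise ValueError("redirect target is not in authorized_domains")
    scopes = settings["fxa-oauth.requested_scope"].split()
    params = {
        "client_id": settings["fxa-oauth.client_id"],
        "state": state,
        "scope": "+".join(scopes),  # "+" rather than a literal space, per 1.3.1
    }
    # safe="+" keeps the scope separator from being percent-encoded.
    query = urlencode(params, safe="+")
    return settings["fxa-oauth.oauth_uri"] + "/v1/authorization?" + query


if __name__ == "__main__":
    settings = parse_settings(SETTINGS_INI)
    print(build_authorization_url(settings, "https://app.firefox.com/#", new_state()))
    try:
        build_authorization_url(settings, "http://app-endpoint/#", new_state())
    except ValueError as exc:
        print("refused:", exc)
```

The host comparison is done on the parsed hostname only, so a path, query or fragment in the redirect cannot influence the decision, and scheme-relative values such as //app.firefox.com/ are refused because they carry no scheme.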

Obtain token using a custom flow

The GET /v1/fxa-oauth/params endpoint can be used to get the configuration needed to trade a Firefox Accounts BrowserID assertion for a Bearer Token. See the Firefox Accounts documentation about this behavior.

$ http GET http://localhost:8000/v0/fxa-oauth/params -v

GET /v0/fxa-oauth/params HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: localhost:8000
User-Agent: HTTPie/0.8.0


HTTP/1.1 200 OK
Content-Length: 103
Content-Type: application/json; charset=UTF-8
Date: Thu, 19 Feb 2015 09:28:37 GMT
Server: waitress

{
    "client_id": "89513028159972bc",
    "oauth_uri": "https://oauth-stable.dev.lcip.org",
    "scope": "profile"
}

Changelog

This document describes changes between each past release.

2.3.1 (2017-01-30)

Bug fixes

  • Make sure that caching of token verification never prevents requests from being authenticated (see Mozilla/PyFxA#48)

2.3.0 (2016-12-22)

Internal changes

  • Migrate schemas to Cornice 2 #38

2.2.0 (2016-10-27)

New features

  • Improve FxA error messages (fixes #1)

Bug fixes

  • Optimize authentication policy to avoid validating the token several times per request (fixes #33)

Internal changes

  • Use Service from kinto.core (fixes #28)

  • Make sure it does not catch Cornice 2 dependency (#36)

2.1.0 (2016-09-08)

  • Add the plugin version in the capability.

2.0.0 (2016-05-19)

Breaking changes

  • Project renamed to Kinto-fxa to match the rename of cliquet to kinto.core.

  • Update to kinto.core for compatibility with Kinto 3.0. This release is no longer compatible with Kinto < 3.0, please upgrade!

  • With Kinto > 2.12*, the setting multiauth.policy.fxa.use must now be explicitly set to kinto_fxa.authentication.FxAOAuthAuthenticationPolicy

Bug fixes

  • Fix checking of the Authorization header when Python is run with -O (ref mozilla-services/cliquet#592)

1.4.0 (2015-10-28)

  • Updated to Cliquet 2.9.0

Breaking changes

  • cliquet-fxa cannot be included using pyramid.includes setting. Use cliquet.includes instead.

1.3.2 (2015-10-22)

Bug fixes

  • In case the OAuth dance is interrupted, return a 408 Request Timeout error instead of the 401 Unauthenticated one. (#11)

  • Do not call cliquet.load_default_settings from cliquet-fxa (#12)

1.3.1 (2015-09-29)

  • Separate multiple scopes by a + in login URL.

1.3.0 (2015-09-29)

Bug fixes

  • Multiple scopes can be requested on the login flow.

  • Multiple scopes can be required for the app.

Configuration changes

  • fxa-oauth.scope is now deprecated. fxa-oauth.requested_scope and fxa-oauth.required_scope should be used instead.

1.2.0 (2015-06-24)

  • Add default settings to define a policy “fxa”. It is now possible to just include cliquet_fxa and add fxa to multiauth.policies setting list.

  • Do not check presence of cliquet cache in initialization phase.

  • Do not use Cliquet logger to prevent initialization errors.

1.1.0 (2015-06-18)

  • Do not prefix authenticated user with fxa_ anymore (#5)

1.0.0 (2015-06-09)

  • Imported code from Cliquet

Download files

Source Distribution

kinto-fxa-2.3.1.tar.gz (13.4 kB, Source; uploaded using Trusted Publishing: No)

Hashes for kinto-fxa-2.3.1.tar.gz

Algorithm    Hash digest
SHA256       5d23cc801fc35603802979692196bc8ccc701ced97c52cb364daf14d3dc292d4
MD5          8554016afd2b28a6ec17b4f200f42aa1
BLAKE2b-256  11a59446a8487b4b9ec59e6dba7ce5fab23f12e49e93193895df1c85b327f031

Built Distribution

kinto_fxa-2.3.1-py2.py3-none-any.whl (18.9 kB, Python 2 and Python 3)

Hashes for kinto_fxa-2.3.1-py2.py3-none-any.whl

Algorithm    Hash digest
SHA256       0f8c9bbdbfbda5b8a6b4b1d0ea3957f54fe231cf085f12b43a9326ccde33beec
MD5          50dc98a0631309cbeb925cd2b401cbbd
BLAKE2b-256  6dfccd72589cf69bcecfada47c7848f93a8e66b637c1cf423944b19c0e4c1d02
