Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Add oauth_webchannel_v1 for Fenix and GeckoView apps #2043

Closed
wants to merge 8 commits into from
Closed

[WIP] Add oauth_webchannel_v1 for Fenix and GeckoView apps #2043

wants to merge 8 commits into from

Conversation

vladikoff
Copy link
Contributor

@vladikoff vladikoff changed the title Add oauth_webchannel_v1 for Fenix and GeckoView apps [WIP] Add oauth_webchannel_v1 for Fenix and GeckoView apps Aug 1, 2019
@vladikoff vladikoff mentioned this pull request Aug 1, 2019
Closed
5 tasks
rfk
rfk reviewed Aug 5, 2019
View reviewed changes
packages/fxa-content-server/app/scripts/lib/app-start.js Show resolved Hide resolved
packages/fxa-content-server/app/scripts/lib/channels/receivers/web-channel.js
detail = JSON.parse(event.detail);
} catch (e) {
detail = event.detail;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm curious why this change was necessary, is it a limitation of the webextension webchannel receiver?

I'd also be tempted to do a typeof event.details here to ensure you don't try to JSON.parse something that's not a string.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did the API of the WebChannel message change with Fenix/GeckoView?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WebExtensions in Geckoview/ Fenix cannot pass js objects, only strings. Otherwise it displays [protected], [inaccessible] or something

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hrm, I also recall an ancient bug about sending only strings on Desktop as well, which has had to get added to a special allowlist in order to bypass.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's when sending an event to the browser that detail has to be stringified:

@vbudhram
Copy link
Contributor

vbudhram commented Aug 5, 2019

@vladikoff is there a train you want to land this in and estimate of work?

@cse-test-sync cse-test-sync mentioned this pull request Aug 13, 2019
Closed
@vladikoff vladikoff mentioned this pull request Aug 14, 2019
Merged
1 task
shane-tomlinson
shane-tomlinson reviewed Aug 15, 2019
View reviewed changes
Copy link
Contributor

@shane-tomlinson shane-tomlinson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The approach seems reasonable, the amount of duplicate code in oauth-webchannel-v1 is pretty hefty. Could the OAuthWebChannelBroker's prototype be extended with the duplicate methods from the OAuth broker, or maybe a Cocktail mixin to share between the two?

What would be very useful is a short doc how the protocol works from an integration P.O.V., e.g., how to open FxA, what messages to listen for, and what should happen when those messages come in. Having that recorded will be useful to point people at (ourselves included) as an explanation for how it all works.

packages/fxa-content-server/app/scripts/lib/channels/receivers/web-channel.js
detail = JSON.parse(event.detail);
} catch (e) {
detail = event.detail;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did the API of the WebChannel message change with Fenix/GeckoView?

packages/fxa-content-server/app/scripts/models/auth_brokers/oauth-webchannel-v1.js
* @returns {Promise} Returns a promise that resolves into an encrypted bundle
* @private
*/
_provisionScopedKeys(account) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a ton of code duplicated between here an the oauth-redirect broker, can this be shared somehow?

shane-tomlinson
shane-tomlinson reviewed Aug 15, 2019
View reviewed changes
packages/fxa-content-server/docs/relier-communication-protocols/fx-webchannel.md
{
"code": "02f3cfea84ac4c143662b38d6c7f0c82c6f91eb041befc7cecda446b1b4887c1",
"state": "vHao1p6OizzwReCkQMSpZA",
"redirect": "http://127.0.0.1:3030/oauth/success/a2270f727f45f648?code=02f3cfea84ac4c143662b38d6c7f0c82c6f91eb041befc7cecda446b1b4887c1&state=vHao1p6OizzwReCkQMSpZA",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this right, or would it be an urn like urn:ietf:wg:oauth:2.0:oob:oauth-redirect-webchannel?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yes, we can do that!

@vladikoff
Copy link
Contributor Author

Continued in #2320

@vladikoff vladikoff closed this Aug 26, 2019
@shane-tomlinson shane-tomlinson deleted the feature.fenix-channel branch October 14, 2019 11:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shane-tomlinson shane-tomlinson shane-tomlinson left review comments

@rfk rfk rfk left review comments

Assignees

@vladikoff vladikoff

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[fxa-content-server] Support OAuth WebChannels for Fenix
4 participants
@vladikoff @vbudhram @rfk @shane-tomlinson