OAuth 2.0 / Keycloak support #1381
Send uses a fairly unique feature of FxA whereby the signin flow generates client-side encryption keys that the application can use to protect data stored on the server. Any replacement auth system would need to provide similar functionality.
Sorry, we do not yet allow third-party services to use FxA as an OAuth provider. I'd like to see us allow it one day, but it's not on the short-term roadmap.
Hmm, wait, what? The FxA server generates the client-side encryption keys? As FxA is used for e.g. Firefox Sync, this effectively means the server knows how to decrypt the data stored in a self-hosted sync server?
There is an open issue on how to self-host the FxA server; you can follow it here: mozilla/fxa#3652 One day you might be able to host your own instance, so you'll be able to obtain yourself a client ID.
Not quite; the FxA login protocol is designed to generate a client-side encryption key without revealing it to the server. You can read a bit about it in this blog post.
Oh, I see the separation now, thanks for the link. Now I get why a simple OAuth provider can't replace the FxA server easily.
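The separation described in the two comments above (the client stretches the password once and derives two independent keys, sending only the authentication half to the server), as an added illustration that is not code from this issue, from Send or from FxA; the salt and info strings, the 1000-iteration stretch and the server-chosen random wrapKb are assumptions modelled on the public description of FxA's onepw scheme:

```python
import hashlib
import hmac
import os

# Constructed illustration of "onepw"-style key separation: one password
# stretch, then two unrelated HKDF outputs. The salt/info strings and the
# iteration count follow FxA's public protocol description as recalled here;
# treat them as assumptions, not as a specification.
PBKDF2_ITERS = 1000
STRETCH_SALT = "identity.mozilla.com/picl/v1/quickStretch:"
AUTH_INFO = b"identity.mozilla.com/picl/v1/authPW"
UNWRAP_INFO = b"identity.mozilla.com/picl/v1/unwrapBkey"

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract with empty salt, then expand) using HMAC-SHA256."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def client_derive(email: str, password: str) -> "tuple[bytes, bytes]":
    """Return (authPW, unwrapBKey); only authPW ever leaves the client."""
    salt = (STRETCH_SALT + email).encode()
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, 32)
    return hkdf_sha256(stretched, AUTH_INFO), hkdf_sha256(stretched, UNWRAP_INFO)

def xor32(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class AuthServer:
    """Stores a verifier of authPW plus a random wrapKb; it never learns kB."""
    def __init__(self):
        self.accounts = {}
    def signup(self, email: str, auth_pw: bytes) -> None:
        self.accounts[email] = {"verifier": hashlib.sha256(auth_pw).digest(),
                                "wrapKb": os.urandom(32)}
    def login(self, email: str, auth_pw: bytes) -> bytes:
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["verifier"], hashlib.sha256(auth_pw).digest()):
            raise PermissionError("bad credentials")
        return acct["wrapKb"]

def derive_kb(server: AuthServer, email: str, password: str) -> bytes:
    """Client-side login: fetch wrapKb and unwrap it into the data key kB."""
    auth_pw, unwrap_bkey = client_derive(email, password)
    return xor32(unwrap_bkey, server.login(email, auth_pw))
```

Because wrapKb is XORed with unwrapBKey, which is derived from the password and never transmitted, the server's stored data is not enough to recover kB; this is the property a plain OAuth provider does not give an application.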
For information, I use mod_auth_openidc with Apache in front as a reverse proxy to protect the server behind Apache2 with OpenID.

Doc: https://github.com/zmartzone/mod_auth_openidc

Install:
apt-get install apache2

Configure Apache:
a2enmod headers rewrite proxy_wstunnel proxy_http proxy auth_openidc

Configure Keycloak: https://github.com/zmartzone/mod_auth_openidc/wiki/Keycloak

I just changed the Apache regexp to allow download but not upload; the regexp is not perfect:

```apache
# Require an OpenID Connect login for every path that does NOT contain
# /download, /api or a static asset extension (negative lookahead, applied
# at every position in the request path).
<Location ~ "^((?!/download|/api|\.css|\.js|\.svg|\.woff2|\.png).)*$">
    # desired configurations
    AuthType openid-connect
    Require valid-user
</Location>
```
We are using Keycloak as an open source Identity and Access Management system.
Is it possible to use something like Keycloak (via OAuth 2.0?) instead of an FXA server for user logins of Mozilla Send? As far as I can see in the config file, we can only specify a link to an FXA server together with a client ID.
If an FXA server is required: can we use the one from Mozilla and, if yes, how can we obtain a client ID?