Comments (9)
Are we doing it now?
We are not. There's a config setting to do it but it's not set to anything in our deployments. I'd like to see the following rules:
- for production:
  - trusted_issuers = api.accounts.firefox.com
  - allowed_issuers = api.accounts.firefox.com
- for stage/dev/etc:
  - trusted_issuers = api.accounts.firefox.com api-accounts.$ENV.mozaws.net
  - allowed_issuers = api.accounts.firefox.com api-accounts.$ENV.mozaws.net mockmyid.com
(Note two different settings here: "trusted issuers" are the ones that are allowed to assert for arbitrary identities; "allowed issuers" is a whitelist of issuers we accept from, even if it's a primary-backed assertion)
Allowing mockmyid for non-prod environments makes testing easier because we don't have to interact with the upstream FxA server at all. Allowing dev fxa servers with dev tokenserver seems useful for full-stack testing.
@ckarlof thoughts? I'll attempt a puppet-config PR with the necessary changes.
from tokenserver.
The necessary changes have been made in puppet config and will go out with the next deployment; @jbonacci to work with me to verify that untrusted issuers are not accepted once it rolls out to stage.
Which deployment will work with our dev prod-clone? i.e.: https://api-accounts-dev.stage.mozaws.net
A currently-non-existent "dev" deployment of TS+sync would do so. Should we authorize this issuer for the TS stage environment as well?
Should we authorize this issuer for the TS stage environment as well?
Sounds good. We use that dev environment to test FxA Sync against candidate releases from time to time, so it would be nice if that didn't break.
Is allowed_issuers exercised in a test anywhere? I couldn't find one. Let us please avoid a goto fail.
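The following is an added example, not tokenserver's own code, that models the trusted_issuers / allowed_issuers distinction described earlier in the thread and gives it the kind of test the previous comment asks for. The function names (`parse_issuer_list`, `policy_from_settings`, `check_issuer`) are hypothetical, as is the assumption that an unset allowed_issuers means no whitelist is enforced and that `$ENV` in a setting is substituted with the deployment name.

```python
"""Issuer policy check modelled on the trusted_issuers / allowed_issuers
distinction from the thread.  Added example; not tokenserver's code."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class IssuerPolicy:
    # Issuers allowed to assert for *arbitrary* identities (fallback IdPs).
    trusted_issuers: Set[str] = field(default_factory=set)
    # Whitelist of issuers accepted at all, even for primary-backed assertions.
    # None models the "not set to anything" state: no whitelist is enforced
    # (assumption about the unset default, not taken from the page).
    allowed_issuers: Optional[Set[str]] = None


def parse_issuer_list(setting: Optional[str], env: str = "stage") -> Optional[Set[str]]:
    """Parse a whitespace-separated issuer setting such as
    'api.accounts.firefox.com api-accounts.$ENV.mozaws.net'.
    Assumption: '$ENV' is replaced with the deployment name."""
    if setting is None or not setting.strip():
        return None
    expanded = setting.replace("$ENV", env)
    return {host.strip().lower() for host in expanded.split()}


def policy_from_settings(trusted: Optional[str], allowed: Optional[str],
                         env: str = "stage") -> IssuerPolicy:
    """Build a policy from the two raw config strings."""
    return IssuerPolicy(
        trusted_issuers=parse_issuer_list(trusted, env) or set(),
        allowed_issuers=parse_issuer_list(allowed, env),
    )


def check_issuer(policy: IssuerPolicy, email: str, issuer: str) -> Tuple[bool, str]:
    """Decide whether an assertion for `email`, whose certificate was signed
    by `issuer`, is acceptable under `policy`.  Returns (accepted, reason)."""
    if "@" not in email:
        return False, "malformed email"
    issuer = issuer.lower()
    domain = email.rpartition("@")[2].lower()

    # 1. The whitelist applies to every assertion, primary-backed or not.
    if policy.allowed_issuers is not None and issuer not in policy.allowed_issuers:
        return False, f"issuer {issuer!r} not in allowed_issuers"

    # 2. Primary-backed: the email's own domain signed the certificate.
    if issuer == domain:
        return True, "primary-backed assertion"

    # 3. Only a trusted (fallback) issuer may vouch for a foreign domain.
    if issuer in policy.trusted_issuers:
        return True, "trusted fallback issuer"
    return False, f"issuer {issuer!r} may not assert for {domain!r}"


if __name__ == "__main__":
    # Constructed sample settings mirroring the production / stage proposals.
    prod = policy_from_settings("api.accounts.firefox.com", "api.accounts.firefox.com")
    stage = policy_from_settings(
        "api.accounts.firefox.com api-accounts.$ENV.mozaws.net",
        "api.accounts.firefox.com api-accounts.$ENV.mozaws.net mockmyid.com",
        env="stage",
    )
    for label, pol in (("prod", prod), ("stage", stage)):
        print(label, check_issuer(pol, "user@mockmyid.com", "mockmyid.com"))
        print(label, check_issuer(pol, "uid@api.accounts.firefox.com", "mockmyid.com"))
```

The two stage cases illustrate the distinction: mockmyid.com is allowed, so a primary-backed assertion for a mockmyid.com address passes, but because it is not trusted it cannot vouch for an api.accounts.firefox.com identity. With both settings unset, any issuer that is primary for its own domain is accepted, which is the state the whitelist is meant to close.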
Title change: "Restrict trustedIssuers when verifying assertion" > "Restrict allowedIssuers when verifying assertion"
Tests in https://bugzilla.mozilla.org/show_bug.cgi?id=981985
A currently-non-existent "dev" deployment of TS+sync would do so. Should we authorize this issuer for the TS stage environment as well?
The time may have come: mozilla/fxa-content-server#1499
We're spinning up fxa-dev instances (running under *.dev.lcip.org) to test with Sync. What's the appropriate token server/sync back end to integrate with?