Are we doing it now? If so what is it restricted to?

Which deployment will work with our dev prod-clone? i.e.: <a href="https://api-account

Restrict allowedIssuers when verifying assertion about tokenserver HOT 9 CLOSED

mozilla-services commented on May 28, 2024

Restrict allowedIssuers when verifying assertion

from tokenserver.

Comments (9)

rfk commented on May 28, 2024

Are we doing it now?

We are not. There's a config setting to do it but it's not set to anything in our deployments. I'd like to see the following rules:

for production:
- trusted_issuers = api.accounts.firefox.com
- allowed_issuers = api.accounts.firefox.com
for stage/dev/etc:
- trusted_issuers = api.accounts.firefox.com api-accounts.$ENV.mozaws.net
- allowed_issuers = api.accounts.firefox.com api-accounts.$ENV.mozaws.net mockmyid.com

(Note two different settings here: "trusted issuers" are the ones that are allowed to assert for arbitrary identities; "allowed issuers" is a whitelist of issuers we accept from, even if it's a primary-backed assertion)

Allowing mockmyid for non-prod environments makes testing easier because we don't have to interact with the upstream FxA server at all. Allowing dev fxa servers with dev tokenserver seems useful for full-stack testing.

@ckarlof thoughts? I'll attempt a puppet-config PR with the necessary changes.

from tokenserver.

rfk commented on May 28, 2024

The necessary changes have been made in puppet config and will go out with the next deployment; @jbonacci to work with me to verify that untrusted issuers are not accepted once it rolls out to stage.

from tokenserver.