
cross-domain SSO w/ Persona


Luke Crouch

Aug 23, 2013, 1:34:48 PM
to dev-id...@lists.mozilla.org
MDN would like to explore SSO between marketplace.firefox.com and
developer.mozilla.org. Both sites use Persona.

Lloyd pointed me at
https://groups.google.com/d/msg/mozilla.dev.identity/oMuTGsxLKQk/YSgw55zJQTgJ

I personally would like to use navigator.id.watch({..., realm:
'mozilla.org', ...}) and to host a realm file at the domain with a list
of domains participating in the SSO realm. [1]

What other Mozilla Persona-powered sites are looking for SSO?

Thanks,
-L

[1]
https://groups.google.com/d/msg/mozilla.dev.identity/oMuTGsxLKQk/adi7JqYF1-IJ

David Ascher

Aug 23, 2013, 2:03:52 PM
to Luke Crouch, jb...@mozillafoundation.org, dev-id...@lists.mozilla.org
Webmaker has it across webmaker.org, thimble.webmaker.org, popcorn.webmaker.org (and soon others).

I'd talk to jbuck, cc'ed.

--da

Sean McArthur

Aug 23, 2013, 2:25:15 PM
to David Ascher, jb...@mozillafoundation.org, Luke Crouch, dev-id...@lists.mozilla.org
Good news, I've been working on this all week. I have it mostly working,
trying to write tests for all possible situations. It will work exactly as
was decided in that thread:

On sites that should be part of a realm, they should use:
navigator.id.watch({ realm: 'foo.com' });

A file should exist at foo.com/.well-known/browserid-realm, served as
application/json, with the contents: { "realm": ["foo.com", "bar.com", "bazz.foo.com"] }

Would you guys be interested in testing this with me on your dev
platforms? Until it's merged into dev, I can host it on a separate domain.
If you guys wanted to test it, you'd change the origin of your include.js
from login.persona.org to something like realms.personatest.org (it's not
up yet).

Luke Crouch

Aug 23, 2013, 2:32:58 PM
to Sean McArthur, jb...@mozillafoundation.org, Les Orchard, David Ascher, dev-id...@lists.mozilla.org
cc'ing Les.

Yes! This sounds cool. Not sure how best to test it though - Les?

-L


Les Orchard

Aug 23, 2013, 6:46:45 PM
to Luke Crouch, dev-id...@lists.mozilla.org, jb...@mozillafoundation.org, David Ascher, Sean McArthur

It does indeed sound cool, better than I was hoping for.

Something we could try:

* Implement the SSO calls on MDN, behind a feature flag that we only enable on -dev or -stage

* Beg to have developer-dev.allizom.org or developer.allizom.org temporarily added to the Webmaker SSO realm (or another realm that's easily poked at)

* Try it out and then declare MFBT

--
Les Orchard <lorc...@mozilla.com>
{web,mad,computer} scientist

Sean McArthur

Aug 23, 2013, 6:51:17 PM
to Les Orchard, dev-id...@lists.mozilla.org, jb...@mozillafoundation.org, Luke Crouch, David Ascher, Sean McArthur
So, part of my testing revealed the need to include the scheme in the
realm. We correctly don't assume that http://foo.com is the same site as
https://foo.com, and so the realms will need to differentiate also. Both in
watch, and in the browserid-realm well-known.


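Taking Sean's two messages above together (a site declares its realm in navigator.id.watch, the realm's /.well-known/browserid-realm file lists the members, and origins carry their scheme), here is an added example, not Persona's own code, of how a verifier could decide whether a site belongs to a declared realm. REALM_FILES, fetchRealmFile, parseOrigin and originInRealm are constructed names; the file contents are constructed samples.

```javascript
// Added example (not Persona's own code) of the verifier-side membership
// check implied by the thread: a site calling
// navigator.id.watch({ realm: 'https://foo.com' }) belongs to that realm
// only if https://foo.com/.well-known/browserid-realm lists the site's
// full origin. Origins carry their scheme, so http://foo.com and
// https://foo.com are distinct members. fetchRealmFile is a constructed
// stand-in for fetching the well-known file from the realm's origin.

// Constructed sample well-known files, keyed by realm origin.
const REALM_FILES = {
  'https://foo.com': JSON.stringify({
    realm: ['https://foo.com', 'https://bar.com', 'https://bazz.foo.com'],
  }),
  'https://mozilla.org': JSON.stringify({
    realm: ['https://developer.mozilla.org', 'https://marketplace.firefox.com'],
  }),
  // A realm may list any origin it likes; being listed alone grants nothing,
  // because the listed site must also declare this realm in watch().
  'https://evil.example': JSON.stringify({
    realm: ['https://evil.example', 'https://developer.mozilla.org'],
  }),
};

function fetchRealmFile(realmOrigin) {
  return REALM_FILES[realmOrigin]; // undefined when no such file is served
}

// Canonical origin (scheme://host[:port]), or null when there is no
// http(s) scheme: a bare 'foo.com' is rejected rather than guessed at.
function parseOrigin(s) {
  let u;
  try { u = new URL(String(s)); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

// True only when both sides agree: the site declares the realm in watch()
// and the realm's own well-known file lists the site's exact origin.
function originInRealm(siteOrigin, declaredRealm, fetchFile) {
  const site = parseOrigin(siteOrigin);
  const realm = parseOrigin(declaredRealm);
  if (!site || !realm) return false; // scheme-less values are rejected
  const body = fetchFile(realm);
  if (typeof body !== 'string') return false; // no file: not a realm
  let doc;
  try { doc = JSON.parse(body); } catch (e) { return false; }
  if (!doc || !Array.isArray(doc.realm)) return false;
  return doc.realm.some((m) => parseOrigin(m) === site);
}
```

Because the file is read from the realm's own origin, only the realm owner can admit a member, and a site only joins a realm it explicitly names in watch(); neither party can enrol the other unilaterally.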

Shane Tomlinson

Aug 24, 2013, 2:45:43 AM
to dev-id...@lists.mozilla.org

Sean, have you given thought to supplying common TOS/PP and siteName via
the request variables?

This is fantastic stuff!

Shane

Sean McArthur

Aug 24, 2013, 12:14:47 PM
to Shane Tomlinson, dev-id...@lists.mozilla.org
Shane, I don't follow. What do you mean?

Shane Tomlinson

Aug 27, 2013, 10:43:40 AM
to Sean McArthur, dev-id...@lists.mozilla.org


Last year when we discussed using realms, somebody mentioned that it may
be a legal requirement that two sites in the same realm share TOS/PP
agreements. Each site could declare a link to the same TOS/PP agreement
in their call to .request, or, the link could be declared in the realm's
.json file instead.

Shane

Crystal Beasley

Aug 27, 2013, 6:19:12 PM
to Shane Tomlinson, dev-id...@lists.mozilla.org
Has anyone opened a bug with legal to review this question?



--

Crystal Beasley
Product Designer for Identity
Mozilla Corporation
503/360-5448

Sean McArthur

Aug 27, 2013, 7:37:35 PM
to Crystal Beasley, Shane Tomlinson, dev-id...@lists.mozilla.org
Awesome Shane, I hadn't thought of that at all.

I just opened a bug with Legal asking about this.