
Encryption key for FxA relier client


Fernando Jiménez Moreno

Sep 13, 2016, 1:56:14 PM
to Ryan Kelly, SensorWeb, mozilla-de...@lists.mozilla.org
Hello Ryan,

I hope everything is going well.

I am currently working on this project for the Connected Devices team (CC'ing its mailing lists), where we need to store some sensitive user information (user location so far) and I am trying to figure out how to do it in the most private way.

We would like to use FxA to authenticate users. But I don't feel comfortable with the idea of storing a match between FxA user email and user location on our server. So I was wondering if there is any way to use the FxA associated encryption key (the one we use for Sync) to encrypt this information on the client side before sending it to our server. We want the clients to know this info, but I'd rather not store it in plain on our side.

I've seen that it is possible to obtain the encryption key [1] through the OAuth flow, but it is currently only possible for in-browser reliers [2]. In this case, our current setup involves a web client. So my question is: are there any plans to allow web clients to obtain the encryption key?

Thanks!

/ Fernando

Ryan Kelly

Sep 14, 2016, 12:37:29 AM
to Fernando Jiménez Moreno, SensorWeb, mozilla-de...@lists.mozilla.org
On 14/09/2016 03:55, Fernando Jiménez Moreno wrote:
> I am currently working on this project for the Connected Devices team
> (CC'ing its mailing lists), where we need to store some sensitive user
> information (user location so far) and I am trying to figure out how to
> do it in the most private way.
>
> We would like to use FxA to authenticate users. But I don't feel
> comfortable with the idea of storing a match between FxA user email and
> user location on our server. So I was wondering if there is any way to
> use the FxA associated encryption key (the one we use for Sync) to
> encrypt this information on the client side before sending it to our
> server. We want the clients to know this info, but I'd rather not store
> it in plain on our side.
>
> I've seen that it is possible to obtain the encryption key [1] through
> the OAuth flow, but it is currently only possible for in-browser reliers
> [2].

To be honest, the one existing consumer of that flow (Hello) is being
decommissioned, and we were looking at deprecating that functionality in
order to reduce complexity.

> In this case, our current setup involves a web client. So my
> question is: are there any plans to allow web clients to obtain the
> encryption key?

I'm personally very interested in the possibilities there, I think
providing encryption facilities is really on-mission and a strong
differentiator for FxA versus other login solutions.

Unfortunately it's hard to make it a priority because:

* It's not in service of any of our core goals for FxA right now, which
mostly focus on the existing sync integration.

* It's challenging to get right from a security perspective; if a bug
were to accidentally leak the sync encryption keys to other websites
it would be an absolute disaster.

So we've no short-term plans to pursue this functionality on the FxA team.

However, if it's important enough to your project that you'd be willing
to take on some of the engineering work (e.g. if it were a choice
between having it in FxA or implementing it yourself in your own
product) then I'd be happy to try to figure out a way to enable that.
(But of course I realize that's unlikely to be an attractive option!).


Cheers,

Ryan

Fernando Jiménez Moreno

Sep 14, 2016, 4:52:53 AM
to Ryan Kelly, SensorWeb, mozilla-de...@lists.mozilla.org
Thanks for your prompt response, Ryan!

[ferjm] This would indeed be a wonderful differentiator.

> Unfortunately it's hard to make it a priority because:
>
> * It's not in service of any of our core goals for FxA right now, which
>   mostly focus on the existing sync integration.
>
> * It's challenging to get right from a security perspective; if a bug
>   were to accidentally leak the sync encryption keys to other websites
>   it would be an absolute disaster.
>
> So we've no short-term plans to pursue this functionality on the FxA team.
>
> However, if it's important enough to your project that you'd be willing
> to take on some of the engineering work (e.g. if it were a choice
> between having it in FxA or implementing it yourself in your own
> product) then I'd be happy to try to figure out a way to enable that.
> (But of course I realize that's unlikely to be an attractive option!).

[ferjm] We are still in the planning phase and trying to decide how important it is to have user accounts for this project. So it's good to know the alternatives that we have. I'll let you know if we finally want to go with this path. Thanks so much for your help!

Cheers,

/ Fernando
