Update the PyFxA verify_token() method to perform local verification of JWT access tokens using a third-party JWT library #79
To do this, I will be porting the JavaScript implementation to the existing Python implementation (which will then get ported to Rust later. lol.) https://github.com/mozilla/fxa/blob/master/packages/fxa-auth-server/lib/oauth/token.js
I think the more interesting piece from your perspective will be https://github.com/mozilla/fxa/blob/493c1cc96cd23e9b4c5e9355db40c32b6fe9785b/packages/fxa-auth-server/lib/oauth/jwt_access_token.js#L104 (Which actually isn't very interesting apart from checking the You will also need to discover the FxA server's public key, by loading it from
@rfk Great, thanks for the details.
From Slack conversation, I filed an issue to make sure we're all on the same page about caching behavior when fetching the keys: mozilla/fxa#5411

I also figured I'd drop a link to the FxA doc on how to verify the JWTs, for completeness: https://github.com/mozilla/fxa/blob/master/packages/fxa-auth-server/docs/oauth/jwt-access-tokens.md#local-verification-of-a-jwt-access-token
See also mozilla/fxa#5412 for a suggestion to make discovery of the keys slightly easier given the current shape of the PyFxA codebase.
To support the larger efforts to get the FxA Rust Component into Desktop, we first need to get Sync completely migrated away from BrowserID over to OAuth.