The ecosystem_anon_id_keys has two layers of nesting, seems like it should only need one

[rfk]

If I fetch the client config doc from https://accounts.stage.mozaws.net/.well-known/fxa-client-configuration it tells me:

{
  "auth_server_base_url": "https://api-accounts.stage.mozaws.net",
  "oauth_server_base_url": "https://oauth.stage.mozaws.net",
  "pairing_server_base_uri": "wss://channelserver.services.mozilla.com",
  "profile_server_base_url": "https://profile.stage.mozaws.net",
  "sync_tokenserver_base_url": "https://token.stage.mozaws.net",
  "ecosystem_anon_id_keys": [
    {
      "LlU4keOmhTuq9fCNnpIldYGT9vT9dIDwnu_SBtTgeEQ": {
        "crv": "P-256",
        "kid": "LlU4keOmhTuq9fCNnpIldYGT9vT9dIDwnu_SBtTgeEQ",
        "kty": "EC",
        "x": "i3FM3OFSCZEoqu-jtelXwKt6AL4ODQ75NUdHbcLWQSo",
        "y": "nW-S3QiHDo-9hwfBhKnGKarkt_PVqVyIPUytjutTunY"
      }
    }
  ]
}

The ecosystem_anon_id_keys field here looks like an array, whose items are objects mapping key ids to key data. If we some day come to advertise a second key here, would it end up as a new array member like this:

  "ecosystem_anon_id_keys": [
    {
      "LlU4keOmhTuq9fCNnpIldYGT9vT9dIDwnu_SBtTgeEQ": {
        "crv": "P-256",
        "kid": "LlU4keOmhTuq9fCNnpIldYGT9vT9dIDwnu_SBtTgeEQ",
        "kty": "EC",
        "x": "i3FM3OFSCZEoqu-jtelXwKt6AL4ODQ75NUdHbcLWQSo",
        "y": "nW-S3QiHDo-9hwfBhKnGKarkt_PVqVyIPUytjutTunY"
      }
    },
    {
      "new-key-id": {
        "crv": "P-256",
        "kid": "new-key-id",
        "kty": "EC",
        "x": "xxx",
        "y": "y"
      }
    }
  ]

Or would it appear as another member of the map with the existing key, like this:

  "ecosystem_anon_id_keys": [
    {
      "LlU4keOmhTuq9fCNnpIldYGT9vT9dIDwnu_SBtTgeEQ": {
        "crv": "P-256",
        "kid": "LlU4keOmhTuq9fCNnpIldYGT9vT9dIDwnu_SBtTgeEQ",
        "kty": "EC",
        "x": "i3FM3OFSCZEoqu-jtelXwKt6AL4ODQ75NUdHbcLWQSo",
        "y": "nW-S3QiHDo-9hwfBhKnGKarkt_PVqVyIPUytjutTunY"
      },
      "new-key-id": {
        "crv": "P-256",
        "kid": "new-key-id",
        "kty": "EC",
        "x": "xxx",
        "y": "y"
      }
    }
  ]

I feel like one of the layers of nesting here is not necessary, but I don't have strong opinions about which one.

As a point of comparison, the oauth JWKs endpoint returns a list of keys without indirecting through a map of key ids.

┆Issue is synchronized with this Jira Task
┆Issue Number: FXA-2312

[eoger]

How important are the key ids in practice? If they are not, I'd vote for the simple array representation (same as the JWKs endpoint).

[whd]

The existing representation likely stems from being the format I provided in https://bugzilla.mozilla.org/show_bug.cgi?id=1636102. That representation comes from an implementation detail of how these keys are stored and the mechanism I used to print them, but I would recommend the array representation for actual use in applications.

In the future I'll provide these keys without the extra level of indirection.

[rfk]

Thanks folks, sounds like broad agreement for the array representation from consumers. @6a68 could you please take a look at prioritizing this fix so we can build against it in client work?

[LZoog]

Thanks for filing @rfk, this was my misunderstanding but should be a quick fix. I'll ping @jrgm.

[data-sync-user]

➤ Lauren Zugai commented:

Assigning to jrgm. The fix will land in train 181.

[data-sync-user]

➤ Wil Clouser commented:

Thanks.  Closing this in the 181 train

[jrgm]

This is in stage now:

$ curl -s 'https://accounts.stage.mozaws.net/.well-known/fxa-client-configuration' | python -mjson.tool
{
    "auth_server_base_url": "https://api-accounts.stage.mozaws.net",
    "ecosystem_anon_id_keys": [
        {
            "crv": "P-256",
            "kid": "LlU4keOmhTuq9fCNnpIldYGT9vT9dIDwnu_SBtTgeEQ",
            "kty": "EC",
            "x": "i3FM3OFSCZEoqu-jtelXwKt6AL4ODQ75NUdHbcLWQSo",
            "y": "nW-S3QiHDo-9hwfBhKnGKarkt_PVqVyIPUytjutTunY"
        }
    ],
    "oauth_server_base_url": "https://oauth.stage.mozaws.net",
    "pairing_server_base_uri": "wss://channelserver.services.mozilla.com",
    "profile_server_base_url": "https://profile.stage.mozaws.net",
    "sync_tokenserver_base_url": "https://token.stage.mozaws.net"
}

[jaredhirsch]

Looks great, @jrgm! Thanks 🍻