Saturday, March 07, 2015

x-auto-login at Mozilla Services?

As I described here, Google is using a proprietary HTTP header named x-auto-login to log you into Google services like Gmail using your local Android account.
This is cool.

Browse to a Google website and be logged in without the need to remember the super secure password. Sadly, this is a closed system, as we learned when implementing this for Firefox for Android (Fennec).

Yes, Fennec can talk to the Authenticator and ask for a "weblogin:" token for "", but the Authenticator answers differently depending on who asks. If Chrome is asking, then the returned token redirects you to and immediately logs you in, but when you're Fennec then you are just redirected to and have to enter username and password. Bummer.

Anyway: how about using this scheme for Mozilla services, with a Mozilla account on the device or local to the browser (Firefox Sync) if available?

  1. browse to e.g. (obviously a Mozilla service) and press the login button
  2. get redirected to &ss=1&scc=1&ltmpl=bugzilla&emr=1
  3. the response includes an x-auto-login HTTP header
  4. Firefox sees the x-auto-login header and
    - on desktop, looks for a Firefox Sync account and uses it to obtain a token from a token endpoint hosted at
    - on Android, asks the AccountManager for a weblogin token for "org.mozilla".
  5. redirect to the token (the token is a URL). In this case e.g.
  6. validates the token and redirects back to

I think this is doable and would benefit the users of Mozilla services.
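
An added sketch of steps 4 and 5 from the browser's side, not code from Firefox or from this post: it parses the header and follows the token URL only if it is an https URL on a host registered for the realm. The header layout (`realm=...&args=...`), the host `login.example.org`, and the `getToken` callback standing in for the AccountManager or the Sync token endpoint are assumptions.

```javascript
// Added example. Assumed, not from the post: the header layout
// "realm=<account type>&args=<encoded query>", the placeholder host
// login.example.org, and the getToken callback.
const REALM_HOSTS = new Map([
  ["org.mozilla", new Set(["login.example.org"])], // hosts a token may target
]);

// Split the header into the realm and the decoded login arguments.
function parseAutoLogin(value) {
  const p = new URLSearchParams(value);
  const realm = p.get("realm");
  if (!realm) return null;
  return { realm, args: new URLSearchParams(p.get("args") || "") };
}

// A token is a URL the browser will navigate to, so pin scheme and host.
function isSafeTokenUrl(realm, token) {
  let u;
  try { u = new URL(token); } catch { return false; }
  const hosts = REALM_HOSTS.get(realm);
  return Boolean(hosts) && u.protocol === "https:" &&
    u.username === "" && u.password === "" && hosts.has(u.hostname);
}

// Steps 4 and 5: react to the header, fetch a token, decide on navigation.
function handleAutoLogin(responseUrl, headerValue, getToken) {
  if (new URL(responseUrl).protocol !== "https:")
    return { action: "ignore", reason: "header not received over https" };
  const parsed = parseAutoLogin(headerValue);
  if (!parsed) return { action: "ignore", reason: "malformed header" };
  if (!REALM_HOSTS.has(parsed.realm))
    return { action: "ignore", reason: "unknown realm" };
  const token = getToken(parsed.realm, parsed.args); // null: no local account
  if (token === null)
    return { action: "ignore", reason: "no local account" };
  if (!isSafeTokenUrl(parsed.realm, token))
    return { action: "ignore", reason: "token URL outside realm" };
  return { action: "navigate", url: token };
}

// Constructed sample header; the args are the query fragment from step 2.
const SAMPLE_HEADER = "realm=org.mozilla&args=" +
  encodeURIComponent("ss=1&scc=1&ltmpl=bugzilla&emr=1");
const demo = handleAutoLogin("https://bugs.example.org/login", SAMPLE_HEADER,
  () => "https://login.example.org/weblogin?token=constructed");
console.log(demo.action, demo.url);
```

Without the host check in `isSafeTokenUrl`, whatever component answers the token request decides where the browser goes next with a live login token in the URL.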

Next step then (there is always a next step) is to allow third-party logins, e.g. from GitHub to Bugzilla, using x-auto-login.
