Metadata-Version: 2.0
Name: kinto-fxa
Version: 2.3.0
Summary: Firefox Accounts support in Kinto
Home-page: https://github.com/mozilla-services/kinto-fxa
Author: Mozilla Services
Author-email: services-dev@mozilla.com
License: Apache License (2.0)
Keywords: web services
Platform: UNKNOWN
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
Classifier: License :: OSI Approved :: Apache Software License
Requires-Dist: kinto (>=5.0)
Requires-Dist: pyfxa (>=0.0.9)

Firefox Accounts support in Kinto
=================================

|travis| |master-coverage|

.. |travis| image:: https://travis-ci.org/mozilla-services/kinto-fxa.svg?branch=master
    :target: https://travis-ci.org/mozilla-services/kinto-fxa

.. |master-coverage| image::
    https://coveralls.io/repos/mozilla-services/kinto-fxa/badge.png?branch=master
    :alt: Coverage
    :target: https://coveralls.io/r/mozilla-services/kinto-fxa

*Kinto-fxa* enables authentication in *Kinto* applications using
*Firefox Accounts* OAuth2 bearer tokens.

N.B. This project used to be called *cliquet-fxa*, but was renamed to
  *kinto-fxa* following the rename of the *cliquet* project to
  *kinto*.

It provides:

* An authentication policy class;
* Integration with *Kinto* cache backend for token verifications;
* Integration with *Kinto* for heartbeat view checks;
* Some optional endpoints to perform the *OAuth* dance (*optional*).


* `Kinto documentation <http://kinto.readthedocs.io/en/latest/>`_
* `Issue tracker <https://github.com/mozilla-services/kinto-fxa/issues>`_


Installation
------------

As `stated in the official documentation <https://developer.mozilla.org/en-US/Firefox_Accounts>`_,
Firefox Accounts OAuth integration is currently limited to Mozilla relying services.

Install the Python package:

::

    pip install kinto-fxa


Include the package in the project configuration:

::

    kinto.includes = kinto_fxa

And configure authentication policy using `pyramid_multiauth
<https://github.com/mozilla-services/pyramid_multiauth#deployment-settings>`_ formalism:

::

    multiauth.policies = fxa
    multiauth.policy.fxa.use = kinto_fxa.authentication.FxAOAuthAuthenticationPolicy

By default, it will rely on the cache configured in *Kinto*.


Configuration
-------------

Fill those settings with the values obtained during the application registration:

::

    fxa-oauth.client_id = 89513028159972bc
    fxa-oauth.client_secret = 9aced230585cc0aaea0a3467dd800
    fxa-oauth.oauth_uri = https://oauth-stable.dev.lcip.org
    fxa-oauth.requested_scope = profile kinto
    fxa-oauth.required_scope = kinto
    fxa-oauth.webapp.authorized_domains = *.firefox.com
    # fxa-oauth.cache_ttl_seconds = 300
    # fxa-oauth.state.ttl_seconds = 3600


In case the application shall not behave as a relier (a.k.a. OAuth dance
endpoints disabled):

::

    fxa-oauth.relier.enabled = false


If necessary, override default values for authentication policy:

::

    # multiauth.policy.fxa.realm = Realm


Login flow
----------

OAuth Bearer token
::::::::::::::::::

Use the OAuth token with this header:

::

    Authorization: Bearer <oauth_token>


:notes:

    If the token is not valid, this will result in a ``401`` error response.


Obtain token using Web UI
:::::::::::::::::::::::::

* Navigate the client to ``GET /fxa-oauth/login?redirect=http://app-endpoint/#``.
  There, a session cookie will be set, and the client will be redirected to a login
  form on the FxA content server;
* After submitting the credentials on the login page, the client will
  be redirected to ``http://app-endpoint/#{token}`` (the web-app).


Obtain token custom flow
::::::::::::::::::::::::

The ``GET /v1/fxa-oauth/params`` endpoint can be use to get the
configuration in order to trade the *Firefox Accounts* BrowserID with a
*Bearer Token*. `See Firefox Account documentation about this behavior
<https://developer.mozilla.org/en-US/Firefox_Accounts#Firefox_Accounts_BrowserID_API>`_

.. code-block:: http

    $ http GET http://localhost:8000/v0/fxa-oauth/params -v

    GET /v0/fxa-oauth/params HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: localhost:8000
    User-Agent: HTTPie/0.8.0


    HTTP/1.1 200 OK
    Content-Length: 103
    Content-Type: application/json; charset=UTF-8
    Date: Thu, 19 Feb 2015 09:28:37 GMT
    Server: waitress

    {
        "client_id": "89513028159972bc",
        "oauth_uri": "https://oauth-stable.dev.lcip.org",
        "scope": "profile"
    }


Changelog
=========

This document describes changes between each past release.

2.3.0 (2016-12-22)
------------------

**Internal changes**

- Migrate schemas to Cornice 2 #38


2.2.0 (2016-10-27)
------------------

**New features**

- Improve FxA error messages (fixes #1)

**Bug fixes**

- Optimize authentication policy to avoid validating the token several times
  per request (fixes #33)

**Internal changes**

- Use Service from kinto.core (fixes #28)
- Make sure it does not catch Cornice 2 dependency (#36)


2.1.0 (2016-09-08)
------------------

- Add the plugin version in the capability.


2.0.0 (2016-05-19)
------------------

**Breaking changes**

- Project renamed to *Kinto-fxa* to match the rename of ``cliquet`` to
  ``kinto.core``.

- Update to ``kinto.core`` for compatibility with Kinto 3.0. This
  release is no longer compatible with Kinto < 3.0, please upgrade!

- With *Kinto* > 2.12*, the setting ``multiauth.policy.fxa.use`` must now
  be explicitly set to ``kinto_fxa.authentication.FxAOAuthAuthenticationPolicy``

**Bug fixes**

- Fix checking of ``Authorization`` header when python is ran ``-O``
  (ref mozilla-services/cliquet#592)


1.4.0 (2015-10-28)
------------------

-  Updated to *Cliquet* 2.9.0

**Breaking changes**

- *cliquet-fxa* cannot be included using ``pyramid.includes`` setting.
  Use ``cliquet.includes`` instead.


1.3.2 (2015-10-22)
------------------

**Bug fixes**

- In case the Oauth dance is interrupted, return a ``408 Request Timeout``
  error instead of the ``401 Unauthenticated`` one. (#11)
- Do not call ``cliquet.load_default_settings`` from cliquet-fxa (#12)


1.3.1 (2015-09-29)
------------------

- Separate multiple scopes by a + in login URL.


1.3.0 (2015-09-29)
------------------

**Bug fixes**

- Multiple scopes can be requested on the login flow.
- Multiple scopes can be required for the app.

**Configuration changes**

- ``fxa-oauth.scope`` is now deprecated. ``fxa-oauth.requested_scope`` and
  ``fxa-oauth.required_scope`` should be used instead.


1.2.0 (2015-06-24)
------------------

- Add default settings to define a policy "fxa".
  It is now possible to just include ``cliquet_fxa`` and
  add ``fxa`` to ``multiauth.policies`` setting list.
- Do not check presence of cliquet cache in initialization
  phase.
- Do not use Cliquet logger to prevent initialization errors.


1.1.0 (2015-06-18)
------------------

- Do not prefix authenticated user with ``fxa_`` anymore (#5)


1.0.0 (2015-06-09)
------------------

- Imported code from *Cliquet*


Contributors
============

* Alexis Metaireau <alexis@mozilla.com>
* Mathieu Leplatre <mathieu@mozilla.com>
* Nicolas Perriault <nperriault@mozilla.com>
* Rémy Hubscher <rhubscher@mozilla.com>
* Tarek Ziade <tarek@mozilla.com>
* Lavish Aggarwal <lucky.lavish@gmail.com>


