feat(authorization): Update conditional keys fetch, add scopes in fxaOAuthLogin #20427

Draft
LZoog wants to merge 1 commit into main from FXA-12939-code

Conversation

@LZoog (Contributor) commented Apr 22, 2026

Because:

  • Non-Sync browser services (VPN, Relay, SmartWindow) should not force password entry just to fetch keys, but should fetch them opportunistically if a password is entered for another reason.
  • The browser needs to know which scopes were granted after an OAuth flow completes.
  • The isSignedIntoFirefoxDesktop state was too narrow for the scope authorization flow which applies to all Firefox platforms.

This commit:

  • Splits wantsKeys into requiresKeys (Sync only, forces password) and wantsKeysIfPasswordEntered (non-Sync, opportunistic), with wantsKeys, to allow a "cached login" render without the "keys optional" capability, which is a capability intended for passwordless non-sync browser logins.
  • Adds scopes field to fxaOAuthLogin WebChannel message at all call sites, because the browser needs to know which scopes were actually granted — with ADR 0049, FxA may deny requested scopes or grant additional ones, and the browser may not request scope at all.
  • Renames isSignedIntoFirefoxDesktop to isSignedIntoFirefox and removes the Desktop-only check.
  • Adds VPN to token exchange allowed scopes in auth-server config.
  • Adds "Authorize" button text for signed-in Firefox users, full UI TBD.

closes FXA-12939


Draft because I need to actually test this. It won't make the tag tomorrow but I'll try to get it ready for an early dot.
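The two behaviours the PR description splits apart (Sync must have keys and therefore forces a password; non-Sync browser services take keys only when a password happens to be entered) and the new `scopes` field on the fxaOAuthLogin message, sketched as an added TypeScript example. This is not code from the PR or from the FxA repository: every type and function name is hypothetical, the policy values for Sync and VPN are constructed, and the message fields other than `scopes` are assumed. The one property worth checking is that `scopes` is always populated from what the server granted, never echoed back from the request, since the description notes FxA may deny or add scopes.

```typescript
// Added illustration, not FxA's own code. All names are hypothetical.

type KeyPolicy = {
  /** Sync: keys are mandatory, so a password must be entered to derive them. */
  requiresKeys: boolean;
  /** Non-Sync browser services: take keys only if a password was entered for
   *  some other reason; never force password entry just to fetch keys. */
  wantsKeysIfPasswordEntered: boolean;
};

type KeyDecision = 'force-password' | 'fetch-keys' | 'skip-keys';

/** Decide what to do about keys for a relying party, given whether the user
 *  has already entered a password in this flow. */
function decideKeyFetch(policy: KeyPolicy, passwordEntered: boolean): KeyDecision {
  if (policy.requiresKeys) {
    // Sync only: without a password there is nothing to derive keys from.
    return passwordEntered ? 'fetch-keys' : 'force-password';
  }
  if (policy.wantsKeysIfPasswordEntered && passwordEntered) {
    // Opportunistic: the password is already available, so keys cost nothing.
    return 'fetch-keys';
  }
  // Cached-login / passwordless path: finish the OAuth flow without keys.
  return 'skip-keys';
}

type FxaOAuthLoginMessage = {
  code: string;      // assumed field name
  state: string;     // assumed field name
  redirect: string;  // assumed field name
  action?: string;   // assumed field name
  /** Scopes the server actually granted; may differ from those requested. */
  scopes: string[];
};

type AuthorizationResult = {
  code: string;
  state: string;
  redirectUri: string;
  grantedScopes: unknown; // deliberately untyped: validated below
};

/** Build the fxaOAuthLogin payload. `scopes` comes from the authorization
 *  result only; the caller cannot substitute the list it originally requested. */
function buildFxaOAuthLoginMessage(
  result: AuthorizationResult,
  action?: string,
): FxaOAuthLoginMessage {
  const granted = result.grantedScopes;
  if (
    !Array.isArray(granted) ||
    !granted.every((s) => typeof s === 'string' && s.length > 0)
  ) {
    throw new TypeError('grantedScopes must be an array of non-empty strings');
  }
  // Deduplicate and sort so the browser always sees a canonical list.
  const scopes = Array.from(new Set(granted as string[])).sort();
  const msg: FxaOAuthLoginMessage = {
    code: result.code,
    state: result.state,
    redirect: result.redirectUri,
    scopes,
  };
  if (action !== undefined) {
    msg.action = action;
  }
  return msg;
}

// Constructed sample policies for two relying parties (hypothetical values).
const SYNC_POLICY: KeyPolicy = { requiresKeys: true, wantsKeysIfPasswordEntered: false };
const VPN_POLICY: KeyPolicy = { requiresKeys: false, wantsKeysIfPasswordEntered: true };
```

The builder takes `grantedScopes` as `unknown` on purpose: the value arrives from the authorization step, and a non-array or a list containing non-strings is rejected rather than passed through to the browser.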
