fxa_client/token.rs
1/* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5//! # Token Management
6//!
7//! A signed-in application will typically hold a number of different *tokens* associated with the
8//! user's account, including:
9//!
10//! - An OAuth `refresh_token`, representing their ongoing connection to the account
11//! and the scopes that have been granted.
12//! - Short-lived OAuth `access_token`s that can be used to access resources on behalf
13//! of the user.
14//! - Optionally, a `session_token` that gives full control over the user's account,
15//! typically managed on behalf of web content that runs within the context
16//! of the application.
17
18use crate::{ApiResult, Error, FirefoxAccount};
19use error_support::handle_error;
20use serde_derive::*;
21use std::convert::TryInto;
22
23impl FirefoxAccount {
24 /// Get a short-lived OAuth access token for the user's account.
25 ///
26 /// **💾 This method alters the persisted account state.**
27 ///
28 /// Applications that need to access resources on behalf of the user must obtain an
29 /// `access_token` in order to do so. For example, an access token is required when
30 /// fetching the user's profile data, or when accessing their data stored in Firefox Sync.
31 ///
32 /// This method will obtain and return an access token bearing the requested scopes, either
33 /// from a local cache of previously-issued tokens, or by creating a new one from the server.
34 ///
35 /// # Arguments
36 ///
37 /// - `scope` - space-separated list of OAuth scopes to be granted by the token.
38 /// - Each scope must have been requested during the signin flow, or be a scope
39 /// which the server might offer automatically in some account-specific cases.
40 /// - Scope order is not significant; `"a b"` and `"b a"` are equivalent.
41 /// - When a single scope is requested and it has an associated scoped key
42 /// (e.g. `https://identity.mozilla.com/apps/oldsync`), the returned
43 /// `AccessTokenInfo::key` will be populated; for multi-scope requests it is `None`.
44 /// - `use_cache` - optionally set to false to force a new token request. The fetched
45 /// token will still be cached for later `get_access_token` calls.
46 ///
47 /// # Notes
48 ///
49 /// - If the application receives an authorization error when trying to use the resulting
50 /// token, it should call [`clear_access_token_cache`](FirefoxAccount::clear_access_token_cache)
51 /// before requesting a fresh token.
52 #[handle_error(Error)]
53 pub fn get_access_token(&self, scope: &str, use_cache: bool) -> ApiResult<AccessTokenInfo> {
54 self.internal
55 .lock()
56 .get_access_token(scope, use_cache)?
57 .try_into()
58 }
59
60 /// Builds a complete `signedInUser` JSON object for a WebChannel `fxaccounts:fxa_status`
61 /// response, embedding the session token without exposing it to the browser layer. Email and
62 /// uid are read from the cached profile in internal state. Returns `None` if no session token
63 /// is available.
64 pub fn get_signed_in_user_for_web_channel(&self) -> Option<String> {
65 self.internal.lock().get_signed_in_user_for_web_channel()
66 }
67
68 /// Handle a WebChannel password-change notification by exchanging the new session token
69 /// for a new refresh token.
70 ///
71 /// **💾 This method alters the persisted account state.**
72 #[handle_error(Error)]
73 pub fn handle_web_channel_password_change(&self, json_payload: String) -> ApiResult<()> {
74 self.internal
75 .lock()
76 .handle_web_channel_password_change(&json_payload)
77 }
78
79 /// Get the session token for the user's account, if one is available.
80 ///
81 /// **💾 This method alters the persisted account state.**
82 ///
83 /// Applications that function as a web browser may need to hold on to a session token
84 /// on behalf of Firefox Accounts web content. This method exists so that they can retrieve
85 /// it an pass it back to said web content when required.
86 ///
87 /// # Notes
88 ///
89 /// - Please do not attempt to use the resulting token to directly make calls to the
90 /// Firefox Accounts servers! All account management functionality should be performed
91 /// in web content.
92 /// - A session token is only available to applications that have requested the
93 /// `https://identity.mozilla.com/tokens/session` scope.
94 #[handle_error(Error)]
95 pub fn get_session_token(&self) -> ApiResult<String> {
96 self.internal.lock().get_session_token()
97 }
98
99 /// Update the stored session token for the user's account.
100 ///
101 /// **💾 This method alters the persisted account state.**
102 ///
103 /// Applications that function as a web browser may need to hold on to a session token
104 /// on behalf of Firefox Accounts web content. This method exists so that said web content
105 /// signals that it has generated a new session token, the stored value can be updated
106 /// to match.
107 ///
108 /// # Arguments
109 ///
110 /// - `session_token` - the new session token value provided from web content.
111 #[handle_error(Error)]
112 pub fn handle_session_token_change(&self, session_token: &str) -> ApiResult<()> {
113 self.internal
114 .lock()
115 .handle_session_token_change(session_token)
116 }
117
118 /// Create a new OAuth authorization code using the stored session token.
119 ///
120 /// When a signed-in application receives an incoming device pairing request, it can
121 /// use this method to grant the request and generate a corresponding OAuth authorization
122 /// code. This code would then be passed back to the connecting device over the
123 /// pairing channel (a process which is not currently supported by any code in this
124 /// component).
125 ///
126 /// # Arguments
127 ///
128 /// - `params` - the OAuth parameters from the incoming authorization request
129 #[handle_error(Error)]
130 pub fn authorize_code_using_session_token(
131 &self,
132 params: AuthorizationParameters,
133 ) -> ApiResult<String> {
134 self.internal
135 .lock()
136 .authorize_code_using_session_token(params)
137 }
138
139 /// Clear the access token cache in response to an auth failure.
140 ///
141 /// **💾 This method alters the persisted account state.**
142 ///
143 /// Applications that receive an authentication error when trying to use an access token,
144 /// should call this method before creating a new token and retrying the failed operation.
145 /// It ensures that the expired token is removed and a fresh one generated.
146 pub fn clear_access_token_cache(&self) {
147 self.internal.lock().clear_access_token_cache()
148 }
149}
150
151/// An OAuth access token, with its associated keys and metadata.
152///
153/// This struct represents an FxA OAuth access token, which can be used to access a resource
154/// or service on behalf of the user. For example, accessing the user's data in Firefox Sync
155/// an access token for the scope `https://identity.mozilla.com/apps/sync` along with the
156/// associated encryption key.
157#[derive(Debug)]
158pub struct AccessTokenInfo {
159 /// The scope of access granted by token.
160 pub scope: String,
161 /// The access token itself.
162 ///
163 /// This is the value that should be included in the `Authorization` header when
164 /// accessing an OAuth protected resource on behalf of the user.
165 pub token: String,
166 /// The client-side encryption key associated with this scope.
167 ///
168 /// **⚠️ Warning:** the value of this field should never be revealed outside of the
169 /// application. For example, it should never to sent to a server or logged in a log file.
170 pub key: Option<ScopedKey>,
171 /// The expiry time of the token, in seconds.
172 ///
173 /// This is the timestamp at which the token is set to expire, in seconds since
174 /// unix epoch. Note that it is a signed integer, for compatibility with languages
175 /// that do not have an unsigned integer type.
176 ///
177 /// This timestamp is for guidance only. Access tokens are not guaranteed to remain
178 /// value for any particular lengthof time, and consumers should be prepared to handle
179 /// auth failures even if the token has not yet expired.
180 pub expires_at: i64,
181}
182
183/// A cryptographic key associated with an OAuth scope.
184///
185/// Some OAuth scopes have a corresponding client-side encryption key that is required
186/// in order to access protected data. This struct represents such key material in a
187/// format compatible with the common "JWK" standard.
188///
189#[derive(Clone, Serialize, Deserialize)]
190pub struct ScopedKey {
191 /// The type of key.
192 ///
193 /// In practice for FxA, this will always be string string "oct" (short for "octal")
194 /// to represent a raw symmetric key.
195 pub kty: String,
196 /// The OAuth scope with which this key is associated.
197 pub scope: String,
198 /// The key material, as base64-url-encoded bytes.
199 ///
200 /// **⚠️ Warning:** the value of this field should never be revealed outside of the
201 /// application. For example, it should never to sent to a server or logged in a log file.
202 pub k: String,
203 /// An opaque unique identifier for this key.
204 ///
205 /// Unlike the `k` field, this value is not secret and may be revealed to the server.
206 pub kid: String,
207}
208
209/// Parameters provided in an incoming OAuth request.
210///
211/// This struct represents parameters obtained from an incoming OAuth request - that is,
212/// the values that an OAuth client would append to the authorization URL when initiating
213/// an OAuth sign-in flow.
214pub struct AuthorizationParameters {
215 pub client_id: String,
216 pub scope: Vec<String>,
217 pub state: String,
218 pub access_type: String,
219 pub code_challenge: Option<String>,
220 pub code_challenge_method: Option<String>,
221 pub keys_jwk: Option<String>,
222}