Add fxa:<email> to principals if profile is in requested scope?

[leplatrem]

Follow up of @magopian question: how do I know the user id of a FxA user?

Currently, we only add fxa:<user id> which is the md5 of the email or something like that., but should be considered opaque IMO.

Adding fxa:<email> would allow Kinto permissions to be defined easily for example.

Note: With kinto-portier it is a lot easier. It is always the email.

[Natim]

Unlike portier, you cannot access the email address for privacy reason in FxA unless you ask for the profile["email"] scope

[leplatrem]

Yes but profile is our default requested scope

[Natim]

Not in production. And we don't actually need it for Kinto, so we shouldn't enforce it.

[Natim]

See https://github.com/mozilla-services/cloudops-deployment/blob/master/projects/kintowe/puppet/modules/kintowe/templates/kinto.ini.erb#L65

[leplatrem]

Thanks! Closing ;)

[rfk]

Currently, we only add fxa: which is the md5 of the email
or something like that., but should be considered opaque IMO.

FTR, the fxa userid is a randomly-generated opaque identifier, and you can expect it to remain stable even when we eventually ship the ability to change the email on your firefox account.

[Natim]

Actually, we could also make the fxa-email mandatory for some use cases where we want to enable sharing with email. It would make sense.

[Natim]

In that case we could provide both principals fxa:fxaID and fxa:email