See also the canonical version
Procedure to install the Firefox Accounts (FxA) system on WebPlatform infrastructure. To read more about the context and the project of adapting FxA for WebPlatform infrastructure, head over to WPD:Projects/SSO/Adapt Firefox Accounts for WebPlatform
seanmonstar: ... the oauth spec uses "grant" where we use "code". OAuth server sends a code to app, and the app trades the "code" for a token.
Database schema, see https://github.com/mozilla/fxa-auth-db-server/tree/master/db/schema, and add:
ALTER TABLE accounts ADD COLUMN `username` VARCHAR(55) CHARACTER SET 'utf8' COLLATE 'utf8_unicode_ci' NULL DEFAULT NULL , ADD COLUMN `fullName` VARCHAR(255) NULL DEFAULT NULL AFTER `username`, ADD UNIQUE INDEX `username_UNIQUE` (`username` ASC) ;
fxa-content-server is the component that humans see in their web browsers.
Start with the system dependencies:
sudo apt-get install nginx-full git nodejs npm libgmp-dev libgmp10 pcregrep
Ubuntu package-name collision fix: we want nodejs, not the amateur-radio utility that owns the node package name.
sudo ln -s /usr/bin/nodejs /usr/bin/node
Deployment-specific requirements:
sudo npm install -g grunt-cli phantomjs bower bunyan
Create the folders:
sudo mkdir -p /srv/webplatform/auth/
sudo chown -R ubuntu:ubuntu /srv/webplatform
Download the package into /srv/webplatform/auth and extract it (the codeload tarball unpacks into a directory named after the repository and branch):
cd /srv/webplatform/auth
curl -o fxa-content-server.tar.gz https://codeload.github.com/webplatform/fxa-content-server/tar.gz/webplatform-customizations
tar xfz fxa-content-server.tar.gz
cd fxa-content-server-webplatform-customizations
Install dependencies
npm install --production
bower install
Note that you can see the available options in the project's base Convict file. Those files are easy to find: they are generally called config.js and live outside of the config/ folder, mostly in lib/. The Convict file lists every option together with its default.
more server/lib/configuration.js
Configuration notes:
fxaccount_url: Where you expose the fxa-auth-server, ideally behind an HTTP server that presents a valid SSL certificate; in our case, api.accounts.webplatform.org
For configuration and startup, refer to the fxa-content-server config block below.
Install the fxa-auth-server package:
cd /srv/webplatform/auth
curl -o fxa-auth-server.tar.gz https://codeload.github.com/webplatform/fxa-auth-server/tar.gz/webplatform-customizations
tar xfz fxa-auth-server.tar.gz
cd fxa-auth-server-webplatform-customizations
Install dependencies
npm install --production
Note that you can see the available options in the project's base Convict file:
more config/config.js
The file name can match the environment name. For example, if you use NODE_ENV=prod, the file would be config/prod.json
Configuration notes:
contentServer: The URL where the fxa-content-server is.
templateServer: For now, also the fxa-content-server. This is where the email templates are served from; they will most likely move elsewhere in the future.
customsUrl: Will eventually point to the email checker called "Customs"; can be set to "none" if not in use (the current default).
For configuration and startup, refer to the fxa-auth-server config block below.
Get the fxa-oauth-server package:
cd /srv/webplatform/auth
curl -o fxa-oauth-server.tar.gz https://codeload.github.com/webplatform/fxa-oauth-server/tar.gz/master
tar xfz fxa-oauth-server.tar.gz
cd fxa-oauth-server-master
Install dependencies
npm install --production
You can see the available configuration switches here:
more lib/config.js
more config/dev.json
Configuration notes:
clients: An array of objects used to allow clients. At every startup, the OAuth server ensures that these client entries are inserted in the database; each entry allows a remote site to use us as an OAuth server. To have preauthorized clients, look at the client property "whitelisted".
contentUrl: Should point to the OAuth endpoint context root, e.g. https://accounts.webplatform.org/oauth/
whitelisted: In a client entry. This property differentiates services that we want to pass through OAuth without asking each user to confirm the use. Because it removes the one step where a user can refuse, reserve it for services we operate ourselves. To learn more about generating client keys, see fxa-oauth-server/doc/clients.md
For configuration and startup, refer to the fxa-oauth-server config block below.
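The following is an added example, not part of this procedure or of fxa-oauth-server, showing how to mint the credentials for one entry of the clients array described above: a random client id, a random secret, and the SHA-256 digest of the secret. It assumes the server keeps only the digest (as hashedSecret) and that the field names match doc/clients.md of the version you deploy; confirm both against your checkout before pasting the output into config/<env>.json. whitelisted defaults to false for the reason given above.

```shell
#!/bin/sh
# Added example; not part of the WebPlatform procedure or of fxa-oauth-server.
# Generates the credentials for one entry of the "clients" array: a random
# 8-byte client id, a random 32-byte secret, and the SHA-256 digest of that
# secret. Assumptions: the server stores the digest as "hashedSecret", the
# plaintext secret is handed to the relying party once and never kept here,
# and the field names follow doc/clients.md of the version deployed.
set -eu

# Hex SHA-256 of a string (printf '%s' so no trailing newline is digested).
sha256_hex() {
  printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Print one JSON client entry. Arguments: name, redirect URI, whitelisted
# (true/false, default false). A whitelisted client skips the user's consent
# screen, so it is reserved for services WebPlatform itself operates.
make_oauth_client() {
  name="$1"; redirect="$2"; whitelisted="${3:-false}"
  case "$whitelisted" in
    true|false) ;;
    *) echo "whitelisted must be true or false" >&2; return 1 ;;
  esac
  # The authorization code travels in the redirect, so refuse a cleartext URI.
  case "$redirect" in
    https://*) ;;
    *) echo "redirectUri must be an https:// URL" >&2; return 1 ;;
  esac
  id=$(openssl rand -hex 8)
  secret=$(openssl rand -hex 32)
  hashed=$(sha256_hex "$secret")
  echo "Hand this secret to the relying party once; only its hash is stored: $secret" >&2
  printf '{\n  "id": "%s",\n  "hashedSecret": "%s",\n  "name": "%s",\n  "redirectUri": "%s",\n  "whitelisted": %s\n}\n' \
    "$id" "$hashed" "$name" "$redirect" "$whitelisted"
}

# Usage: make_oauth_client "WebPlatform Docs" https://docs.webplatform.org/oauth/callback false
```

The plaintext secret is printed to stderr so that redirecting stdout into the config file never captures it.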
- Sample nodemon config
- nodemon help
- Grunt nodemon in task/server.js
Get the fxa-profile-server package:
cd /srv/webplatform/auth
curl -o fxa-profile-server.tar.gz https://codeload.github.com/webplatform/fxa-profile-server/tar.gz/webplatform-customizations
tar xfz fxa-profile-server.tar.gz
cd fxa-profile-server-webplatform-customizations
Install dependencies
npm install --production
You can see the available configuration switches here:
more lib/config.js
more config/dev.json
For configuration, refer to the fxa-profile-server config block below.
Note: we are creating self-signed certificates for the moment.
sudo -s
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
From here, you have two choices:
- Install your key and certificates
- Create self-signed certificates
It is expected that you have the following files in /etc/nginx/ssl, which are the names the vhost below refers to: accounts.webplatform-20140401.pem, api.accounts.webplatform-20140401.pem and oauth.accounts.webplatform-20140401.pem (each server certificate followed by its CA chain) and 201404.key (the private key shared by the three).
Adjust vhost:
vi /etc/nginx/sites-enabled/accounts
Paste:
server {
    listen 80;
    server_name accounts.webplatform.org;
    return 301 https://accounts.webplatform.org$request_uri;
}
server {
    listen 80;
    server_name api.accounts.webplatform.org;
    return 301 https://api.accounts.webplatform.org$request_uri;
}
server {
    listen 80;
    server_name oauth.accounts.webplatform.org;
    return 301 https://oauth.accounts.webplatform.org$request_uri;
}
server {
    listen 443 ssl;
    server_name accounts.webplatform.org;
    location / {
        proxy_pass http://127.0.0.1:3030;
        # Pass the original host and client address on to the Node process.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    ssl_certificate ssl/accounts.webplatform-20140401.pem;
    ssl_certificate_key ssl/201404.key;
    ssl_session_timeout 5m;
    # SSLv3 is deliberately absent: it is broken (POODLE) and no supported client needs it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # One cipher list only; "X or Y" is not cipher-list syntax, so keep the stricter variant.
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
}
server {
    listen 443 ssl;
    server_name api.accounts.webplatform.org;
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    ssl_certificate ssl/api.accounts.webplatform-20140401.pem;
    ssl_certificate_key ssl/201404.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
}
server {
    listen 443 ssl;
    server_name oauth.accounts.webplatform.org;
    location / {
        proxy_pass http://127.0.0.1:9010;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    ssl_certificate ssl/oauth.accounts.webplatform-20140401.pem;
    ssl_certificate_key ssl/201404.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
}
Remove default nginx vhost
rm /etc/nginx/sites-enabled/default
Return as normal user
exit
Paste our own self-signed CA certificate and key (eventually these will be real ones). The CA key only ever signs certificates and nginx never reads it, so keep it readable by its owner alone (chmod 600 ca-key.pem):
vi ca-cert.pem
vi ca-key.pem
Optional: if you do not have your own certificates to use as the root of your own self-signed authority, you can make them with this:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
-key ca-key.pem -out ca-cert.pem
Generate the server key once, since all three vhosts share 201404.key, then one certificate request per hostname from that same key. Do not run -newkey once per request with the same -keyout: the second run would replace the key the first request was made from, and nginx would refuse that certificate with a key mismatch. The vhost also serves oauth.accounts.webplatform.org, so request a certificate for it too. (-days has no effect on a request, only on a certificate.)
openssl genrsa 2048 > server-key.pem
openssl req -new -key server-key.pem -out accounts-req.pem -subj '/C=US/ST=MA/L=Cambridge/O=W3C/OU=WebPlatform Project/CN=accounts.webplatform.org/emailAddress=hostmaster@webplatform.org'
openssl req -new -key server-key.pem -out api.accounts-req.pem -subj '/C=US/ST=MA/L=Cambridge/O=W3C/OU=WebPlatform Project/CN=api.accounts.webplatform.org/emailAddress=hostmaster@webplatform.org'
openssl req -new -key server-key.pem -out oauth.accounts-req.pem -subj '/C=US/ST=MA/L=Cambridge/O=W3C/OU=WebPlatform Project/CN=oauth.accounts.webplatform.org/emailAddress=hostmaster@webplatform.org'
Sign the requests with the CA. Give every certificate its own serial number: browsers such as Firefox reject two certificates that share an issuer and a serial.
openssl x509 -req -in accounts-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out accounts-cert.pem
openssl x509 -req -in api.accounts-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out api.accounts-cert.pem
openssl x509 -req -in oauth.accounts-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 03 -out oauth.accounts-cert.pem
As described in NGINX SSL Module documentation about SSL certificates;
When using a chain of certificates, just append the extra certificates to your .crt file. The server certificate needs to be the first on the file, otherwise you'll get a mismatch between private and public keys.
Rename them to follow the conventions used in the rest of the procedure, appending the CA certificate after each server certificate, and keep the private key readable by its owner alone:
mv accounts-cert.pem accounts.webplatform-20140401.pem
cat ca-cert.pem >> accounts.webplatform-20140401.pem
mv api.accounts-cert.pem api.accounts.webplatform-20140401.pem
cat ca-cert.pem >> api.accounts.webplatform-20140401.pem
mv oauth.accounts-cert.pem oauth.accounts.webplatform-20140401.pem
cat ca-cert.pem >> oauth.accounts.webplatform-20140401.pem
mv server-key.pem 201404.key
chmod 600 201404.key
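The whole self-signed procedure above, as an added script that is not part of this page or of any FxA project: it builds the private CA, the single shared server key and one CA-signed certificate per hostname (distinct serials, server certificate followed by the CA in each chain file), then checks the two things nginx would fail on at startup, that each certificate chains to the CA and that the key actually belongs to it. It assumes the openssl command-line tool is installed and takes the output directory as a parameter (default ./fxa-ssl rather than /etc/nginx/ssl) so it can be tried as an unprivileged user first; the subject fields and file names are the ones used above.

```shell
#!/bin/sh
# Added example; not part of the WebPlatform procedure or of any FxA project.
# Builds what the nginx vhost expects: one private CA, one shared server key
# (201404.key) and, for each of the three hostnames, a CA-signed certificate
# with its own serial followed by the CA certificate in one chain file.
# Assumptions: the openssl CLI is installed; the output directory is an
# argument (default ./fxa-ssl) instead of /etc/nginx/ssl.
set -eu

make_fxa_certs() {
  out="${1:-./fxa-ssl}"
  mkdir -p "$out"
  cd "$out"
  # 1. Private CA, used only to sign our own server certificates.
  [ -f ca-key.pem ] || openssl genrsa -out ca-key.pem 2048 2>/dev/null
  [ -f ca-cert.pem ] || openssl req -new -x509 -days 3600 -key ca-key.pem \
      -out ca-cert.pem \
      -subj '/C=US/ST=MA/L=Cambridge/O=W3C/OU=WebPlatform Project/CN=WebPlatform private CA'
  chmod 600 ca-key.pem
  # 2. One server key, generated once: every vhost references the same file.
  [ -f 201404.key ] || openssl genrsa -out 201404.key 2048 2>/dev/null
  chmod 600 201404.key
  serial=1
  for host in accounts api.accounts oauth.accounts; do
    fqdn="$host.webplatform.org"
    # CSR from the shared key (-days is meaningless on a request, so omitted).
    openssl req -new -key 201404.key -out "$host-req.pem" \
      -subj "/C=US/ST=MA/L=Cambridge/O=W3C/OU=WebPlatform Project/CN=$fqdn/emailAddress=hostmaster@webplatform.org"
    # Sign with the CA; each certificate gets its own serial number because
    # browsers reject two certificates sharing an issuer and a serial.
    openssl x509 -req -in "$host-req.pem" -days 3600 -CA ca-cert.pem \
      -CAkey ca-key.pem -set_serial "$serial" -out "$host-cert.pem" 2>/dev/null
    # nginx wants the server certificate first, then the chain, in one file.
    cat "$host-cert.pem" ca-cert.pem > "$host.webplatform-20140401.pem"
    serial=$((serial + 1))
  done
  cd - >/dev/null
}

# The certificate must chain to our CA (what a browser with the CA imported checks).
verify_chain() {            # $1 = directory, $2 = host prefix
  openssl verify -CAfile "$1/ca-cert.pem" "$1/$2-cert.pem" >/dev/null 2>&1
}

# The key must belong to the certificate, otherwise nginx refuses to start
# with "key values mismatch". Compare the public key derived from each.
key_matches_cert() {        # $1 = directory, $2 = host prefix
  k=$(openssl pkey -in "$1/201404.key" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$1/$2-cert.pem" -noout -pubkey 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject CN of a certificate, to confirm each vhost file carries the right name.
cert_cn() {                 # $1 = directory, $2 = host prefix
  openssl x509 -in "$1/$2-cert.pem" -noout -subject \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage: make_fxa_certs /etc/nginx/ssl && verify_chain /etc/nginx/ssl accounts
```

Run the two checks after any certificate renewal as well; they take a second and catch the key-overwrite and duplicate-serial mistakes before nginx or Firefox does.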