Mozilla’s identity and access management (IAM) initiatives

(Jbryner) #10

Persona end of life is November 30th. After that date it will be shut down.

(Rabimba) #11

Hence my query was whether there will be an alternate login system in place before that day. Otherwise there won’t be any way to log in.

(Henrik Mitsch) #12

Hi @rabimba,

yes, there will be an alternate login. We are currently working on transitioning to Auth0, enabling passwordless login for all volunteers (and LDAP login for staff).
We expect to run tests on our Staging instance this week. Details of this can be seen in our sprint emails which are also published in this Discourse category.

Please send me a private message at in case you want to see and test the new login on our staging system.

Best regards,

(Jbryner) #13

Ah… sorry misunderstood. Yes there is a prod instance up. You can see it in action on

(Kairo) #14

FWIW, Mozilla can’t be sold, as a non-profit foundation cannot be bought by anyone. Mitchell has outlined that a number of times as something very positive, don’t take it away from us. :wink:

That said, I of course know that there’s extensive review involved in what Mozilla uses, esp. in an area as critical as this. My question wasn’t trying to be negative but genuine interest of why we made that choice (which I’m not sure was answered so far), given that others are facing similar decisions.

When you say “we run a dedicated instance”, does that imply that their code is completely open or do we have a licensed copy that we run on (virtual) machines that are under our control?

Again, I’m genuinely interested in the backgrounds of the choice here and wonder in what circumstances the same is a good choice for others out there and where the trade-offs are.

(Jbryner) #15

They house their open code here:

The drivers for the choice were mainly support of OIDC and licensing favorable to allowing us to include community and paid staff in one solution. Hosting choices were made based on price (our own VM in our AWS account being the most expensive, shared VM being the least), support (SLA for bug fixes) and security (adhering to their existing SOC 2 processes).

(Andrew) #16

I’m also quite interested in why Auth0 is being used. In my experience using it I’ve been rather disappointed with the product.

@hmitsch Did you ever provide @kairo the details of why this approach was taken? I would also like this information.

(Rodrigo López Dato) #17

Hi all, I work for Auth0. Happy to answer any questions you might have about our product - seems this is a better medium to discuss than Twitter. We understand openness and transparency are important to Mozilla, and while our product is not open source we would still like to address any specific concerns you might have about Auth0.

(Andrew) #18

You sponsor passport.js though which is super awesome. :grinning: You could say you’re friends of open source.

(Mike) #19

Auth0? Really? It’s not a surprising choice from the same stellar IAM team that previously thought their “persona” identity system was a good idea. Don’t support open standards… let’s tell everyone to get an Auth0 account… of course! Obviously Mozilla should support OpenID Connect, which is already supported by Google, Microsoft and numerous other domains, and provides a solution for distributed control of identity information (in case people realize that we have enough massive silos of identity information for the NSA to hack).

(Kairo) #20

Sorry, don’t be so harsh, you can say your opinion without attacking people. And even inform yourself before you talk. The IAM team did not create Persona, nor did they end it, and even then Persona tried to create a new open standard for something where there was none (and still isn’t). Also, Auth0 actually supports and uses OpenID Connect. While I may not ultimately be in favor of closed-source solutions personally, for the timeframe and the dire landscape out there, this was and is probably a decent choice for this initiative. Your uninformed and personal attack is unwarranted, please be gentle and adhere to the Mozilla Participation Guidelines.
And please give the team that has to make those decisions some love. It’s awesome that they are open about what they are choosing and doing in their paid job (are you doing the same?) and that they are adhering to high security standards and weighing the options available carefully.

(Matias Woloski) #21

Hey Mike,

Auth0 sponsors and is a certified OpenID Connect provider. I personally participate in the working group and we (Auth0) help a lot on the evangelism of these standards (see: and

let’s tell everyone to get an Auth0 account

Maybe this is not clear, but Auth0 is closer to a federation broker than an Identity Provider (we provide user/pwd storage but it’s just a feature). If you notice, the implementation the IAM team chose is passwordless (email code), LDAP or social provider; there is no password storage on any of these. This, plus the fact that all the relying parties (apps) speak the OIDC/OAuth2 standard, makes Auth0 completely replaceable without having to go through byzantine migrations. This was always one of our goals: to be chosen because we provide the best platform that implements these standards. If Mozilla happens to find a better implementation, OSS or not, I would love to learn from it, and improve ours.

Matias (CTO)

(Kairo) #22

One thing I noticed is that I can’t get my existing account working with that GitHub-only setup as I never receive a recover email. Is that broken or am I a one-off?

(Kairo) #23

As I see on the Reps portal (and as I feared before), the password-less email login really sucks. Until I actually receive the email (in a different application than where I started the flow, of course), I don’t know any more what I wanted to do originally and have been ripped out of the work flow I started with. I’d even prefer the big corporate walled gardens knowing when I log in to this work-disruptive method.

Edit: And additionally, once I realize I have started a login session and look into email, and open the link, I get greeted with a “Mozilla Corporation - Oops!, something went wrong” screen with no explanation if I can do anything to actually log in :frowning:

(Jwhitlock) #24

I’m sorry to hear that account recovery isn’t working. The “happy path” for recovering an MDN account is:

  1. Sign in with GitHub
  2. We notice there is an existing account that shares an email with your GitHub profile, and display a box with “Click here to recover a profile”. You click the link
  3. A login link is sent to the email address (and maybe lands in the spam folder :frowning:).
  4. You are logged into the existing account, and can associate it with GitHub for future logins.

If the “happy path” did not work for you, please open a bug so we can get into specifics like email addresses in a non-public forum.
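The recovery flow above, as an added illustration that is not MDN’s or Auth0’s code: it assumes a constructed in-memory account store, a verified-email list on the GitHub profile, and a hypothetical `https://example.invalid/recover` link. It shows the server-side checks a practitioner would expect on steps 2 to 4: match only verified emails against unlinked accounts, store just a hash of the emailed token, and make the link expire and be single-use.

```python
import hashlib
import secrets
import time

# Constructed stand-in for the existing account store: email -> account record.
ACCOUNTS = {"kairo@example.org": {"id": 42, "github_id": None}}
# Pending recovery tokens, keyed by SHA-256 of the token (the raw token is never stored).
PENDING = {}
TOKEN_TTL = 15 * 60  # seconds a login link stays valid

def find_recoverable_account(github_profile):
    """Step 2: a verified GitHub email that matches an existing, not-yet-linked account."""
    for email in github_profile.get("verified_emails", []):
        acct = ACCOUNTS.get(email.lower())
        if acct and acct["github_id"] is None:
            return email.lower()
    return None

def issue_login_link(email, github_id, now=None):
    """Step 3: mint a random single-use token; only its hash lands in PENDING."""
    raw = secrets.token_urlsafe(32)
    digest = hashlib.sha256(raw.encode()).hexdigest()
    PENDING[digest] = {
        "email": email,
        "github_id": github_id,
        "expires": (now if now is not None else time.time()) + TOKEN_TTL,
    }
    # Hypothetical link; in practice this is what gets emailed to the user.
    return f"https://example.invalid/recover?token={raw}"

def redeem_login_link(raw_token, now=None):
    """Step 4: verify the token, then link the account to GitHub.
    The token is consumed on first use whether it succeeds or not, and an
    expired token is rejected, so a leaked or replayed link does nothing."""
    digest = hashlib.sha256(raw_token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)  # pop so a second use fails
    if entry is None:
        return None
    if (now if now is not None else time.time()) > entry["expires"]:
        return None
    acct = ACCOUNTS[entry["email"]]
    acct["github_id"] = entry["github_id"]
    return acct["id"]
```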

(Kairo) #25

That’s where it fails for me, and given that I own my email server, I know it didn’t land in any spam stuff on my side. I’ll file a bug.

(Henrik Mitsch) #26

Hi @kairo, this was the HTTP 400 issue, right?

If yes, this case can be considered closed. :slight_smile:

Best regards,

(Kairo) #27

Yes, was that, thanks for jumping and working on it! :slight_smile:

(alex_mayorga) #28

Hello Matias!

Would it be possible to get a “Remember me on this device/IP” kind of check box in Auth0 in the near future, please?


(Henrik Mitsch) #29

Hi @alex_mayorga,

can you describe what exactly you would like to achieve and/or the problem you experience?

Best regards,