Mozilla’s identity and access management (IAM) initiatives

(Mike) #19

Auth0? Really? It’s not a surprising choice from the same stellar IAM team that previously thought their “persona” identity system was a good idea. Don’t support open standards… let’s tell everyone to get an Auth0 account… of course! Obviously Mozilla should support OpenID Connect, which is already supported by Google, Microsoft and numerous other domains, and provides a solution for distributed control of identity information (in case people realize that we have enough massive silos of identity information for the NSA to hack).

(Kairo) #20

Sorry, don’t be so harsh, you can say your opinion without attacking people. And even inform yourself before you talk. The IAM team did not create Persona, nor did they end it, and even then Persona tried to create a new open standard for something where there was none (and still isn’t). Also, Auth0 actually supports and uses OpenID Connect. While I may not ultimately be in favor of closed-source solutions personally, for the timeframe and the dire landscape out there, this was and is probably a decent choice for this initiative. Your uninformed and personal attack is unwarranted, please be gentle and adhere to the Mozilla Participation Guidelines.
And please give the team that has to make those decisions some love. It’s awesome that they are open about what they are choosing and doing in their paid job (are you doing the same?) and that they are adhering to high security standards and weighing the options available carefully.

(Matias Woloski) #21

Hey Mike,

Auth0 sponsors and is a certified OpenID Connect provider. I personally participate in the working group and we (Auth0) help a lot on the evangelism of these standards (see: and

let’s tell everyone to get an Auth0 account

Maybe this is not clear, but Auth0 is closer to a federation broker than an Identity Provider (we provide user/pwd storage but it’s just a feature). If you notice, the implementation the IAM team chose is passwordless (email code), LDAP or social provider; there is no password storage on any of these. This, plus the fact that all the relying parties (apps) speak the OIDC/OAuth2 standard, makes Auth0 completely replaceable without having to go through Byzantine migrations. This was always one of our goals: to be chosen because we provide the best platform that implements these standards. If Mozilla happens to find a better implementation, OSS or not, I would love to learn from it, and improve ours.

Matias (CTO)
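
The replaceability argument above rests on the relying party doing only what the OIDC spec asks of it: verify the ID token’s signature and check its claims. The following is an added example (not Auth0’s, Mozilla’s or the IAM team’s code) of that relying-party side, with two constructed broker configurations so the swap is visible. It assumes an HS256-signed ID token keyed by the client secret (which OIDC Core permits); a production app would normally fetch RS256 keys from the provider’s JWKS instead. All issuers, client ids, secrets and claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenValidationError(Exception):
    """Raised when an ID token fails a signature or claim check."""


def _b64url_decode(segment: str) -> bytes:
    # JWS uses base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_hs256_id_token(token: str, client_secret: str) -> dict:
    """Check the JWS signature of a compact-serialised ID token and return its claims.

    OIDC Core 10.1 allows HMAC signing keyed by the client_secret; for RS256 the
    same place would look the key up in the provider's JWKS by the header's kid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("malformed JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm on the RP side: the token must never choose it (alg=none).
        raise TokenValidationError("unexpected alg %r" % header.get("alg"))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(client_secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenValidationError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_id_token_claims(claims: dict, rp: dict, expected_nonce: str, now=None) -> str:
    """Apply the relying-party checks of OIDC Core 3.1.3.7 and return the subject."""
    now = time.time() if now is None else now
    skew = rp.get("clock_skew_seconds", 0)
    if claims.get("iss") != rp["issuer"]:
        raise TokenValidationError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if rp["client_id"] not in aud_list:
        raise TokenValidationError("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != rp["client_id"]:
        raise TokenValidationError("azp must name this client when aud has several entries")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        raise TokenValidationError("token expired")
    if not isinstance(iat, (int, float)) or iat > now + skew:
        raise TokenValidationError("token issued in the future")
    # The nonce ties the token to the authentication request that started this session.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise TokenValidationError("nonce mismatch (possible replay)")
    sub = claims.get("sub")
    if not sub:
        raise TokenValidationError("missing sub")
    return sub


def login_callback(token: str, rp: dict, expected_nonce: str, now=None) -> str:
    """What the app runs when the broker redirects back: verify, then validate."""
    claims = verify_hs256_id_token(token, rp["client_secret"])
    return validate_id_token_claims(claims, rp, expected_nonce, now)


def mint_test_id_token(claims: dict, client_secret: str) -> str:
    """Constructed stand-in for the provider so the flow can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


# Constructed configs for two hypothetical brokers. Moving from one to the other
# changes only these values; login_callback() and the checks above are untouched.
RP_BROKER_A = {"issuer": "https://broker-a.example/", "client_id": "mdn-web",
               "client_secret": "constructed-secret-A", "clock_skew_seconds": 60}
RP_BROKER_B = {"issuer": "https://broker-b.example/", "client_id": "mdn-web",
               "client_secret": "constructed-secret-B", "clock_skew_seconds": 60}
```

The checks that matter for a broker swap are the ones that are pinned on the app side (issuer, audience, algorithm, nonce); an app that skips any of them is tied to the provider’s behaviour rather than to the standard.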

(Kairo) #22

One thing I noticed is that I can’t get my existing account working with that GitHub-only setup as I never receive a recover email. Is that broken or am I a one-off?

(Kairo) #23

As I see on the Reps portal (and as I feared before), the password-less email login really sucks. Until I actually receive the email (in a different application than where I started the flow, of course), I don’t know any more what I wanted to do originally and have been ripped out of the work flow I started with. I’d even prefer the big corporate walled gardens knowing when I log in to this work-disruptive method.

Edit: And additionally, once I realize I have started a login session and look into email, and open the link, I get greeted with a “Mozilla Corporation - Oops!, something went wrong” screen with no explanation if I can do anything to actually log in :frowning:

(Jwhitlock) #24

I’m sorry to hear that account recovery isn’t working. The “happy path” for recovering an MDN account is:

  1. Sign in with GitHub
  2. We notice there is an existing account that shares an email with your GitHub profile, and display a box with “Click here to recover a profile”. You click the link
  3. A login link is sent to the email address (and maybe lands in the spam folder :frowning:).
  4. You are logged into the existing account, and can associate it with GitHub for future logins.

If the “happy path” did not work for you, please open a bug so we can get into specifics like email addresses in a non-public forum.
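
The four-step recovery flow above has two security-relevant properties a reader may want spelled out: the emailed link must be single-use and short-lived, and the account may only be linked to a GitHub identity whose email the provider has actually verified. The following is an added example (not MDN’s, Auth0’s or the IAM team’s code) of a minimal server-side implementation of those steps. The account store, the link lifetime, the GitHub profile shape (`email`, `email_verified`) and the addresses are constructed assumptions; the failure reasons returned are what a user would see instead of the generic error reported later in this thread.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # constructed policy: a recovery link lives 15 minutes


class RecoveryLinkStore:
    """Pending recovery links, keyed by the SHA-256 of the token.

    Only the hash is stored, so a copied database cannot be turned into working
    links; an entry is removed on its first redemption, which makes it single-use.
    """

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe for the link
        self._pending[self._key(token)] = (email.lower(), now + LINK_TTL_SECONDS)
        return token  # appears only in the email; never persisted in clear

    def redeem(self, token: str, now=None):
        """Return (email, None) on success or (None, reason) so the UI can explain."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._key(token), None)  # removed even when expired
        if entry is None:
            return None, "unknown or already used link"
        email, expires_at = entry
        if now > expires_at:
            return None, "link expired"
        return email, None


def start_recovery(github_profile: dict, accounts: dict, store: RecoveryLinkStore, now=None):
    """Steps 1-3: after a GitHub sign-in, find an existing account with the same
    email and issue the link to send there. Returns the token to email, or None."""
    if not github_profile.get("email_verified"):
        # Linking on an unverified address would let anyone who claims that
        # address at GitHub take over the matching account.
        return None
    email = github_profile["email"].lower()
    account = accounts.get(email)
    if account is None or account.get("github_id") is not None:
        return None  # nothing to recover, or already linked (normal sign-in applies)
    return store.issue(email, now)


def finish_recovery(token: str, github_id: int, accounts: dict, store: RecoveryLinkStore, now=None):
    """Step 4: the link is opened, the account is logged in and linked to GitHub."""
    email, reason = store.redeem(token, now)
    if email is None:
        return None, reason  # a specific message rather than a bare "something went wrong"
    account = accounts[email]
    account["github_id"] = github_id
    return account["id"], None
```

Returning the reason from `redeem` is deliberate: a user who opens a link a second time, or after it expired, gets told to restart the flow rather than being left guessing whether the recovery is broken.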

(Kairo) #25

That’s where it fails for me, and given that I own my email server, I know it didn’t land in any spam stuff on my side. I’ll file a bug.

(Henrik Mitsch) #26

Hi @kairo, this was the HTTP 400 issue, right?

If yes, this case can be considered closed. :slight_smile:

Best regards,

(Kairo) #27

Yes, was that, thanks for jumping and working on it! :slight_smile:

(alex_mayorga) #28

Hello Matias!

Would it be possible to get a “Remember me on this device/IP” kind of check box in Auth0 in the near future, please?


(Henrik Mitsch) #29

Hi @alex_mayorga,

can you describe what exactly you would like to achieve and/or the problem you experience?

Best regards,

(alex_mayorga) #30

Hello Henrik!

I’d like for my sign-ins to last a bit more before I’m asked to re-authenticate.


(Henrik Mitsch) #31

Hi @alex_mayorga, I think most of our properties have 30 day tokens by now. Is this not enough?

(alex_mayorga) #32

Hello Henrik!

Perhaps the fact that I login in all these on both the Debian and Windows 10 partitions makes it feel less “SSO-ish” than it should:

Would we ever see these moving to or is that a non-goal?


(Henrik Mitsch) #33

This is probably a non-goal. Lots of reasons for that. The main one being: Firefox Accounts are currently bound to be used only for Firefox use cases, not for general authentication/authorization requests.

(Jason Bradford) #34

As to persona-like authentication, have a look at the open FIDO standards. They do enable authentication (though not authorization) in a pretty excellent way that opens the door to some pretty future-minded authentication workflows that maintain RP-RP anonymity and a high level of security and it actually lessens the development load for RPs once enabled.

Full disclosure, this is a biased opinion. Prior to Mozilla, I worked with the people who created the standard. It would be really great if Auth0 were looking to support the standard as well.

(rugk) #35

Thing is: why do you trust an external provider for something as critical and sensitive as login? You should not depend on a third party just for user login. When it goes down, has security flaws, handles your user data (is all data from Mozilla staff passed to Auth0?) in a non-sensitive way, has any breach or whatever… you have the problem.
And: you cannot even do anything about it. You do not even have the responsibility…

Also, passwordless login via mail is anything but a nice way to log in.

(Jasmine Bogolyubova) #36

Agree with you mate, it’s a very good thing, I use it as well and I am happy!

(Armen) #37

Thanks for this overview.

Since this is pinned at the top; Would it be possible to create a more recent summary and pin that instead of this post?

(Leo McArdle) closed #39