Getting involved with Account Manager

It’s been a couple of weeks since we originally posted about Account Manager and we’ve gotten a lot of feedback. We’ve got a few opportunities for people to get more involved with the project, listed below.

Join us at the Account Manager Meet-up or at IIW

We are hosting an Account Manager Meet-up on Friday, May 21st at Mozilla’s Mountain View Headquarters. This meetup will be an excellent opportunity to give your feedback on the draft specification as we prepare to finalize it. So, if you are a web developer, sysadmin, protocol or security expert, RSVP here.

The summit will be from 1PM to 4PM followed by a “cantina” during which you’ll get a chance to meet with other Mozilla developers over informal drinks and snacks.

We’ll also be presenting at the Internet Identity Workshop next week; if you are planning on attending IIW look for the Account Manager talk and come and say hello!

Browser-assisted registration

Another way to help out is to add registration support to your site. The latest version of the Account Manager add-on adds support for a basic registration flow, and we’re very interested in finding out what the Web development community thinks about it. Here’s what you need to do:

Add a snippet to the username-password-form profile in your AMCD:

"register": {
    "method": "POST",
    "path": "/register-endpoint",
    "id-type": "email"
}

Then you need to add a method at /register-endpoint which will receive the user id and secret as POST parameters. Your method should return 200 if the id and secret are OK, otherwise return 400 with a snippet of JSON (see the spec for details and examples).

You might need to change your content to accommodate this new model: after you return 200 the expectation is that there is a username+password pair which is valid, even though it might map to a disabled account. For example, if you need to ask for additional information, have the user solve a captcha, or require email verification, simply keep the account disabled until those additional requirements have been met.
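A sketch of the server-side logic behind /register-endpoint, added here as an example and not taken from the Account Manager spec or add-on. The POST field names `id` and `secret`, the JSON error bodies, the minimum secret length and the in-memory `accounts` store are assumptions; the spec defines the real parameter names and error format.

```python
import hashlib, hmac, json, os, re
from urllib.parse import parse_qs

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # matches "id-type": "email"
MIN_SECRET_LEN = 8        # assumed site policy
ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor

def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def handle_register(body, accounts):
    """Return (status, json_body) for a form-encoded POST body."""
    form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    user_id = form.get("id", [""])[0].strip().lower()   # assumed field name
    secret = form.get("secret", [""])[0]                # assumed field name
    if not EMAIL_RE.match(user_id):
        return 400, json.dumps({"error": "invalid-id"})   # hypothetical body
    if len(secret) < MIN_SECRET_LEN:
        return 400, json.dumps({"error": "weak-secret"})  # hypothetical body
    if user_id in accounts:
        # This answer reveals that the id exists; rate-limit the endpoint.
        return 400, json.dumps({"error": "id-taken"})     # hypothetical body
    salt = os.urandom(16)
    # After the 200 the id+secret pair is valid, but the account stays
    # disabled until captcha / email verification has been completed.
    accounts[user_id] = {"salt": salt, "hash": _hash(secret, salt),
                         "enabled": False}
    return 200, ""

def check_login(user_id, secret, accounts):
    """Return 'ok', 'disabled' or 'denied' for a login attempt."""
    acct = accounts.get(user_id.strip().lower())
    # Hash even for unknown ids so response time does not reveal existence.
    salt = acct["salt"] if acct else b"\0" * 16
    digest = _hash(secret, salt)
    if acct is None or not hmac.compare_digest(acct["hash"], digest):
        return "denied"
    return "ok" if acct["enabled"] else "disabled"
```

Only a salted, slow hash of the secret is stored, and a correct secret for a not-yet-verified account is reported as "disabled" rather than "denied", which is the state the registration model above expects to exist after a 200.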

Addressing cross-site request forgeries

Based on feedback from the community, we’ve been investigating several possibilities for preventing CSRF attacks with Account Manager. In addition to supporting CSRF tokens, the latest proposal leverages headers to achieve the same goal with fewer requests and without a session cookie. Interested? Join the discussion on our forum.

Join us online

Join our online community: visit the Account Manager feature page to learn more about Account Manager and to subscribe to our mailing list/forum.

If you add support for Account Manager to your site, please add yourself to the wiki page for early Account Manager sites.

About Dan Mills



  1. Robert Kaiser

    I’d love to come to the meetup and such things, but it’s not that easy to just walk over from Central Europe to MV… :(

    It would be nice if there was a way to communicate via IRC, but it doesn’t look like people knowing anything about Account Manager are usually present in #labs or whatever it is now.

    May 16th, 2010 at 08:55

  2. lg

    Wow, they had irc? I never knew… but I suspected they must of course have one…

    I’ve wondered about telling some site admins I know about this account manager… chances are they already know, but I wonder why anyone should be incorporating new functionality into their web sites, if only one or two people could even use it?

    My opinion is that future proofing doesn’t need to occur if nearly all of the visitors never even use the new code… (IE users)

    May 17th, 2010 at 11:00

    1. jpvincent

      Well, Mozilla will integrate that into Firefox 4 and I personally think that for the user, managing his logins in the browser will be as important as having tabs like FF did a few years ago.
      FF4 alone will represent 30% of your audience in one year and if this functionality works, other browsers will adhere to the standard.

      So right now is definitely not the best time to implement that, as long as the spec is not finalized, but I bet it will be a must have in 2 years

      May 18th, 2010 at 02:01

  3. Lg from before

    hmm, I think it’d be great if the account manager saved on data transfer sizes, when it gets used…

    As I understand it, right now, firefox and other browsers can save log-in form information, but still have to send it to the log in servers, and a user name and password might have a lot of characters in it, so saving data transferred there, would have one of those nice accumulative effects of lower bandwidth usage?

    May 18th, 2010 at 07:37

  4. Anonymous

    I don’t like what you’ve turned this into.

    I liked this feature the way it was in the early Weave builds, it was a discrete little icon in the awesomebar and did everything I wanted it to. Even when you separated it into Account Manager v 0.0.2, it was still fine.

    But now it doesn’t even work, and from the looks of the current version, it feels more bulky, simplified and dumbed down. You have only made it worse.

    May 19th, 2010 at 16:46

  5. zafar iqbal

    I want job for account manager or admin manager. can have a job my requirement.

    September 14th, 2010 at 22:42
