Firefox Accounts End-to-end encryption

Firefox Accounts offers an end-to-end encryption support feature for OAuth reliers by deriving a strong encryption key from user's password. Keep in mind that Firefox Accounts does not provide a storage solution, it is up to you to use the generated key and encrypt the data with that key.

WebExtensions

To use this feature in WebExtensions you need to do the following:

  1. Register an OAuth client and an OAuth app scope with Firefox Accounts
  2. Install the fxa-crypto-relier library into your WebExtension
  3. Follow the documentation to trigger the Firefox Accounts login screen
  4. Consume the derived key after the successful login

Examples

You can find an example of this feature in the TestPilot Notes source code. Here's a simplified diagram of a scoped key generated for a WebExtension:

An example of a key generated by Firefox Accounts: 

The generated key can be imported using existing WebCrypto APIs:

function shared_key(key) {
  return crypto.subtle.importKey(
    'jwk',
    { kty: key.kty, k: key.k.replace(/=/, '') },
    'AES-KW',
    true,
    ['wrapKey', 'unwrapKey']
  );
}

Document Tags and Contributors

 Contributors to this page: vladikoff
 Last updated by: vladikoff,