diff --git a/docs/src/config.md b/docs/src/config.md
index b66c5f6d0b..c2dfad5c6e 100644
--- a/docs/src/config.md
+++ b/docs/src/config.md
@@ -107,6 +107,8 @@ The following configuration options are available.
| SYNC_TOKENSERVER__TOKEN_DURATION | 3600 | Token TTL (1 hour) |
| SYNC_TOKENSERVER__FXA_WEBHOOK_ENABLED | false | Enable the FxA webhook endpoint. When disabled, the route is not registered. |
| SYNC_TOKENSERVER__FXA_WEBHOOK_METRICS_ONLY | false | Run the FxA webhook handler in metrics-only mode. Received events are counted but not processed. Only used if `FXA_WEBHOOK_ENABLED` is true. |
+| SYNC_TOKENSERVER__FXA_WEBHOOK_SET_CLIENT_ID | None | Expected `aud` of FxA Security Event Tokens. Required for account event webhooks. |
+| SYNC_TOKENSERVER__FXA_WEBHOOK_SET_ISSUER | None | Expected `iss` of FxA Security Event Tokens. Required for account event webhooks. |
### Tokenserver+FxA Integration
diff --git a/syncserver/src/tokenserver/mod.rs b/syncserver/src/tokenserver/mod.rs
index 756764fb61..ab45b852bc 100644
--- a/syncserver/src/tokenserver/mod.rs
+++ b/syncserver/src/tokenserver/mod.rs
@@ -76,25 +76,20 @@ impl ServerState {
let set_verifiers = {
let mut verifiers = Vec::with_capacity(2);
- if let Some(client_id) = &settings.fxa_client_id {
+ if let (Some(client_id), Some(issuer)) = (
+ &settings.fxa_webhook_set_client_id,
+ &settings.fxa_webhook_set_issuer,
+ ) {
if let Some(primary_jwk) = &settings.fxa_oauth_primary_jwk {
verifiers.push(
- SETVerifierImpl::new(
- primary_jwk,
- client_id,
- &settings.fxa_oauth_server_url,
- )
- .expect("Invalid primary JWK for SET verification"),
+ SETVerifierImpl::new(primary_jwk, client_id, issuer)
+ .expect("Invalid primary JWK for SET verification"),
);
}
if let Some(secondary_jwk) = &settings.fxa_oauth_secondary_jwk {
verifiers.push(
- SETVerifierImpl::new(
- secondary_jwk,
- client_id,
- &settings.fxa_oauth_server_url,
- )
- .expect("Invalid secondary JWK for SET verification"),
+ SETVerifierImpl::new(secondary_jwk, client_id, issuer)
+ .expect("Invalid secondary JWK for SET verification"),
);
}
}
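Review bot: With the new condition at the top of the hunk, a deployment that enables the webhook but leaves either `fxa_webhook_set_client_id` or `fxa_webhook_set_issuer` unset now builds an empty `verifiers` list and starts without complaint, whereas the old code keyed the verifiers off `fxa_client_id`, which existing deployments already set for OAuth. Whether an empty list makes the handler reject every SET or skip verification depends on code outside this hunk, but either outcome is a silent misconfiguration of a security control. Since this constructor already panics on a bad JWK, failing fast after the block is consistent, e.g. `if settings.fxa_webhook_enabled && verifiers.is_empty() { panic!("fxa_webhook_enabled requires fxa_webhook_set_client_id, fxa_webhook_set_issuer and at least one FxA JWK"); }`, or at minimum a startup warning. The same gap applies to the new `Option` fields added in the tokenserver-settings hunk, which carry no validation. The enclosing `let set_verifiers` block and the `ServerState` constructor start and end outside this hunk.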
diff --git a/tokenserver-settings/src/lib.rs b/tokenserver-settings/src/lib.rs
index f0f38b5af3..662e893f1a 100644
--- a/tokenserver-settings/src/lib.rs
+++ b/tokenserver-settings/src/lib.rs
@@ -40,7 +40,7 @@ pub struct Settings {
/// A secondary JWK to be used to verify OAuth tokens. This is intended to be used to enable
/// seamless key rotations on FxA.
pub fxa_oauth_secondary_jwk: Option,
- /// Sync's client id assigned by FxA. It is used to validate the `aud` of JWKs.
+ /// Sync's client id assigned by FxA. Used to validate OAuth access tokens.
pub fxa_client_id: Option,
/// The rate at which capacity should be released from nodes that are at capacity.
pub node_capacity_release_rate: Option,
@@ -75,6 +75,10 @@ pub struct Settings {
/// are counted but not processed.
/// Defaults to false.
pub fxa_webhook_metrics_only: bool,
+ /// The `aud` of Security Event Tokens received on the account events webhook endpoint.
+ pub fxa_webhook_set_client_id: Option,
+ /// The `iss` of Security Event Tokens received on the account events webhook endpoint.
+ pub fxa_webhook_set_issuer: Option,
}
impl Default for Settings {
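Review bot: The doc comments on `fxa_webhook_set_client_id` and `fxa_webhook_set_issuer` name the claim each value is matched against but not what happens when they are left unset, while docs/src/config.md in this same change describes them as required for account event webhooks. Suggest adding a line to each, e.g. `/// Required when `fxa_webhook_enabled` is true; if unset, no SET verifier is built (see `ServerState` in syncserver/src/tokenserver/mod.rs).`, so the settings struct states the same contract as the user-facing table. The `Settings` struct definition starts outside this hunk.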
@@ -105,6 +109,8 @@ impl Default for Settings {
init_node_capacity: 100000,
fxa_webhook_enabled: false,
fxa_webhook_metrics_only: false,
+ fxa_webhook_set_client_id: None,
+ fxa_webhook_set_issuer: None,
}
}
}