fix: add settings for FxA acct event SET aud and iss

chenba · chenba · commit 1695e1eb1fea · 2026-06-15T15:07:37.000-05:00
diff --git a/docs/src/config.md b/docs/src/config.md
@@ -107,6 +107,8 @@ The following configuration options are available.
 | <span id="SYNC_TOKENSERVER__TOKEN_DURATION"></span>SYNC_TOKENSERVER__TOKEN_DURATION | 3600 | Token TTL (1 hour) |
 | <span id="SYNC_TOKENSERVER__FXA_WEBHOOK_ENABLED"></span>SYNC_TOKENSERVER__FXA_WEBHOOK_ENABLED | false | Enable the FxA webhook endpoint. When disabled, the route is not registered. |
 | <span id="SYNC_TOKENSERVER__FXA_WEBHOOK_METRICS_ONLY"></span>SYNC_TOKENSERVER__FXA_WEBHOOK_METRICS_ONLY | false | Run the FxA webhook handler in metrics-only mode. Received events are counted but not processed. Only used if `FXA_WEBHOOK_ENABLED` is true. |
+| <span id="SYNC_TOKENSERVER__FXA_WEBHOOK_SET_CLIENT_ID"></span>SYNC_TOKENSERVER__FXA_WEBHOOK_SET_CLIENT_ID | None | Expected `aud` of FxA Security Event Tokens. Required for account event webhooks. |
+| <span id="SYNC_TOKENSERVER__FXA_WEBHOOK_SET_ISSUER"></span>SYNC_TOKENSERVER__FXA_WEBHOOK_SET_ISSUER | None | Expected `iss` of FxA Security Event Tokens. Required for account event webhooks. |
 
 ### Tokenserver+FxA Integration
 
diff --git a/syncserver/src/tokenserver/mod.rs b/syncserver/src/tokenserver/mod.rs
@@ -76,25 +76,20 @@ impl ServerState {
 
         let set_verifiers = {
             let mut verifiers = Vec::with_capacity(2);
-            if let Some(client_id) = &settings.fxa_client_id {
+            if let (Some(client_id), Some(issuer)) = (
+                &settings.fxa_webhook_set_client_id,
+                &settings.fxa_webhook_set_issuer,
+            ) {
                 if let Some(primary_jwk) = &settings.fxa_oauth_primary_jwk {
                     verifiers.push(
-                        SETVerifierImpl::new(
-                            primary_jwk,
-                            client_id,
-                            &settings.fxa_oauth_server_url,
-                        )
-                        .expect("Invalid primary JWK for SET verification"),
+                        SETVerifierImpl::new(primary_jwk, client_id, issuer)
+                            .expect("Invalid primary JWK for SET verification"),
                     );
                 }
                 if let Some(secondary_jwk) = &settings.fxa_oauth_secondary_jwk {
                     verifiers.push(
-                        SETVerifierImpl::new(
-                            secondary_jwk,
-                            client_id,
-                            &settings.fxa_oauth_server_url,
-                        )
-                        .expect("Invalid secondary JWK for SET verification"),
+                        SETVerifierImpl::new(secondary_jwk, client_id, issuer)
+                            .expect("Invalid secondary JWK for SET verification"),
                     );
                 }
             }
diff --git a/tokenserver-settings/src/lib.rs b/tokenserver-settings/src/lib.rs
@@ -40,7 +40,7 @@ pub struct Settings {
     /// A secondary JWK to be used to verify OAuth tokens. This is intended to be used to enable
     /// seamless key rotations on FxA.
     pub fxa_oauth_secondary_jwk: Option<Jwk>,
-    /// Sync's client id assigned by FxA.  It is used to validate the `aud` of JWKs.
+    /// Sync's client id assigned by FxA.  Used to validate OAuth access tokens.
     pub fxa_client_id: Option<String>,
     /// The rate at which capacity should be released from nodes that are at capacity.
     pub node_capacity_release_rate: Option<f32>,
@@ -75,6 +75,10 @@ pub struct Settings {
     /// are counted but not processed.
     /// Defaults to false.
     pub fxa_webhook_metrics_only: bool,
+    /// The `aud` of Security Event Tokens received on the account events webhook endpoint.
+    pub fxa_webhook_set_client_id: Option<String>,
+    /// The `iss` of Security Event Tokens received on the account events webhook endpoint.
+    pub fxa_webhook_set_issuer: Option<String>,
 }
 
 impl Default for Settings {
@@ -105,6 +109,8 @@ impl Default for Settings {
             init_node_capacity: 100000,
             fxa_webhook_enabled: false,
             fxa_webhook_metrics_only: false,
+            fxa_webhook_set_client_id: None,
+            fxa_webhook_set_issuer: None,
         }
     }
 }
