feat(auth): Send client_id, service, firstAuthorization to attached services #20766

Open
LZoog wants to merge 1 commit into main from FXA-13784-worktree1

@LZoog LZoog commented Jun 18, 2026

Because:

  • Braze needs the client_id/service on signup, and to know the first time a user authorizes a new service or RP

This commit:

  • Adds client_id to the 'verified' signup event
  • Adds firstAuthorization boolean to the 'login' event, derived from the accountAuthorizations table
  • Sets the 'login' event's 'service' to the browser service and falls back to the client_id (existing functionality) for web RPs
  • Removes some event-broker README docs in favor of ecosystem-platform docs

closes FXA-13784

--

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

For the verified signup event, we already send service from the query parameters over, interestingly enough. I added client_id there.

For login, service is currently sent as the client_id, but we also explicitly pass client_id too. So, here, I've changed service to be from the query params if available, and it still falls back to client_id.

Documentation added in mozilla/ecosystem-platform#784.

…ervices

Because:
* Braze needs the client_id/service on signup, and to know the first time a user authorizes a new service or RP

This commit:
* Adds client_id to the 'verified' signup event
* Adds firstAuthorization boolean to the 'login' event, derived from the accountAuthorizations table
* Sets the 'login' event's 'service' to the browser service and falls back to the client_id (existing functionality) for web RPs
* Removes some event-broker README docs in favor of ecosystem-platform docs

closes FXA-13784
@LZoog LZoog requested a review from a team as a code owner June 18, 2026 21:53
Copilot AI review requested due to automatic review settings June 18, 2026 21:53
@LZoog LZoog changed the title feat(auth): Send client_id, service, firstAuthorization to attached services feat(auth): Send client_id, service, firstAuthorization to attached services on 'verified' + 'login' Jun 18, 2026
@LZoog LZoog changed the title feat(auth): Send client_id, service, firstAuthorization to attached services on 'verified' + 'login' feat(auth): Send client_id, service, firstAuthorization to attached services Jun 18, 2026

Copilot AI left a comment

Pull request overview

This PR updates FxA “attached services” events so downstream consumers (e.g., Braze) can reliably identify the OAuth clientId, the effective service for browser/native flows, and whether a login corresponds to a user’s first authorization of a given service/RP. It also centralizes event format documentation by linking to ecosystem-platform docs.

Changes:

  • Add clientId to the verified signup event payload when available from request tags.
  • Add firstAuthorization to the login event, derived from existing accountAuthorizations rows read before consent writes.
  • Adjust login.service to prefer resolved OAuthNative service (browser service) and document event formats via external docs.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| packages/fxa-event-broker/README.md | Replaces embedded event format docs with links to ecosystem-platform documentation. |
| packages/fxa-auth-server/lib/routes/utils/signup.spec.ts | Adds tests asserting verified event includes/omits clientId appropriately. |
| packages/fxa-auth-server/lib/routes/utils/signup.js | Includes clientId in verified notifications when request is tagged with a client id. |
| packages/fxa-auth-server/lib/routes/utils/account.ts | Adds clientId to verified event for flows that bypass AccountHandler.createAccount. |
| packages/fxa-auth-server/lib/routes/oauth/authorization.spec.ts | Extends consent-write tests to cover firstAuthorization read/flag behavior. |
| packages/fxa-auth-server/lib/routes/oauth/authorization.js | Implements best-effort first-authorization detection; updates login payload service and adds firstAuthorization. |
| packages/fxa-auth-server/lib/routes/account.ts | Adds clientId to verified event on account creation when email is already verified. |
| packages/fxa-auth-server/lib/oauth/first-authorization.ts | Adds helper to derive whether an authorization is the first for a service/RP. |
| packages/fxa-auth-server/lib/oauth/first-authorization.spec.ts | Adds unit tests for deriveFirstAuthorization across native/web/ambiguous cases. |
| packages/fxa-auth-server/lib/log.spec.ts | Adds regression test ensuring explicit clientId + firstAuthorization pass through when service is an OAuthNative service string. |

Comment on lines +211 to +214
// Expose the resolved service so the `login` event reports `service` at the
// same grain as `firstAuthorization` (serviceTag alone misses scope-only
// flows, e.g. VPN cached sign-in that sends scope but no service=).
req.app.oauthService = serviceValue;
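
Review bot: the assignment `req.app.oauthService = serviceValue;` on the last line has no guard in the visible lines, and the comment above it does not say what `serviceValue` holds when the request resolves to no service at all. State that case in the comment, and make sure the `login` emitter treats an undefined or empty `oauthService` as absent so the fallback to client_id described in the PR still applies. Because this value ends up in an event sent to downstream consumers, it would also help to note here that `serviceValue` is a resolved, known service name and not the raw request parameter.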