Mozilla ID HTML Client
The Mozilla ID HTML client is a pure-HTML implementation of the Mozilla ID relying party API that uses PostMessage to communicate with a trusted Mozilla iframe/popup. This iframe/popup, in turn, authenticates with the Mozilla ID serviceand requests identity assertions that the iframe can then return to the relying party via PostMessage.
It consists of 3 basic elements:
- Relying Party API Library
This is the library that a relying party includes in their page. It detects if the navigator.id.* APIs are present, and if not, creates them. This library is responsible for dynamically creating and communicating with the trusted iframe via PostMessage.
For more information on the relying party API, see MozillaID/Spec.
- Trusted Iframe
The trusted iframe is responsible for implementing most of the logic in the HTML client. Its duties include:
- Implementing a PostMessage protocol to communicate with the relying party API library.
- Launching and communicating with trusted popups in order to request user input.
- Establishing and maintaining an active session with the Mozilla ID service.
- Requesting identity assertions from the Mozilla ID service (after user consent), and sending them back to the relying party API library.
- The trusted iframe SHOULD not be a visible iframe or request user input directly, since it would be subject to clickjacking attacks. It SHOULD use a trusted pop-up to communicate with the user.
- The trusted iframe MUST determine the audience (the relying party's domain) by inspecting the origin of PostMessage requests. It MUST NOT trust the relying party to assert this via the PostMessage API.
For more information on the internal API the iframe uses to communicate with the Mozilla ID service, see the MozillaID/InternalSpec document.
- Trusted Pop-Up
TBD- there might be various popups (?). They are used for communicating with the user for sign-in, account creation, email selection, etc.
Trusted Iframe API
- how does it open a popup? does it need to talk to the wrapper to request a popup?
- how does it report failure to the wrapper API?
- how does it communicate with a popup?
1. page calls wrapper::getVerifiedEmail(cb)
2. wrapper::getVerifedEmail() calls service js to determine the current user's email
3. service js determines if user has active session
if no, then get an active session by use of a pop-up
(if service js fails to establish an active session, then return a failure)
4. service js determines if there is a default email already set to be disclosed to this RP
if no, then
make an API call to the ID server to fetch the list of possible email addresses to use, and show a pop-up to let the user decide if/what to disclose to the RP
if user cancels, return a failure (the same failure!)
5. once the service js has established the desired email to be disclosed, make an IAR (identity assertion request) to the ID server to obtain an IA that will be returned to the page
6. the wrapper gets back the IA from the service JS and calls the callback with status and IA.