X-Authentication-Method: Browser-ID (optional header since Browser-ID is the default)
{"audience":XXX,"assertion":XXX}
* the Login Server checks the browser id assertion [2] '''this step will be done locally without calling an external browserid server -- but this could potentially happen''' (we can use pyvep + use the BID.org certificate)