Changes


Identity/BrowserID

314 bytes added, 23:14, 19 January 2012
User-Agent Compliance
The User-Agent plays an important role in BrowserID support. Here, we define, normatively, the API that user agents MUST implement, including specific behaviors in response to these API calls. Relying Parties and Identity Providers can safely skip this section.
 
A compliant BrowserID User-Agent must implement the <tt>navigator.id</tt> object, which serves both for issuing assertions and exposing a provisioning flow to identity providers.
=== Issuing Assertions ===
Previous revision:

A compliant BrowserID User-Agent must implement the <tt>navigator.id</tt> object, with the following API calls as described here.
<tt>navigator.id.get(object options);</tt>
# Establish the origin of the requesting site (including scheme and non-standard port).
# Check local BrowserID store for known identities that have been successfully used previously.
# If no associations are found, the User-Agent SHOULD ask the user for what to do, by presenting a list of known email identities to choose from.
# If no email identities are known, the User-Agent MAY assist the user in any way it sees fit. [xxx ?]
# Verify the expiry date of the certificate associated with the identity of the previously-chosen association.
# If the certificate has expired, or would expire before the intended validity period of the assertion to be generated, the User-Agent MUST follow the steps in the CERTIFICATE REFRESH section of this specification.
# Create an Identity Assertion object for the chosen identity, scoped to the full domain of the requesting site (including scheme and non-standard port), and sign it with the private key associated with the chosen identity.
# Execute the <tt>navigator.id.onVerifiedEmail</tt> callback and provide the newly-created Identity Assertion as an argument.
The User Agent MUST fire one of two events on the <tt>navigator.id</tt> object:
* A <tt>loginCancelled</tt> event if the user chose not to log in.

Revision as of 23:14, 19 January 2012:

The User-Agent MUST offer the following API call:
<tt>navigator.id.get(object options);</tt>
# Establish the origin of the requesting site (including scheme and non-standard port).
# Check local BrowserID store for known identities that have been successfully used previously.
# Present the list of known identities. The User Agent MAY suggest a preferred identity out of that list based on heuristics or other internal state, e.g. the email last used on that site.
# When the user selects an Identity:
## check that the associated certificate is still valid. If not, initiate a provisioning workflow for that Identity, then continue once it returns successfully.
## generate an Identity Assertion using the requesting site's origin as audience and the current time. Bundle it with the associated certificate to create a Backed Identity Assertion, and fire a <tt>login</tt> event on the <tt>navigator.id</tt> object with a serialization of the Backed Identity Assertion in the <tt>assertion</tt> field of the event, then terminate the login workflow.
# If no Identities are known, or if the user wishes to use a new Identity, the User-Agent should prompt the user for this new identity, and use it to initiate a Provisioning workflow (see below). Once provisioning has completed, the User Agent SHOULD present the updated list of identities to the user.
# If, at any point, the user cancels the login process, fire a <tt>loginCancelled</tt> event on the <tt>navigator.id</tt> object and terminate the login workflow.
By the end of the process, the User Agent MUST fire one of two events on the <tt>navigator.id</tt> object:
* A <tt>loginCancelled</tt> event if the user chose not to log in.
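The steps above describe the User-Agent side of <tt>navigator.id.get()</tt>: bind the audience to the full origin, reuse a known identity only while its certificate is still valid, re-provision otherwise, and finish with exactly one of a <tt>login</tt> or <tt>loginCancelled</tt> event. The following is an added, runnable model of that workflow written for this page; it is not code from the BrowserID wiki or from Mozilla. The in-memory store, the <tt>provision</tt> and <tt>chooser</tt> hooks (standing in for the IdP provisioning flow and the user's choice in the UA's picker) and the unsigned claims-only assertion shape are assumptions made for the illustration.

```javascript
// Added example, not code from the BrowserID wiki or from Mozilla: an in-memory
// model of the navigator.id.get() steps, so the two possible outcomes (a `login`
// event carrying a Backed Identity Assertion, or a `loginCancelled` event) can be
// exercised offline. Store layout, the `provision`/`chooser` hooks and the
// assertion shape are assumptions. Runs on Node >= 15 (global EventTarget/Event).

const NOW = Date.parse("2012-01-19T23:14:00Z"); // constructed "current time"

// Step 1: the audience is the requesting site's full origin. URL.origin keeps the
// scheme and any non-default port, which is what the text requires.
function originOf(requestingUrl) {
  return new URL(requestingUrl).origin;
}

// An identity is an email plus the certificate an IdP issued for its key. Only the
// fields the algorithm inspects are modelled; real certificates are signed.
function makeIdentity(email, certExpiry) {
  return { email, certificate: { email, expiry: certExpiry }, lastUsed: {} };
}

function certificateValid(identity, now) {
  return identity.certificate.expiry > now;
}

// Bundle a short-lived, audience-bound assertion with the certificate: the
// "Backed Identity Assertion" of the text (claims only, no signature in this model).
function createBackedAssertion(identity, audience, now, lifetimeMs = 2 * 60 * 1000) {
  return {
    certificate: identity.certificate,
    assertion: { email: identity.email, audience, issuedAt: now, expiry: now + lifetimeMs },
  };
}

// The "MAY suggest a preferred identity" heuristic: the one last used on this site.
function suggestIdentity(identities, audience) {
  let best = null;
  for (const id of identities) {
    const t = id.lastUsed[audience];
    if (t !== undefined && (best === null || t > best.lastUsed[audience])) best = id;
  }
  return best ? best.email : null;
}

class NavigatorId extends EventTarget {
  // store: known identities; provision(email) -> identity with a fresh certificate,
  // or null if provisioning failed; chooser(emails, suggested) -> an email (known
  // or new) or null when the user cancels.
  constructor(store, provision, chooser, now = NOW) {
    super();
    Object.assign(this, { store, provision, chooser, now });
  }

  get(options) {
    const audience = originOf(options.requestingUrl);
    for (;;) {
      // Present the (possibly updated) list of identities and let the user choose.
      const emails = this.store.map((i) => i.email);
      const choice = this.chooser(emails, suggestIdentity(this.store, audience));
      if (choice === null) return this.cancel();

      const identity = this.store.find((i) => i.email === choice);
      if (!identity) {
        // Unknown email: run a provisioning workflow, then re-present the list.
        const fresh = this.provision(choice);
        if (!fresh) return this.cancel();
        this.store.push(fresh);
        continue;
      }
      if (!certificateValid(identity, this.now)) {
        // Expired certificate: re-provision this identity, then continue.
        const fresh = this.provision(identity.email);
        if (!fresh) return this.cancel();
        identity.certificate = fresh.certificate;
      }
      const backed = createBackedAssertion(identity, audience, this.now);
      identity.lastUsed[audience] = this.now;
      const ev = new Event("login");
      ev.assertion = JSON.stringify(backed); // serialized into the event's assertion field
      this.dispatchEvent(ev);
      return { outcome: "login", assertion: backed };
    }
  }

  cancel() {
    this.dispatchEvent(new Event("loginCancelled"));
    return { outcome: "loginCancelled" };
  }
}

// Constructed scenario: one valid identity, one with an expired certificate; the
// user picks the expired one, so provisioning runs before the login event fires.
function demo() {
  const store = [makeIdentity("alice@example.com", NOW + 3600e3),
                 makeIdentity("bob@example.com", NOW - 1)];
  const provisioned = [];
  const provision = (email) => { provisioned.push(email); return makeIdentity(email, NOW + 86400e3); };
  const ua = new NavigatorId(store, provision, () => "bob@example.com");
  const fired = [];
  ua.addEventListener("login", (e) => fired.push(e.type));
  ua.addEventListener("loginCancelled", (e) => fired.push(e.type));
  const result = ua.get({ requestingUrl: "https://rp.example:8443/login" });
  return { result, provisioned, fired };
}

console.log(JSON.stringify(demo(), null, 2));
```

The loop structure is what makes "present the updated list once provisioning has completed" and "cancel at any point" fall out naturally: every path either re-enters the picker or returns through exactly one of the two event-firing exits, and the audience is computed once from the origin, so a stale or path-bearing value can never end up in the assertion.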