Changes


Identity/BrowserID

713 bytes added, 22:39, 21 February 2012
Identity Provisioning Flow
* The user-agent checks <tt>https://eyedee.me/.well-known/browserid</tt> and determines that <tt>eyedee.me</tt> supports BrowserID. From this configuration file it determines the provisioning and authentication URLs.
* The user-agent loads, in an invisible IFRAME, the provisioning URL <tt>https://eyedee.me/browserid/provision.html</tt>, delivering to that URL any cookies that have previously been set.
* The provisioning URL communicates with its server to determine if Alice is properly authenticated and, if so, triggers key generation within the user agent, obtains the public key, signs it, and registers the resulting certificate with the user agent:

 // get parameters of provisioning
 navigator.id.beginProvisioning(function(email, cert_duration) {
   // ... check if the current user is authenticated as 'email' ...
   if (notAuthenticated()) {
     navigator.id.raiseProvisioningFailure("user isn't authenticated");
     // stop here: no key pair or certificate for an unauthenticated user
     return;
   }
   // request a keypair be generated by browserid and get the public key
   navigator.id.genKeyPair(function(pubkey) {
     // ... interact with the server to sign the public key and get
     // a certificate ...
     var cert = someServerInteraction();
     // pass the certificate back to BrowserID and complete the
     // provisioning process
     navigator.id.registerCertificate(cert);
   });
 });

* If Alice is not properly authenticated, the user agent loads the authentication URL <tt>https://eyedee.me/browserid/authenticate.html</tt> in a dialog interface, where Alice can then proceed to log into <tt>EyeDee.me</tt> using whatever flow/method EyeDee.me wishes. Once this is successfully completed, the user-agent returns to the BrowserID user-interface, and attempts to load the provisioning URL as in the previous step.
* Once a certificate for <tt>alice@eyedee.me</tt> is installed, the user-agent completes the login to <tt>example.com</tt> by creating an assertion and delivering it to <tt>example.com</tt> as in the Main Protocol Flow above.
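
The first step of the flow, as an added example that is not part of the original page or of the BrowserID code: a user agent resolving the support document into provisioning and authentication URLs and refusing any that leave the identity provider's own HTTPS origin, since the provisioning URL is loaded with the domain's cookies. The function name, the JSON key names <tt>provisioning</tt> and <tt>authentication</tt>, and the sample documents are assumptions made for illustration.

```javascript
// Added example: resolve a domain's BrowserID support document into the
// provisioning and authentication URLs used in the flow above.
// Assumption: the document is JSON with "provisioning" and "authentication"
// path fields; those key names are not given on this page.
function resolveBrowserIdUrls(domain, body) {
  var origin = "https://" + domain;
  var doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    return { supported: false, reason: "support document is not valid JSON" };
  }
  if (doc === null || typeof doc !== "object") {
    return { supported: false, reason: "support document is not an object" };
  }
  var out = { supported: true };
  var fields = ["provisioning", "authentication"];
  for (var i = 0; i < fields.length; i++) {
    var name = fields[i];
    var path = doc[name];
    // Only absolute paths on the domain itself; "//host/..." is a
    // protocol-relative URL and would leave the origin.
    if (typeof path !== "string" || path.charAt(0) !== "/" ||
        path.charAt(1) === "/" || path.charAt(1) === "\\") {
      return { supported: false, reason: "bad " + name + " path" };
    }
    var url = new URL(path, origin);
    // Defence in depth: the URL parser strips tabs and newlines, so check
    // the resolved URL still sits on https://<domain>.
    if (url.origin !== new URL(origin).origin) {
      return { supported: false, reason: name + " URL leaves " + origin };
    }
    out[name] = url.href;
  }
  return out;
}

// Constructed sample documents (not captured from eyedee.me).
var goodDoc = JSON.stringify({
  provisioning: "/browserid/provision.html",
  authentication: "/browserid/authenticate.html"
});
var offOriginDoc = JSON.stringify({
  provisioning: "//other.example/provision.html",
  authentication: "/browserid/authenticate.html"
});

console.log(resolveBrowserIdUrls("eyedee.me", goodDoc));
console.log(resolveBrowserIdUrls("eyedee.me", offOriginDoc));
```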