| Line 346: | Line 346: | ||
The domain SHOULD determine, without any user-facing content, the user's state of authentication with the domain. The domain MAY use cookies or localStorage to make this determination. | The domain SHOULD determine, without any user-facing content, the user's state of authentication with the domain. The domain MAY use cookies or localStorage to make this determination. | ||
The domain | The domain MUST call, in JavaScript: | ||
navigator.id.beginProvisioning(provisionEmailFunction); | navigator.id.beginProvisioning(provisionEmailFunction); | ||
with <tt>provisionEmailFunction</tt> a function that accepts an email address as parameter. | with <tt>provisionEmailFunction</tt> a function that accepts an email address as parameter. | ||
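Review bot: the Line 346 row that lets the domain use "cookies or localStorage" to determine the user's authentication state treats two mechanisms with different security properties as interchangeable. localStorage is readable by any script running on the origin and is never seen by the server, whereas a session cookie can be marked HttpOnly and Secure and verified server-side; since the provisioning page must later decide whether the user is actually authorised for the email address before a key is certified, suggest the text recommend a server-verifiable session cookie and treat localStorage only as a client-side hint.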
| Line 352: | Line 352: | ||
Once the email address determined, the domain SHOULD check that the user is properly authenticated to use this email address. If she isn't, the domain SHOULD call <tt>navigator.id.raiseProvisioningFailure(explanation)</tt> with <tt>explanation</tt> a string explaining the failure. | Once the email address determined, the domain SHOULD check that the user is properly authenticated to use this email address. If she isn't, the domain SHOULD call <tt>navigator.id.raiseProvisioningFailure(explanation)</tt> with <tt>explanation</tt> a string explaining the failure. | ||
If the user is properly authenticated, the domain | If the user is properly authenticated, the domain MUST call: | ||
navigator.id.genKeyPair(gotPublicKey); | navigator.id.genKeyPair(gotPublicKey); | ||
with <tt>gotPublicKey</tt> a function that accepts a JWK-string-formatted public-key. | with <tt>gotPublicKey</tt> a function that accepts a JWK-string-formatted public-key. | ||
The domain's JavaScript SHOULD then send this JWK string to the domain's backend server. The domain's backend server SHOULD certify this key along with the email address provided to its <tt>provisionEmailFunction</tt> function, and an expiration date at least 1 minutes in the future. The backend server SHOULD NOT issue a certificate valid longer than 24 hours. | The domain's JavaScript SHOULD then send this JWK string to the domain's backend server. The domain's backend server SHOULD certify this key along with the email address provided to its <tt>provisionEmailFunction</tt> function, and an expiration date at least 1 minutes in the future. The backend server SHOULD NOT issue a certificate valid longer than 24 hours. The domain's backend server SHOULD then deliver a JWCert-string-formatted certificate back to its JavaScript context. The domain's JavaScript MUST finally call: | ||
navigator.id.registerCertificate(certificate); | |||
with the JWCert string. | |||
== Assertion Verification == | == Assertion Verification == | ||
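Review bot: the new Line 352 text makes navigator.id.registerCertificate(certificate) a MUST but gives no failure path when the backend declines to certify the key or the request to it fails; suggest stating that the JavaScript SHOULD call navigator.id.raiseProvisioningFailure(explanation) in that case, mirroring the branch for an unauthenticated user. Same row, two wording fixes: "at least 1 minutes in the future" should read "at least 1 minute", and "Once the email address determined" should read "Once the email address is determined". The 24-hour upper bound is sensible, but the sentence that has the backend certify "the email address provided to its provisionEmailFunction function" should make explicit that the backend certifies the address it has itself authenticated for the session, not an address echoed back by the client alongside the JWK.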