alice@eyede
* The user-agent loads, in an invisible IFRAME, the provisioning URL https://eyedee.me/browserid/provision.html, delivering to that URL any cookies that have previously been set and making available to that page's JavaScript any localStorage that corresponds to the eyedee.me origin.
* The provisioning URL's script determines if Alice is properly authenticated and, if so, triggers key generation within the user agent, obtains the public key, signs it, and registers the resulting certificate with the user agent:
-
+```javascript
// get parameters of provisioning
navigator.id.beginProvisioning(function(email, cert_duration) {
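Review bot: the removed line here is a bare blank-line separator, and the opening ```` ```javascript ```` fence takes its place rather than being added after it, so the `*` bullet text and the fence now abut with no blank line between them; keep a blank line before the fence so the code block is not read as part of the list item. The callback signature in the snippet, `function(email, cert_duration)`, does match the later normative wording for `provisionEmailFunction` ("accepts an email address and a certificate validity duration"), so no change is needed there.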
@@ -355,11 +376,11 @@ Consider Alice, a user of EyeDee.me, with email address alice@eyede
});
});
});
-
+```
* If Alice is not properly authenticated, the user agent loads the authentication URL https://eyedee.me/browserid/authenticate.html in a dialog interface, where Alice can then proceed to log into EyeDee.me using whatever flow/method EyeDee.me wishes.
-
+```javascript
// set up UI
navigator.id.beginAuthentication(function(email) {
// update UI to display the email address
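Review bot: the closing fence replaces the blank line that followed `});`, so the fence and the next bullet `* If Alice is not properly authenticated...` now sit on adjacent lines, and the same happens between that bullet and the second opening fence; insert a blank line after each closing fence and before each opening fence so the bullet renders as its own list item rather than as text hanging off the code block.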
@@ -374,7 +395,7 @@ Consider Alice, a user of EyeDee.me, with email address alice@eyede
function onCancel() {
navigator.id.raiseAuthenticationFailure("user canceled");
}
-
+```
Once this is successfully completed, the user-agent returns to the BrowserID user-interface, and attempts to load the provisioning URL as in the previous step.
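Review bot: `onCancel()` in this snippet passes the free-form string `"user canceled"` to `navigator.id.raiseAuthenticationFailure`, whereas the provisioning section in this same patch prescribes fixed explanation codes for `raiseProvisioningFailure`; if a corresponding list of authentication-failure codes exists in the spec, the example should use one of those values so readers copying it produce what the user agent expects. Also add a blank line after the closing fence before "Once this is successfully completed...", which currently runs straight on from the code.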
@@ -617,30 +638,30 @@ The domain SHOULD deliver HTML and JavaScript at that URI, which it can expect t
The domain SHOULD determine, without any user-facing content, the user's state of authentication with the domain. The domain MAY use cookies or localStorage to make this determination.
The domain MUST call, in JavaScript:
-
+```javascript
navigator.id.beginProvisioning(provisionEmailFunction);
-
+```
with provisionEmailFunction a function that accepts an email address and a certificate validity duration as parameters.
Once the email address determined, the domain SHOULD check that the user is properly authenticated to use this email address. If she isn't, the domain SHOULD call
-
+```javascript
navigator.id.raiseProvisioningFailure(explanation)
-
+```
with explanation a string explaining the failure. The domain SHOULD concludes all JavaScript activity after making this call.
You SHOULD use one of the following explanation codes:
* user is not authenticated as target user - Indicates UA should show sign in screen again, due to an error
If the user is properly authenticated, the domain MUST call:
-
+```javascript
navigator.id.genKeyPair(gotPublicKey);
-
+```
with gotPublicKey a function that accepts a JWK-string-formatted public-key.
The domain's JavaScript SHOULD then send this JWK string to the domain's backend server. The domain's backend server SHOULD certify this key along with the email address provided to its provisionEmailFunction function, and an expiration date at least 1 minutes in the future. The backend server SHOULD NOT issue a certificate valid longer than 24 hours. The domain's backend server SHOULD then deliver an Identity Certificate back to its JavaScript context. The domain's JavaScript MUST finally call:
-
+```javascript
navigator.id.registerCertificate(certificate);
-
+```
with the Identity Certificate string.
Assertion Verification
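Review bot: the unchanged context in this hunk carries three wording errors worth fixing while the snippets are being fenced: "Once the email address determined" should read "Once the email address is determined", "The domain SHOULD concludes all JavaScript activity" should be "SHOULD conclude", and "at least 1 minutes in the future" should be "at least 1 minute in the future". Of the four newly fenced calls, `navigator.id.raiseProvisioningFailure(explanation)` is the only one without a trailing semicolon; make it consistent with `beginProvisioning`, `genKeyPair` and `registerCertificate`. Finally, the narrative snippet earlier in this patch shows `beginProvisioning` handing the page a `cert_duration`, while this section only states the backend's own 24-hour ceiling; the text should say how the user agent's requested duration relates to that ceiling (for example, that the issued certificate must not exceed either), otherwise implementers may issue certificates longer than the user agent asked for.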