Skip to content
This repository has been archived by the owner on May 10, 2019. It is now read-only.
clarkbw edited this page Aug 9, 2011 · 10 revisions

1. Enable BrowserID

Include the BrowserID JavaScript library in your site by adding a script tag to your

<script src="https://browserid.org/include.js" type="text/javascript"></script>

2. Identify the User

Instead of displaying a form on your site which takes a username and password, use the BrowserID JavaScript API when the user clicks your sign-in button:

navigator.id.getVerifiedEmail(function(assertion) {
    if (assertion) {
        // This code will be invoked once the user has successfully
        // selected an email address they control to sign in with.
    } else {
        // something went wrong!  the user isn't logged in.
    }
});

Upon a successful sign-in, you'll be called back with an assertion, a string containing a signed claim that proves the user is who they say they are.

NOTE: While completely optional, you might consider replacing your sign-in button with a pretty BrowserID button:

sign in button - red sign in button - blue sign in button - orange sign in button - green sign in button - grey

3. Verify the User's Identity

You must verify the assertion is authentic, and extract the user's email address from it. The easiest way to do these is to use the free verification service provided by BrowserID.

To use it, you send a request to https://browserid.org/verify with two POST parameters:

  1. assertion: The encoded assertion
  2. audience: The hostname and optional port of your site

The verifier will check the the assertion was meant for your site and is valid, here's an example:

$ curl -d "assertion=<ASSERTION>&audience=mysite.com" "https://browserid.org/verify"
{
    "status": "okay",
    "email": "[email protected]",
    "audience": "mysite.com",
    "valid-until": 1308859352261,
    "issuer": "browserid.org:443"
}

NOTE: You may choose to validate assertions on your own server. While a bit more complicated you can reduce your dependencies on others. Refer to the specification and the source for the reference validator.

4. Complete the sign in!

Having completed the steps above, you can trust that the present user really owns the email address returned by the verifier. You don't need to perform any additional authentication unless you want to! From here, you can perform whatever post-authentication steps you like.