To become a federated Identity Provider (IdP), a domain must publish metadata in a well-formed JSON document. This document must be located at /.well-known/browserid, it must be available over SSL/TLS, and it must be served with Content-Type: application/json.
By publishing a support document, a domain may opt to:

- opt out of being a native Identity Provider (the `disabled` key),
- delegate authority to another host (the `authority` key), or
- natively support the BrowserID protocol (the `authentication`, `provisioning`, and `keys` values).

Each option takes precedence over those below it in the list.

By setting the key `disabled` to the boolean value `true`, a domain may explicitly opt out of being a native Identity Provider. When encountering this, clients may fail over to a Fallback Identity Provider.

By setting the key `authority` to a hostname, a domain may explicitly delegate authority to a designated host.

To natively support the BrowserID protocol, three values must be present:
- `authentication`, absolute path to the user authentication page.
- `provisioning`, absolute path to the headless user provisioning page.
- `keys`, array of public keys used for signing Identity Certificates.

Notes:

- Absolute paths must start with `/`, for example, `/foo/bar`.
- Public keys must be serialized as JWKs.
- When acting as an identity provider, the support document fulfills the requirements of a JWK Set and should be treated as such.
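The following Python validator is an added example, not code from the BrowserID specification or from any Persona implementation. It applies the precedence rule (an explicit `disabled` wins over `authority`, which wins over native support) and the structural checks listed above to a fetched support document, and it returns the `keys` array as the JWK Set a verifier would consume. The sample documents, hostnames and paths in it are constructed placeholders, the "bare hostname" test for `authority` and the non-empty `keys` requirement are this example's own assumptions, and the JWK check only looks for the `kty` member that RFC 7517 makes mandatory.

```python
"""Classify and validate a BrowserID support document (/.well-known/browserid).

Added example; not part of the BrowserID specification. Transport checks
(TLS, Content-Type: application/json) are assumed to have happened before
the body reaches this code.
"""
import json

REQUIRED_NATIVE_KEYS = ("authentication", "provisioning", "keys")


def _is_jwk(obj):
    # Minimal JWK sanity check: a JSON object with a string "kty" member.
    # Assumption: algorithm-specific members (n/e, crv/x/y) are not checked here.
    return isinstance(obj, dict) and isinstance(obj.get("kty"), str)


def classify_support_document(text):
    """Return (mode, detail) for a support document given as JSON text.

    mode is "disabled", "delegated", "native" or "invalid"; detail carries the
    authority hostname, the native values, or an error message.
    """
    try:
        doc = json.loads(text)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return "invalid", "not well-formed JSON: %s" % exc
    if not isinstance(doc, dict):
        return "invalid", "top-level value must be a JSON object"

    # 1. Explicit opt-out takes precedence over everything else; a client
    #    may fail over to a Fallback Identity Provider at this point.
    if doc.get("disabled") is True:
        return "disabled", None

    # 2. Delegation to a designated host (checked before native values).
    authority = doc.get("authority")
    if authority is not None:
        # Assumption: a hostname only, so a value containing a path is rejected.
        if not isinstance(authority, str) or not authority or "/" in authority:
            return "invalid", "authority must be a bare hostname"
        return "delegated", authority

    # 3. Native support: all three values must be present and well formed.
    missing = [k for k in REQUIRED_NATIVE_KEYS if k not in doc]
    if missing:
        return "invalid", "missing native IdP keys: %s" % ", ".join(missing)
    for key in ("authentication", "provisioning"):
        path = doc[key]
        if not isinstance(path, str) or not path.startswith("/"):
            return "invalid", "%s must be an absolute path starting with /" % key
    keys = doc["keys"]
    # Assumption: an empty key array is treated as invalid, since nothing could sign.
    if not isinstance(keys, list) or not keys or not all(_is_jwk(k) for k in keys):
        return "invalid", "keys must be a non-empty array of JWK objects"
    return "native", {"authentication": doc["authentication"],
                      "provisioning": doc["provisioning"],
                      "keys": keys}


def jwk_set(text):
    """Return the support document's keys as a JWK Set ({"keys": [...]}) when it
    acts as a native IdP, or None otherwise."""
    mode, detail = classify_support_document(text)
    if mode != "native":
        return None
    return {"keys": detail["keys"]}


# Constructed sample documents: placeholder hostnames, paths and key material.
SAMPLES = {
    # "disabled" wins even though an authority is also present
    "disabled": '{"disabled": true, "authority": "idp.example"}',
    "delegated": '{"authority": "idp.example"}',
    "native": json.dumps({
        "authentication": "/browserid/sign_in",
        "provisioning": "/browserid/provision",
        "keys": [{"kty": "RSA", "n": "<modulus-placeholder>", "e": "AQAB"}],
    }),
    # relative path for "authentication" violates the absolute-path rule
    "bad_path": '{"authentication": "sign_in", "provisioning": "/p", "keys": [{"kty": "RSA"}]}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", classify_support_document(body))
```

Run as a script it prints the classification of each constructed sample; in a verifier you would feed it the body fetched from the domain and only trust `keys` when the mode is `native`.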