I host my own static HTML site, which also serves as an OpenID delegate. This means I can use my own URL for OpenID logins, but hand over the actual work to someone else (with the associated cost of having to trust them).
How can I do something similar with BrowserID?
- I don't want to implement my own IdP, I want to delegate
- I don't want to host a mail server
- I am aware of the cost of trusting a third-party
The delegated support docs say:
> A domain may delegate to any other domain, so long as the other domain publishes a /.well-known/browserid document.
So I'm guessing I can:
- Get myself a free StartSSL certificate (which I would have to renew annually)
- Switch over to HTTPS
- Create a valid `browserid` file on my site, accessible at https://mysite.example.com/.well-known/browserid, containing:

```json
{
  "authority": "login.persona.org"
}
```
...which should delegate BrowserID queries to Mozilla Persona.
But, if I'm not running my own mail server, what happens next? What (non-functional) email address do I log in with? Assuming I can do that, how is verification handled?
Alternatively, does Persona have a generic OpenID identity bridge, in addition to the Yahoo- and Gmail-specific ones? (Again, the question becomes which email address would I use in this case?)
There's no point in delegating to `login.persona.org` because that's the fallback identity provider which will be used if you don't delegate. Also, if you're not running a mail server on your domain then the fallback won't work for you because it's email-based. On the other hand, the rest of the steps you wrote would work if you were to delegate to a service like https://persowna.net/ which shouldn't require you to have a mail server on your domain.
There is no generic OpenID bridge, but here's a Persona identity provider I wrote to allow me to delegate to an OpenID provider manually: https://github.com/fmarier/persona-openid-delegation
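As an added illustration of the delegation mechanism discussed in the question and answer above (this is example code, not part of either post and not Persona's own implementation), the following Python resolver walks a chain of `/.well-known/browserid` documents the way a relying party's verifier would: it follows `authority` entries hop by hop, rejects values that are not bare domain names, detects loops, caps the chain length, and requires the final document to carry the `public-key`, `authentication` and `provisioning` keys of a primary identity provider. The HTTPS fetch is replaced by an in-memory dictionary of constructed documents so it runs offline; the domain names, the RSA modulus placeholder and the six-hop cap are assumptions made for the example.

```python
import json

# Constructed stand-in for HTTPS fetches of https://<domain>/.well-known/browserid.
# Every domain and value here is illustrative, not a real deployment.
WELL_KNOWN_DOCS = {
    # Delegating site, as in the question, but pointing at a real primary IdP
    "mysite.example.com": '{"authority": "idp.example.net"}',
    # The primary IdP it delegates to
    "idp.example.net": json.dumps({
        "public-key": {"algorithm": "RS", "n": "<modulus placeholder>", "e": "65537"},
        "authentication": "/browserid/sign_in.html",
        "provisioning": "/browserid/provision.html",
    }),
    # Two sites delegating to each other: a loop a verifier must refuse
    "loop-a.example": '{"authority": "loop-b.example"}',
    "loop-b.example": '{"authority": "loop-a.example"}',
    # A malformed delegation: 'authority' must be a domain, not a URL
    "broken.example": '{"authority": "http://idp.example.net"}',
}

MAX_HOPS = 6  # assumed upper bound on delegation chain length


def fetch_document(domain):
    """Return the parsed /.well-known/browserid document for domain.

    In a real verifier this is an HTTPS GET; here it reads the constructed
    dictionary above and raises LookupError for unknown domains.
    """
    raw = WELL_KNOWN_DOCS.get(domain)
    if raw is None:
        raise LookupError(f"no /.well-known/browserid document for {domain}")
    return json.loads(raw)


def is_delegation(doc):
    """A delegation document contains only an 'authority' entry."""
    return "authority" in doc


def resolve_authority(domain, max_hops=MAX_HOPS):
    """Follow 'authority' delegations from domain.

    Returns (final_domain, primary_document, chain), where chain lists every
    domain visited in order. Raises ValueError on loops, malformed authority
    values, over-long chains, or a final document missing primary-IdP keys.
    """
    domain = domain.lower()
    chain = [domain]
    seen = {domain}
    for _ in range(max_hops):
        doc = fetch_document(domain)
        if is_delegation(doc):
            nxt = doc["authority"]
            # The authority is a bare host name: no scheme, port, or path.
            if not isinstance(nxt, str) or not nxt or "/" in nxt or ":" in nxt:
                raise ValueError(f"{domain}: 'authority' must be a bare domain, got {nxt!r}")
            nxt = nxt.lower()
            if nxt in seen:
                raise ValueError("delegation loop: " + " -> ".join(chain + [nxt]))
            seen.add(nxt)
            chain.append(nxt)
            domain = nxt
            continue
        # Not a delegation: this must be a complete primary IdP document.
        missing = [k for k in ("public-key", "authentication", "provisioning") if k not in doc]
        if missing:
            raise ValueError(f"{domain}: primary document missing {missing}")
        return domain, doc, chain
    raise ValueError(f"delegation chain exceeds {max_hops} hops: {chain}")


if __name__ == "__main__":
    final, _, chain = resolve_authority("mysite.example.com")
    print("resolved", " -> ".join(chain), "to primary IdP", final)
    for bad in ("loop-a.example", "broken.example"):
        try:
            resolve_authority(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Note that the resolver only answers "who is the authority for this domain"; the verifier must still confirm that the identity certificate presented at login is signed by the `public-key` found at the end of the chain, and each hop in a real deployment must be served over HTTPS, which is why the question's switch to HTTPS is not optional.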