Development Tips for Identity Providers
Use Responsive Design Techniques
Your authentication page should use responsive web design techniques, as it will appear in everything from small pop-ups to full-screen windows on tablets or in some desktop browsers. Being responsive will ensure that your authentication page looks good in any content frame.
Serving the Support Document
To be recognized as an Identity Provider, your domain must publish a support document at /.well-known/browserid. Be sure to review its documentation.
In particular, you'll want to double check that:
- The document is formatted as valid JSON
- The document is served over SSL
- The document is served with a content type of "
- The document is hosted on the bare domain itself, not a subdomain. For example:
- If delegating to another Identity Provider, the authority value is a bare domain name of the target IdP.
Many of these can be tested automatically with the check_primary_support script from the Persona codebase.
For use in production, the SSL certificate must be signed by a trusted CA. For Persona, the list of trusted CAs is derived from Firefox's certificate bundle. As an example, you can download Persona's bundle from June 2012.
You can use a self-signed certificate for development and testing in pre-production environments.
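The checklist above can be run as a small offline validator. The script below is an added example written for this page; it is not the check_primary_support script from the Persona codebase. The hosts and response bodies are constructed fixtures, the expected content type (application/json) and the non-delegating key names (public-key, authentication, provisioning) are assumptions taken from the BrowserID support-document format rather than from this page, and the bare-domain test is a plain hostname pattern check.

```python
"""Offline checker for a BrowserID support document fetched from
https://<domain>/.well-known/browserid (added example, not Persona code)."""
import json
import re

# Assumption: the media type Persona expects for the support document.
EXPECTED_CONTENT_TYPE = "application/json"

# A bare domain name: dotted labels only, no scheme, port, path or userinfo.
BARE_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed fixtures: (email domain, scheme, host that actually served the
# document, Content-Type header, response body). None of these are real IdPs.
FIXTURES = {
    "good-direct": (
        "example.com", "https", "example.com", "application/json; charset=utf-8",
        '{"public-key": {"algorithm": "RS", "n": "1234", "e": "65537"}, '
        '"authentication": "/browserid/sign_in.html", '
        '"provisioning": "/browserid/provision.html"}'),
    "good-delegated": (
        "mail.example.org", "https", "mail.example.org", "application/json",
        '{"authority": "idp.example.net"}'),
    "bad-everything": (
        "example.com", "http", "www.example.com", "text/html",
        '{"authority": "https://idp.example.net/"}'),
    "bad-json": (
        "example.com", "https", "example.com", "application/json",
        '{"authority": }'),
}


def is_bare_domain(value):
    """True only for a host name such as idp.example.net, never a URL."""
    if not isinstance(value, str) or value != value.strip():
        return False
    return BARE_DOMAIN.match(value.lower()) is not None


def check_support_document(email_domain, scheme, served_from, content_type, body):
    """Return a list of problems found; an empty list means the document passes."""
    problems = []
    if scheme != "https":
        problems.append("not served over SSL")
    if served_from != email_domain:
        problems.append("served from %s, not the bare domain %s"
                        % (served_from, email_domain))
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != EXPECTED_CONTENT_TYPE:
        problems.append("content type is %r, expected %r"
                        % (media_type, EXPECTED_CONTENT_TYPE))
    try:
        doc = json.loads(body)
    except ValueError as exc:          # json.JSONDecodeError subclasses ValueError
        problems.append("body is not valid JSON: %s" % exc)
        return problems
    if not isinstance(doc, dict):
        problems.append("JSON body is not an object")
        return problems
    if "authority" in doc:
        # Delegation: the target must be a bare domain, not a URL or host:port.
        if not is_bare_domain(doc["authority"]):
            problems.append("authority %r is not a bare domain name"
                            % (doc["authority"],))
    else:
        # Assumption: keys a non-delegating support document must carry.
        for key in ("public-key", "authentication", "provisioning"):
            if key not in doc:
                problems.append("missing %r (required when not delegating)" % key)
    return problems


def run_fixtures():
    """Check every constructed fixture and map its name to the problems found."""
    return {name: check_support_document(*args) for name, args in FIXTURES.items()}


if __name__ == "__main__":
    for name, problems in run_fixtures().items():
        print(name, "OK" if not problems else problems)
```

Point the five arguments at what your own fetch of /.well-known/browserid returned (the scheme and host from the final response, the Content-Type header, and the raw body) and the function reports every item on the checklist that fails at once, rather than stopping at the first.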
Your Development Server
For ease of development, it helps to have IdP available on the public internet so that you can test it by using Persona-enabled sites like 123done.org.
During development, you can deploy your IdP on a subdomain like dev.example.com and attempt to log in with Persona as
authentication_api.js from the same domain. This means that if the site you're logging in to uses https://login.persona.org/include.js, then your IdP must use https://login.persona.org/provisioning_api.js and so on. In production, this should always be https://login.persona.org/.
These domains are only a concern if you want to test your IdP against pre-release versions of Persona. In that case, you'll have to log into a website that also uses the same pre-release version of Persona. You can also use the sites below:
login.persona.org, you can run a local instance of the Persona implementation and point your script tags to that. The implementation also provides a local Persona-enabled site to log into. However, this option is not recommended unless you are comfortable with Node.js and grepping around the source. If you go this route, you'll want to look into the SHIMMED_PRIMARIES environment variable to ease pointing your local Persona instance to your local IdP.
Use Several Browsers
And while you're there, don't forget to read the bodies of network responses!
Use the Persona WSAPI and Testing Scripts
Does Persona think your domain is an Identity Provider? Find out by using
check_primary_support codebase can automatically diagnose many misconfigurations.