browserid

audience mismatch in development mode


Currently trying to develop a login/registration system based on browserid.

I have a server whose local IP is 192.168.0.106 and that runs on "http://localhost"

The process works perfectly when doing it from a browser on the server machine by sending a verification with audience: "localhost"

The problem is when I try to identify from another machine on the same local network, whose address is not localhost, but something like 192.168.0.101: the verification process returns an "audience mismatch" failure because the client connects to 192.168.0.106 (the server's local address) and not localhost

Any ideas or suggestions?


Solution

  • The audience-match check by the verifier is to ensure that the assertion you've been given is fresh, and hasn't been harvested from another site.

    In 'production' you'd usually know the address which clients will connect to your site with, and hard-code that into your call to the verifier.

    In development, there are 2 options which I've used:

    1. add an explicit mapping to /etc/hosts files from the clients I'm testing with so all use the same address
    2. use the value from the 'Host' header as the audience value (this is likely to be completely insecure depending on the middleware/intermediaries you're using, so it should only be done in development)
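The two audience strategies from the answer above, written out as an added example (this is not code from the original question or answer). It is Node.js: in production the audience is a fixed, configured origin; in development it is derived from the request's Host header, but only accepted if it is on a small allowlist, which removes the worst of the "trust whatever Host says" problem. It also checks the verifier's reply against the audience that was requested. The origins `https://example.com`, `http://localhost` and `http://192.168.0.106`, and the `{status, email, audience, expires}` shape of the verifier's JSON reply, are assumptions for the example; BrowserID audiences are taken here to be origins of the form `scheme://host[:port]`.

```javascript
// Added example, not code from the original post: choosing the BrowserID
// "audience" a relying party sends to the verifier, and checking the reply.

// Production: the one public origin clients really use, fixed in config.
const PRODUCTION_AUDIENCE = 'https://example.com'; // assumed value

// Development: the origins LAN test browsers use. The server in the
// question is 192.168.0.106 and also answers as localhost. Assumed values.
const DEV_AUDIENCES = new Set(['http://localhost', 'http://192.168.0.106']);

// Build an origin (scheme://host[:port]) from a Host header. URL() drops
// the scheme's default port, so "localhost:80" and "localhost" compare
// equal, and lower-cases the hostname. Returns null for anything that is
// not a plain host[:port], e.g. a value smuggling a path or userinfo.
function originFromHost(scheme, hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(`${scheme}//${hostHeader}`);
  } catch (e) {
    return null;
  }
  if (parsed.username || parsed.password || parsed.pathname !== '/') return null;
  return parsed.origin;
}

// Pick the audience for one incoming request.
//   production: never consult the request; use the configured origin.
//   development: derive it from Host, but only accept allowlisted origins.
// Trusting Host blindly lets anyone who can reach the server pick the
// audience, which is exactly what the verifier's check is meant to stop.
function audienceForRequest(req, env) {
  if (env === 'production') return PRODUCTION_AUDIENCE;
  const scheme = req.socket && req.socket.encrypted ? 'https:' : 'http:';
  const origin = originFromHost(scheme, req.headers && req.headers.host);
  return origin !== null && DEV_AUDIENCES.has(origin) ? origin : null;
}

// Check the verifier's JSON reply (assumed shape: {status, email, audience,
// expires, issuer}) against the audience we asked it to verify. A reply
// whose audience differs from what we sent is rejected; so is an expired
// or non-"okay" one. Returns true only for a usable, in-date assertion.
function checkVerifierResponse(resp, expectedAudience, nowMs = Date.now()) {
  if (!resp || resp.status !== 'okay') return false;
  if (resp.audience !== expectedAudience) return false;
  if (typeof resp.expires !== 'number' || resp.expires <= nowMs) return false;
  return typeof resp.email === 'string' && resp.email.includes('@');
}
```

Calling the verifier itself is just an HTTPS POST of `{assertion, audience}` with the value `audienceForRequest` returns; a `null` return should be treated as a request for an origin you do not serve and answered with an error rather than passed on. Note that with the allowlist in place the development path is only as safe as the list: every origin on it is one an attacker could get an assertion minted for, so keep it to the machines you actually test from.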