Sign-in with stacks #70
base: main
Conversation
| issued-at | (string-ascii 27) | The ISO 8601 datetime string of the current time. | | ||
| expiration-time | (string-ascii 27) | (optional) The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid. | | ||
| not-before | (string-ascii 27) | (optional) The ISO 8601 datetime string that, if present, indicates when the signed authentication message will become valid. | | ||
| request-id | (string-ascii 64) | an system-specific identifier that may be used to uniquely refer to the sign-in request. | |
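Review bot: in the `request-id` row, "an system-specific identifier" should read "a system-specific identifier", and this is the only row of the four without an `(optional)` marker; if the field is optional, mark it the way `expiration-time` and `not-before` are marked. Separately, `(string-ascii 27)` for the three datetime fields fits only some ISO 8601 forms (a `Z`-suffixed millisecond timestamp such as `2022-03-01T12:00:00.000Z` is 24 characters, the same instant with a numeric `+00:00` offset is 29), so the rows should name the exact datetime profile a verifier must accept and everything else it must reject.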
request-id should be optional too @friedger
|
||
# Abstract | ||
|
||
Web application often provide their services only to authenticated users. In |
typo: "applications"
|
||
Web application often provide their services only to authenticated users. In | ||
Web2, this was done through username and password or federated logins. In Web3, | ||
users can proof their digital identity by cryptographically signing that the |
typo: "prove"
|
||
| name | type | description | | ||
| --------------- | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| title | (string-ascii 126) | Must be the application's domain name (max 80) followed by ` wants you to sign in with your Stacks account` | |
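Review bot: the `(string-ascii 126)` limit on `title` is exactly the 80-character domain cap plus the 46-character suffix ` wants you to sign in with your Stacks account`, but the row states neither that derivation nor what a verifier does with a domain longer than 80 characters; spell out the derivation and say explicitly that an over-long domain is rejected rather than truncated, so that every verifier applies the same rule to the signed string.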
Can `title` just be the application name? Then `wants you to sign in with your Stacks account` can be localized.
If going with domain name, shouldn't `title` then follow domain name limitations, i.e. 253 characters in size? Also, why `(string-ascii 126)` if max is 80?
| title | (string-ascii 126) | Must be the application's domain name (max 80) followed by ` wants you to sign in with your Stacks account` | | ||
| address | principal | The address of the signer | | ||
| statement | (string-ascii 80) | (optional) Describes the terms and conditions the user agrees to by using the application. | | ||
| URI | (string-ascii 80) | An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim). | |
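Review bot: the `URI` row says what the field refers to but not how a verifier relates it to the domain in `title`; state whether the host of `URI` must match that domain, since without such a rule two verifiers can disagree on whether a message signed for one site is acceptable at another.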
Is 80 characters enough for a URL? Shouldn't it be more like 4,096?
| chain-id | uint | (optional) the chain ID to which the session is bound. This must correspond to the version of the address. | | ||
| nonce | (string-ascii 64) | randomized token used to prevent replay attacks, at least 8 alphanumeric characters. | | ||
| issued-at | (string-ascii 27) | The ISO 8601 datetime string of the current time. | | ||
| expiration-time | (string-ascii 27) | (optional) The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid. | |
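Review bot: the `nonce` row promises replay protection and fixes a minimum of 8 alphanumeric characters, but says nothing about who generates the value or how reuse is detected; specify that the verifier generates the nonce, ties it to a single sign-in attempt and records it as used on first acceptance, otherwise the minimum length alone prevents nothing. The `chain-id` row says the value "must correspond to the version of the address" but does not say the verifier has to check this; make that check an explicit requirement.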
One of the tricky things with authentication tokens like this is making sure they can't be replayed by someone who captures them. Is there a way we can mandate `expiration-time` or perhaps use a `timeout`? Maybe we could use the Stacks blockchain height to determine how long a login token is good for (e.g. "This token expires at Stacks block height 12345").
This PR defines a standard for the message used for sign-in with Stacks (#69).
It is mainly inspired by EIP-4361.
The standard requires the following limits that can be discussed: