Blockchain Auth: Passwordless login with the Blockchain using JSON web tokens

From IIW

BlockChain Auth: Passwordless login w/blockchain using JSON web tokens

Wednesday 3D

Convener: Ryan Shea

Notes-taker(s): Ryan Shea

Tags for the session - technology discussed/ideas considered:

  • #blockchain #JSON

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

An authentication flow with Blockchain Auth looks like this:

1. the app creates a signed authentication request and delivers it to the user

2. the user's client verifies the authenticity of the request

3. the user's client compiles information for an authentication response

  • it grabs the challenge inside of the request
  • it looks at the permissions and pulls together the necessary data to deliver

4. the user's client creates a signed authentication response with the compiled information

5. the user's client sends a message to the app's server with both the app-produced authentication request and the user-produced authentication response

6. the app looks at the request and response and performs a few checks

  • "hey, this auth request was really signed by me"
  • "hey, this auth response was really signed by the user who claims to have produced the token"
  • "hey, the request and response have the same challenge"

7. the app logs the user in

Blockchain Auth does not require third party identity providers. In a sense, the blockchain is the identity provider. It has the directory of identities.

There are two types of auth responses - pseudo-anonymous auth responses and identified auth responses.

With pseudo-anonymous auth responses, only a persistent public key is specified, as well as optional private information. No blockchain ID (and therefore no public profile) is provided by the user.

With identified auth responses, the user additionally provides a blockchain ID, as well as evidence that they are the owner of said blockchain ID.

Quote: It looks like this is looking to replace OpenID Connect. I’m just trying to call a spade a spade.
