Skip to content

Commit

Permalink
[ANCHOR-591] Add clients config to sep10 auth configuration (stellar#347
Browse files Browse the repository at this point in the history
)

* add clients config to sep10 auth

* prettier

* address comments

* format and lint

* address comments
  • Loading branch information
JiahuiWho authored Mar 5, 2024
1 parent 70d9ecc commit 3a65957
Show file tree
Hide file tree
Showing 2 changed files with 47 additions and 7 deletions.
49 changes: 44 additions & 5 deletions docs/anchoring-assets/anchor-platform/sep10/configuration.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -40,17 +40,56 @@ By default, the Anchor Platform allows anyone with a Stellar account to authenti
```bash
# dev.env
SEP10_CLIENT_ATTRIBUTION_REQUIRED=true
SEP10_CLIENT_ATTRIBUTION_ALLOWLIST=lobstr.co,api.vibrantapp.com,decaf.so,api.beansapp.com
```

</CodeExample>

<CodeExample>

SEP10_REQUIRE_KNOWN_OMNIBUS_ACCOUNT=true
SEP10_OMNIBUS_ACCOUNT_LIST=GBIBMZNXMD3P7HXVQCYIWWT5NG43NEIIY7VYBQ5SADV6UULUKCAJTGPG
```yaml
clients:
# Each item in the list may contain the following fields:
# - name: (required) the name of the client
# - type: (required) `custodial` or `noncustodial`
#
# If the type is `custodial`,
# - signing_key: (required) the custodial SEP-10 signing key of the client.
# - callback_url: (optional) the URL of the client's callback API endpoint.
# - allow_any_destination: (optional) default to false. If set to true, allows any destination for deposits.
# - destination_accounts: (optional) list of accounts allowed to be used for the deposit. If allows_any_destinations set to true, this configuration option is ignored.
#
# If the type is `noncustodial`,
# - domain: (required) the domain of the client.
# - callback_url: (optional) the URL of the client's callback API endpoint
# - signing_key: (optional) the signing key of the client.

# custodial client
- name: custodial-client1
type: custodial
signing_key: "the custodial SEP-10 signing key of the client1"
callback_url: https://callback.custodial-client1.com/api/v1/anchor/callback
allow_any_destination: false
destination_accounts:
- name: custodial-client2
type: custodial
signing_key: "the custodial SEP-10 signing key of the client2"

# noncustodial client
- name: noncustodial-client1
type: noncustodial
domain: noncustodial-client1.co
callback_url: https://callback.noncustodial-client1.co/api/v2/anchor/callback
signing_key: "the signing key of the client1"
- name: noncustodial-client2
type: noncustodial
domain: noncustodial-client2.com
```
</CodeExample>
`SEP10_CLIENT_ATTRIBUTION_REQUIRED` informs the Anchor Platform whether or not it should allow users of non-custodial wallets to authenticate without the wallet also identifying itself, and `SEP10_CLIENT_ATTTRIBUTION_ALLOWLIST` is the list of non-custodial wallets that can create authenticated sessions with your services.
`SEP10_CLIENT_ATTRIBUTION_REQUIRED` informs the Anchor Platform whether it should allow users of noncustodial wallets to authenticate without the wallet also identifying itself.

`SEP10_REQUIRE_KNOWN_OMNIBUS_ACCOUNT` informs the Anchor Platform whether or not it should allow users of custodial wallets to authenticate without the custodial wallet's public key being included in the `SEP10_OMNIBUS_ACCOUNT_LIST`.
`CLIENTS` is the list of outside wallet servers or clients for the Anchor server to safely communicate with.

## Modify a Stellar Info File

Expand Down
5 changes: 3 additions & 2 deletions docs/anchoring-assets/anchor-platform/sep24/faq.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ This JWT token will contain:
1. `exp` is the expiration time of the token. You should check that the provided token has not expired.
2. `sub` is the account associated with this transaction. It can be used to identify the user account. Note that this value may be different from the account that will be used to receive/send funds.
3. `jti` is the hash of the transaction.
4. `data` is the extra payload that has been set by the user. It will always contain the Stellar `asset` wants to deposit or withdraw. If provided by the client, it will also contain the `amount` the user wants to transact, the `client_domain` of the wallet verified during SEP-10 authentication, and the `lang` (language) preference of the user.
4. `data` is the extra payload that has been set by the user. It will always contain the Stellar `asset` wants to deposit or withdraw. If provided by the client, it will also contain the `amount` the user wants to transact, the `client_domain` of the wallet verified during SEP-10 authentication, and the `lang` (language) preference of the user, and `client_name` (defined as 'name' in [clients] configuration if provided).

### How To Provide Fees?

Expand All @@ -32,7 +32,8 @@ You should use the `sub` field of the JWT token. For custodial wallets, this val

### How to identify the wallet?

You should use a combination of `sub` and `data.client_domain` fields of the JWT token. For custodial wallets, the `sub` value will be in the format `account:memo`. Use the account to identify the wallet. For noncustodial wallets, use the `data.client_domain` field. Note that the wallet must provide the `client_domain` beforehand as a part of SEP-10 authentication.
Utilize the `data.client_domain` attributes within the JWT token. In the presence of [clients] configuration, the JWT token will additionally incorporate the `data.client_name` field, enabling wallet identification.

[sep-9]: https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0009.md
[sep-24]: https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0024.md
[clients]: docs/anchoring-assets/anchor-platform/sep10/configuration.mdx

0 comments on commit 3a65957

Please sign in to comment.