-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sign-in with stacks #70
base: main
Are you sure you want to change the base?
Conversation
| issued-at | (string-ascii 27) | The ISO 8601 datetime string of the current time. | | ||
| expiration-time | (string-ascii 27) | (optional) The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid. | | ||
| not-before | (string-ascii 27) | (optional) The ISO 8601 datetime string that, if present, indicates when the signed authentication message will become valid. | | ||
| request-id | (string-ascii 64) | an system-specific identifier that may be used to uniquely refer to the sign-in request. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
request-id should be optional too @friedger
|
||
# Abstract | ||
|
||
Web application often provide their services only to authenticated users. In |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: "applications"
|
||
Web application often provide their services only to authenticated users. In | ||
Web2, this was done through username and password or federated logins. In Web3, | ||
users can proof their digital identity by cryptographically signing that the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: "prove"
|
||
| name | type | description | | ||
| --------------- | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| title | (string-ascii 126) | Must be the application's domain name (max 80) followed by ` wants you to sign in with your Stacks account` | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can title
just be the application name? Then, wants you to sign in with your Stacks account
can be localized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if going with domain name, shouldn't title then follow domain name limitations, ie 253 characters in size. Also, why (string ascii 126)
if max is 80?
| title | (string-ascii 126) | Must be the application's domain name (max 80) followed by ` wants you to sign in with your Stacks account` | | ||
| address | principal | The address of the signer | | ||
| statement | (string-ascii 80) | (optional) Describes the terms and conditions the user agrees to by using the application. | | ||
| URI | (string-ascii 80) | An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim). | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is 80 characters enough for a URL? Shouldn't it be more like 4,096?
| chain-id | uint | (optional) the chain ID to which the session is bound. This must correspond to the version of the address. | | ||
| nonce | (string-ascii 64) | randomized token used to prevent replay attacks, at least 8 alphanumeric characters. | | ||
| issued-at | (string-ascii 27) | The ISO 8601 datetime string of the current time. | | ||
| expiration-time | (string-ascii 27) | (optional) The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One of the tricky things with authentication tokens like this is making sure they can't be replayed by someone who captures them. Is there a way we can mandate expiration-time
or perhaps use a timeout
? Maybe we could use the Stacks blockchain height to determine how long a login token is good for (e.g. "This token expires at Stacks block height 12345").
This PR defines a standard for message used for sign-in with stacks (#69)
It is mainly inspired by EIP-4361.
The standard requires the following limits that can be discussed: