Authenticating a user to a 3rd party server

With OI Chat, I developed a mechanism to authenticate a user to a 3rd party server. Could you please review it and find flaws?

The context is the federated matrix chat protocol. There are several so-called home servers that talk to each other. Users register with their home server of choice, similar to the gaia storage providers. The user would like to sign in with the chat client of choice. So, the client app needs to authenticate the user with the home server, ideally using the blockstack id as username.

The authentication flow to the 3rd party server (matrix home server) is as follows:

  1. user opens chat client and logs in with the blockstack id (as usual)
  2. chat client creates nonce and requests a challenge from the home server
  3. chat client writes the challenge in the chat client’s gaia bucket (file mxid.json)
  4. chat client informs home server that the challenge was taken by sending the nonce and the app domain together with the blockstack id
  5. home server takes the blockstack id and looks up the gaia storage
  6. home server verifies the challenge found in mxid.json
  7. if the challenge was correct the user is authenticated with the blockstack id

That is how it is implemented now. Some notes:

  • The home server is a trusted server in the same way as the gaia server
  • For privacy reasons, it might be better if the home server tells the chat client where to publish the challenge response (instead of using the public gaia storage) and the chat client signs the challenge. Then the homeserver just needs to retrieve the keys from the blockstack profile and verify the signature. (This would also scale for other decentralized identifiers)
  • Different apps can sign in using the same matrix user (=blockstack id) as long as the user signs in with them. Is that problematic? If the apps are chat clients, no. If the apps are bot-like utilities that send notifications about signed documents, new photos in the gallery, then yes. (Potential risk of spam.) Maybe the user should be able to whitelist apps that can sign in with the blockstack id, other apps would sign in as blockstackId + appDomain. These would then act as their own matrix user (and the user’s app matrix user could be banned, in contrast to the user’s own (blockstack id) matrix user).

Do you see security risks? Privacy risks?
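
A sketch of the home-server side of the seven-step flow above, added here as an illustration and not taken from OI Chat or the post. It shows the checks a reviewer would look for in steps 4 to 7: a challenge that expires, can be used only once, and is compared in constant time. The `HomeServer` class, the `fetch_bucket_file` lookup, the `{"challenge": ...}` layout of mxid.json and the 120-second lifetime are assumptions.

```python
import hmac, json, secrets, time

CHALLENGE_TTL = 120  # seconds; assumed value, the post gives none

class HomeServer:
    """Hypothetical home-server side of steps 2 and 4-7."""
    def __init__(self, fetch_bucket_file, now=time.time):
        # fetch_bucket_file(blockstack_id, app_domain, name) -> str or None
        self.fetch = fetch_bucket_file
        self.now = now
        self.pending = {}  # nonce -> (challenge, expires_at)

    def request_challenge(self, nonce):
        # Step 2: random challenge, stored under the client's nonce.
        if nonce in self.pending:
            raise ValueError("nonce already in use")
        challenge = secrets.token_urlsafe(32)
        self.pending[nonce] = (challenge, self.now() + CHALLENGE_TTL)
        return challenge

    def login(self, blockstack_id, app_domain, nonce):
        # Step 4: pop() makes a challenge single-use, even when login fails.
        challenge, expires_at = self.pending.pop(nonce, (None, 0))
        if challenge is None or self.now() > expires_at:
            return False
        # Steps 5-6: read mxid.json from the bucket of the claimed id and app.
        raw = self.fetch(blockstack_id, app_domain, "mxid.json")
        try:
            published = json.loads(raw)["challenge"]
            # Step 7: constant-time comparison with the issued challenge.
            return hmac.compare_digest(published.encode(), challenge.encode())
        except (TypeError, ValueError, KeyError, AttributeError):
            return False  # file missing, not JSON, or not the assumed layout

def demo():
    buckets = {}  # constructed stand-in for gaia storage
    server = HomeServer(lambda user, app, name: buckets.get((user, app, name)))
    nonce = secrets.token_hex(16)
    challenge = server.request_challenge(nonce)
    # Step 3: the client publishes the challenge in its own app bucket.
    buckets[("alice.id", "chat.example", "mxid.json")] = json.dumps({"challenge": challenge})
    ok = server.login("alice.id", "chat.example", nonce)
    replay = server.login("alice.id", "chat.example", nonce)
    return ok, replay

if __name__ == "__main__":
    print(demo())
```

A successful login here shows only that the caller could write to the bucket the server resolved for the claimed id and app domain, so the strength of the scheme rests on that resolution step, which is stubbed out in this sketch.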