Diploma project about Blockstack authentication protocol

Hello, I’m writing my bachelor diploma project and its topic is “Decentralized authentication system”. I stumbled upon Blockstack authentication protocol and thought maybe I could help somehow to get this protocol to plug-and-play state and write my project simultaneously? Can I do this, and if yes, what exactly could be done on my side? And just for sure: this protocol can be used with regular websites (not built on Blockstack), right?

Yes! Blockstack Authentication can be used both with regular websites, native apps and decentralized Blockstack Apps.

That’s really cool!

It should be plug and play now depending on what you’re plugging and playing with. :wink:

Right now we have Javascript and Ruby libraries that let you add log in with Blockstack to existing web apps. If you’re looking to add Blockstack Authentication to a ruby web app that uses Omniauth, it’s even easier…we have an Omniauth strategy that does that. Adding Blockstack auth to a Discourse forum (like this one!) is easy and only requires you to install the discourse-blockstack plugin.

The easiest way to enable support for logging in with Blockstack on the client side is to install the latest pre-release build of Blockstack for macOS.

Let us know if you have any questions…we’d love to help!

Okay, it seems all work is actually done :slight_smile:
But I guess backend plugins need to exist in all major platforms, not only Ruby. I’m a Python and Django developer, I could make a Django application that handles authentication using Blockstack protocol and Onename user credentials. Do you think it could be useful?

That would be great!

@jude might already have some Python code that you could use. Also tagging @ryan who designed the authentication protocol.

Good! I’ll start my work then.

I have several questions about the protocol though. What is Blockstack Protocol for? It’s client-side software required for authentication, right? Why is it used and why not use Onename as identity provider in OAuth manner (i.e. user tries to login in app, app redirects user to Onename, user approves authentication, Onename redirects authenticated user to app)?

Onename is a registrar app that runs on Blockstack. It is one of several ways to register names.

If we used OAuth in the manner you described, users and app developers would have to trust the Onename website. This is how centralized systems like log in with Facebook or Google work. By trusting a third party (how OAuth works), the third party can impersonate users, prevent them from logging in, collect information or track the users’ usage of your app, etc. It also introduces a single point of failure.

With Blockstack running as client-side software on the user’s computer, we remove that element of trust. A user can log into your app. You, as the app developer, don’t have to trust anyone.

Agree, it sounds rational. It also conforms to my diploma topic.
But it can also be useful for end-users to have a choice: either to login with some identity provider (they have to trust it, of course, that’s a disadvantage) or to login with their own client-side Blockstack portal. Although the second choice is preferable, some users may not want to install additional software, especially if this technology is not widely accepted yet.

This client-side auth is similar to what I want for my secure email client at https://boilerbay.com/boilerbase-email-project/ but I just want to be able to use pre-existing namespaces like twitter, email, facebook, etc. I need a trusted third party to be able to validate that a new client installation has control over a given name like @Rlderan. The validation would work like:

  • user installs boilerbase
  • user tells boilerbase to use @myuser twitter address as a possible address for secure email from other boilerbase users
  • boilerbase provides a code number
  • user tweets the number
  • trusted (distributed) third-party verifies that tweet happened by using the twitter API, and registers it on blockchain
  • others can now use boilerbase for secure email by directing it to @myuser in the twitter namespace.

Is this already available? In Java? I would like to plug it into my app.

Am I right that blockchainauth Python module (https://github.com/blockstack/blockstack-auth-python) is old and does not work with current installation involving client redirection to Blockstack Portal? I was exploring source code and it seems that request formats in blockchainauth and blockstack.js do not match.
Tagging @ryan as he is the author of the Python package.

@spankratov Yes that’s correct. The python library is outdated and the current JS library needs to be ported over to python. Sorry for the confusion. I can let you know when we start on this. Would appreciate some help as well.

Thanks, @ryan. No problem, I can start working on the port to Python, I need this code for my project anyway. Updates will be posted here, if it’s appropriate.

@spankratov you can take a look at the blockstack ruby library which I ported from the current JS library. Might help in working on the python version:

Thanks, @larry! I will take a look.

It’s done! @ryan, I made pull request to your base repository: https://github.com/blockstack/blockstack-auth-python/pull/5
It seems that profiles part of blockstack.js library has been already ported in Python (https://github.com/blockstack/blockstack-profiles-py), so I didn’t code this.
I’m also not sure about “core session” part of blockstack.js library, as I didn’t find documentation about it.

What is the correct way to fetch profile associated with some name on the server which tries to authenticate this name? Right now I see several possible ways:

  1. Just trust “profile” value of AuthResponse body. But it seems unreliable as this information is generated on a user side and a user could potentially provide invalid data, i.e. not the one from a link from a zone file.
  2. Install Blockstack Core and run Blockstack API on the server side, get a zone file from URL like http://localhost:6270/v1/names/ and fetch profile URI in the zone file.
  3. Use blockstack explorer. Found this one in the code: https://explorer-api.appartisan.com/lookup/

Hey @spankratov thanks for the PR. @larry merged it in and identified a few more issues to work on, which it seems like you’re already getting started on.

The first option is great if you want to listen to what the user claims. It’s not great if you want the user to commit to the same profile that they share with all apps. Depends whether you’re the DMV or a social app. I’ll let you be the judge here.

For the second option, I’m thinking we need a call inside of blockstack.js to help out with this. It should check to see if there’s a local Blockstack Core node running and do name lookups there if it’s present. If it’s not present, it should fall back to resolvers in the cloud.

What do you think?
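Here is an added example (not blockchainauth, blockstack.js or any other Blockstack project code) of option 2 from the question above combined with the fallback order Ryan proposes: ask a local Blockstack Core node for the name's zone file first, fall back to a cloud resolver if the node is not running, pull the profile URL out of the zone file's URI record, fetch the profile from there, and only then compare it with the "profile" the AuthResponse body claims. Assumptions: the local Core endpoint http://localhost:6270/v1/names/<name> answers with JSON that has a "zonefile" field (an assumption about the Core API, check your version), the cloud resolver is modelled as a plain callable rather than a specific explorer URL, and the name, zone file and profile document are constructed sample data. It treats the fetched profile document as opaque JSON; real Blockstack profile files carry signed tokens whose signatures must also be verified, which is outside this example.

```python
"""Added example, not blockchainauth or blockstack.js code: resolve a Blockstack
name to the profile its zone file points at (local Core node first, cloud
resolver as fallback) and check the profile claimed in an AuthResponse against
it. Endpoint shapes are assumptions; sample data below is constructed."""
import json
import re
from typing import Callable, Dict, List, Optional

# (name) -> zone file text, or None if this resolver is unreachable / has no answer
ZoneFileResolver = Callable[[str], Optional[str]]
# (url) -> response body text, or None if the URL could not be fetched
Fetcher = Callable[[str], Optional[str]]

# The local Core name lookup URL from the thread; the response layout is assumed.
LOCAL_CORE_API = "http://localhost:6270/v1/names/"

# Blockstack zone files publish the profile location as a URI record, e.g.
#   _http._tcp URI 10 1 "https://host/profile.json"
# An optional class field ("IN") may sit between the owner name and the type.
URI_RECORD = re.compile(r'^\s*\S+\s+(?:IN\s+)?URI\s+\d+\s+\d+\s+"([^"]+)"\s*$', re.MULTILINE)


def profile_url_from_zone_file(zone_file: str) -> Optional[str]:
    """Return the target of the first URI record (the profile URL), or None."""
    match = URI_RECORD.search(zone_file)
    return match.group(1) if match else None


def local_core_resolver(fetch: Fetcher) -> ZoneFileResolver:
    """Resolver backed by a local Blockstack Core node. Assumes (not verified here)
    that GET /v1/names/<name> returns JSON with a 'zonefile' field."""
    def resolve(name: str) -> Optional[str]:
        body = fetch(LOCAL_CORE_API + name)
        if body is None:
            return None  # node not running: caller falls back to the next resolver
        try:
            return json.loads(body).get("zonefile")
        except ValueError:
            return None
    return resolve


def resolve_zone_file(name: str, resolvers: List[ZoneFileResolver]) -> Optional[str]:
    """Try each resolver in order (local node first, cloud last); first answer wins."""
    for resolver in resolvers:
        zone_file = resolver(name)
        if zone_file:
            return zone_file
    return None


def resolve_profile(name: str, resolvers: List[ZoneFileResolver], fetch: Fetcher) -> Optional[Dict]:
    """Fetch the profile the name's zone file points at; None if anything is missing."""
    zone_file = resolve_zone_file(name, resolvers)
    if zone_file is None:
        return None
    url = profile_url_from_zone_file(zone_file)
    # Refuse plaintext profile URLs: an on-path attacker could swap the document.
    if url is None or not url.startswith("https://"):
        return None
    body = fetch(url)
    if body is None:
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def canonical(profile: Dict) -> str:
    """Key-order-independent serialisation so equal profiles compare equal."""
    return json.dumps(profile, sort_keys=True, separators=(",", ":"))


def claimed_profile_matches(claimed: Dict, resolved: Dict) -> bool:
    """True only if the AuthResponse 'profile' equals the name's published profile."""
    return canonical(claimed) == canonical(resolved)


# ---- constructed sample data (not a real name, zone file or profile) ----
SAMPLE_NAME = "alice.id"
SAMPLE_ZONE_FILE = (
    "$ORIGIN alice.id\n"
    "$TTL 3600\n"
    '_http._tcp URI 10 1 "https://gaia.example.com/alice/profile.json"\n'
)
SAMPLE_PROFILE = {"@type": "Person", "name": "Alice"}


def offline_fetch(url: str) -> Optional[str]:
    """Stand-in for HTTP: the local Core node is 'down', only the sample profile URL resolves."""
    if url == "https://gaia.example.com/alice/profile.json":
        return json.dumps(SAMPLE_PROFILE)
    return None


def offline_cloud_resolver(name: str) -> Optional[str]:
    """Stand-in for a cloud resolver that knows only the sample name."""
    return SAMPLE_ZONE_FILE if name == SAMPLE_NAME else None


def demo():
    """Returns (honest_claim_accepted, forged_claim_accepted)."""
    resolvers = [local_core_resolver(offline_fetch), offline_cloud_resolver]
    resolved = resolve_profile(SAMPLE_NAME, resolvers, offline_fetch)
    honest = {"name": "Alice", "@type": "Person"}  # same content, different key order
    forged = {"@type": "Person", "name": "Alice",
              "account": [{"service": "twitter", "identifier": "ceo"}]}  # user-side tampering
    return claimed_profile_matches(honest, resolved), claimed_profile_matches(forged, resolved)


if __name__ == "__main__":
    print(demo())
```

The point of the comparison step is the one Ryan makes: if the app needs the user to commit to the profile they publish for everyone, the server must derive that profile from the name (zone file, then profile URL) itself and treat the "profile" field of the AuthResponse as a claim to be checked, not as data to be stored.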

Thanks, @ryan. Sorry for delay, I submitted a new PR for these issues: https://github.com/blockstack/blockstack-auth-python/pull/9

I agree, this sounds like a proper method to deal with profile fetching. I implemented this logic in blockchainauth Python library.

I also started to work on Django application using blockchainauth: https://github.com/spankratov/django-blockstack
Will be glad if you take a look and see if Blockstack could make use of my application and what can be made to make it better :slight_smile:

Tagging @ryan and @larry just to make sure my PR and Django app got noticed :slight_smile: