In the spirit of getting started early on 2018’s spring cleaning, we’re going to conduct a review of the Blockstack Authentication with an eye towards fixing any outstanding issues before codifying it into a more formal specification.
I propose a process something like this:
- Review the authentication process and token format
- Discuss any issues that come up and decide whether or not we should address them at this time
- Assign a person to address each issue
- Iterate on and accept their changes
- Assign person to create draft of specification document
- Comment/revision period on specification document
Outstanding issues
- Sign in to native apps that don’t have a manifest.json available: https://github.com/blockstack/blockstack.js/issues/270
- Passing the token by other methods, to avoid excessive URI length problems with servers: https://github.com/blockstack/blockstack.js/issues/284
- Mechanism to pass user’s trusted core node: https://github.com/blockstack/blockstack.js/issues/228
- Update token to use production decentralized identifier format: https://github.com/blockstack/blockstack.js/issues/316
- Define the blockstack: custom protocol schema, versioning and mechanism for extensibility: https://github.com/blockstack/blockstack.js/issues/228
- Should authentication fail if the profile doesn’t exist? https://github.com/blockstack/blockstack.js/issues/307
- Should app trust be based on app origin or app domain? (We currently use the web browser origin but call the field domain_name.)
- Communication of authentication rejection to requesting app (rejecting authentication currently does nothing)
Authentication Token formats
Below, I’ve included commented versions of the authentication request and response tokens as they are in blockstack.js 0.15.0, for those who might not be familiar with the contents of these structures.
Authentication Request Format
const requestPayload = {
jti, // UUID
iat, // JWT creation time in seconds
exp, // JWT expiration time in seconds
iss, // legacy decentralized identifier generated from transit key
public_keys, // single entry array with public key of transit key
domain_name, // app origin
manifest_uri, // url to manifest.json file - must be hosted on app origin
redirect_uri, // url to which browser redirects user on auth approval - must be hosted on app origin
version, // version tuple
do_not_include_profile, // a boolean flag asking browser to send profile url instead of profile object
supports_hub_url, // a boolean flag indicating gaia hub support
scopes // an array of string values indicating scopes requested by the app
}
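As an added illustration (not code from blockstack.js or the original post), here are the field-level checks a verifier could run on a decoded request payload with the fields above, in particular that manifest_uri and redirect_uri are hosted on the app origin given in domain_name and that the expiry window is sane. The lifetime limit and clock-skew tolerance are assumptions; JWT signature verification against public_keys is a separate step not shown here.

```javascript
// Added example, not blockstack.js code: structural checks on a decoded
// authentication request payload. Signature verification is out of scope.
const MAX_LIFETIME_SECONDS = 3600;  // assumption: the post sets no lifetime limit
const CLOCK_SKEW_SECONDS = 60;      // assumption: tolerated iat drift

// Origin of a URL string, or null if it does not parse (covers undefined too).
function originOf(urlString) {
  try { return new URL(urlString).origin; } catch (e) { return null; }
}

// Returns a list of problems; an empty list means every check passed.
function validateRequestPayload(payload, nowSeconds) {
  const errors = [];
  if (typeof payload.jti !== 'string' || payload.jti.length === 0) {
    errors.push('jti must be a non-empty string');
  }
  if (!Number.isInteger(payload.iat) || !Number.isInteger(payload.exp)) {
    errors.push('iat and exp must be integer seconds');
  } else {
    if (payload.exp <= nowSeconds) errors.push('token has expired');
    if (payload.iat > nowSeconds + CLOCK_SKEW_SECONDS) errors.push('iat is in the future');
    if (payload.exp - payload.iat > MAX_LIFETIME_SECONDS) errors.push('token lifetime too long');
  }
  if (!Array.isArray(payload.public_keys) || payload.public_keys.length !== 1 ||
      typeof payload.public_keys[0] !== 'string') {
    errors.push('public_keys must be a single-entry array holding one public key');
  }
  // The app origin anchors trust: manifest_uri and redirect_uri must live on it,
  // otherwise the approval could be redirected to a site the user never approved.
  const appOrigin = originOf(payload.domain_name);
  if (appOrigin === null) {
    errors.push('domain_name is not a valid origin');
  } else {
    for (const field of ['manifest_uri', 'redirect_uri']) {
      if (originOf(payload[field]) !== appOrigin) {
        errors.push(`${field} must be hosted on the app origin ${appOrigin}`);
      }
    }
  }
  if (!Array.isArray(payload.scopes) || !payload.scopes.every((s) => typeof s === 'string')) {
    errors.push('scopes must be an array of strings');
  }
  return errors;
}
```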
Authentication Response Format
const responsePayload = {
jti, // UUID
iat, // JWT creation time in seconds
exp, // JWT expiration time in seconds
iss, // legacy decentralized identifier (string prefix + identity address)
private_key, // encrypted private key payload
public_keys, // single entry array with public key
profile, // profile object or null if passed by profile_url
username, // blockstack id username (if any)
core_token, // encrypted core token payload
email, // email if email scope is requested & email available
profile_url, // url to signed profile token
hubUrl, // url pointing to user's gaia hub
version // version tuple
}
Next Steps
We can discuss this plan in either the next weekly meeting or next engineering meeting. In the meantime, if there are some issues you have with authentication that are not on the list above, please comment on this topic!