Using Blockstack for (centralized) server-side authentication

djnicholson · September 11, 2019, 6:05pm

I’m doing some initial research for a new Blockstack app. The app will allow users to sign in with Blockstack and store data in their GAIA storage. However there will also be a scenario where a user can choose to share data with a centralized service.

Technical question:

Is there a suggested/approved way to authenticate a Blockstack user to a server in a trustless way? I do not want to submit any Blockstack auth token or key to the server. The server only needs proof that it is talking to a specific Blockstack ID, it does not need to act on behalf of that user in anyway.

I could build my own “protocol” to do this, e.g. the server could generate a nonce and ask the user to write it to their GAIA storage (publicly viewable) then the server could check that the GAIA URL exists and contains the correct nonce. I don’t want to roll my own protocol if something simpler exists already, though.

App-mining question:

Would this kind of architecture prevent the app from receiving app-mining rewards. The app overall will still be genuinely decentralized and give the user control of their own data stored in GAIA. It will just have some scenarios where the user chooses to also share data with a centralized service.

MichaelFedora · September 11, 2019, 6:55pm

What’s stopping you from authenticating Blockstack on the frontend and then sending the result to the backend (with HTTPS, CORS, etc all enabled)? Or is having a frontend out of the question?

There is no “talking to a specific Blockstack ID;” there is only the authentication request which is returned with a Gaia Token and other information or with an error – that is all.

djnicholson · September 12, 2019, 12:02pm

What do you mean by “sending the result to the backend”. I deliberately do not want to send the token to the backend as this would allow the server to act on behalf of the user. My server just needs proof that the user has control of a specific Blockstack ID.

mikecohen.id · September 12, 2019, 1:04pm

Hi - just curious about this and want to check my understanding…

Json web tokens perform both authentication and resource access. The blockstack auth token is a standard json web token (albeit using elliptic curve cryptography) that is generated by blockstack browser during authentication and can then legitimately be passed to resource server to access some resource.

In this latter case you’d send it to the resource server as a bearer token. The resource server would unpack it and validate its signature and then check the scopes to see if it has permission to access the resource.

Cors headers etc can be used to stop the request ever reaching the resource server e.g. to filter out unwanted traffic at a higher level.

This seems a reasonable thing to do to me in cases where no state is being stored on the resource server - e.g. an ethereum gateway resource server might provide reads of smart contract data to a blockstack user with permission to access the smart contract - this means you can avoid meta mask and perform permissioned reads on ethereum.

It may even be possible to set additional scopes in the auth token on the client to help the resource server decide whether to grant access.

Interested to know how other people see this?

MichaelFedora · September 12, 2019, 1:23pm

I agree with @mikecohen.id – you are only sending the token, not other data/etc. that the user is not allowed to control, so what’s the problem here?

Unless your server is a security risk… in which case you would instead write something to the Gaia Hub, or sign a custom token with the app public/private key given to you from the JWT on the client-side.

djnicholson · September 12, 2019, 2:54pm

Exactly. I’m saying that my users should be able to treat my server as a security risk and still feel secure using my decentralized app. For example: What if my app allowed a user to store all of their photos in GAIA storage and then selectively choose certain photos to share publicly through a centralized service that I run? I would want my users to know (e.g. after reviewing open source code) that my centralized service will only see photos they want it to see, but I still want the centralized service to be able to attribute a specific photo to a specific Blockstack user.

Yes, agree. My question is, does some best practice for this already exist. Or should I just “roll my own”.

mikecohen.id · September 14, 2019, 3:38pm

Hi @djnicholson, sounds like you want to look at the Radiks project @hank is building - this is a way to cache data being stored via Gaia into a centralised mong db. hope this helps…

hank · September 16, 2019, 3:33am

I just wanted to clarify this point. If you pass the authResponse token to the server, the server can validate that the user does own the Blockstack ID, but the server cannot act on behalf of the user. This is because the appPrivateKey is encrypted using a “transit token” that is only stored on the client.

App.co is a centralized app, and it uses this model of server-side Blockstack auth to validate usernames, but it cannot actually do anything on behalf of the user.

Here is the app.co API code for server-side Blockstack auth:

github.com

blockstack/app.co-api/blob/master/controllers/user-controller.js#L141


        update_existing: true,
        double_optin: false,
      },
    );
    res.json({ success: true });
  } catch (error) {
    res.json({ success: false, error: error.message });
  }
});


router.post('/authenticate', async (req, res) => {
  const { authToken } = req.query;
  if (!authToken) {
    return res.status(400).json({ success: false });
  }


  const nameLookupURL = 'https://core.blockstack.org/v1/names/';
  if (!(await verifyAuthResponse(authToken, nameLookupURL))) {
    console.log('Invalid auth response');
    return res.status(400).json({ success: false });
  }

friedger · September 16, 2019, 7:24am

I use the authentication through a nonce on gaia for OI Chat. Here is the server part:

OI Chat is taking part in the app mining program.

If you want to include any user with a DID then there is a proposal for did auth at:

github.com

WebOfTrustInfo/rwot6-santabarbara/blob/master/final-documents/did-auth.md

# Introduction to DID Auth

**Authors:** Markus Sabadello, Kyle Den Hartog, Christian Lundkvist, Cedric Franz, Alberto Elias, Andrew Hughes, John Jordan, Dmitri Zagidulin

**Contributors:** Eugeniu Rusu, Adam Powers, John Callahan, Joe Andrieu


# Abstract

The term DID Auth has been used in different ways and is currently not well-defined. We define DID Auth as a ceremony where an _identity owner_, with the help of various components such as web browsers, mobile devices, and other agents, proves to a _relying party_ that they are in control of a DID. This means demonstrating control of the DID using the mechanism specified in the DID Document's "authentication" object. This could take place using a number of different data formats, protocols, and flows. DID Auth includes the ability to establish mutually authenticated communication channels and to authenticate to web sites and applications. Authorization, Verifiable Credentials, and Capabilities are built on top of DID Auth and are out of scope for this document. This paper gives on overview of the scope of DID Auth, supported protocols and flows, and the use of components of the DID Documents that are relevant to authentication, as well as formats for challenges and responses.

# Resources

This paper is a continuation of ongoing work by [Rebooting the Web of Trust](https://www.weboftrust.info/) and other communities. Previous work includes:

* [RWoT IV: James Monaghan's topic paper "DID Auth"](https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2017/blob/master/topics-and-advance-readings/did-auth.md)
* [RWoT VI: Markus Sabadello's topic paper "DID Auth: Scope, Formats, and Protocols"](https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/topics-and-advance-readings/DID%20Auth:%20Scope,%20Formats,%20and%20Protocols.md)
* [RWoT VI: Kyle Den Hartog's topic paper "DID-Auth protocol"](https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/topics-and-advance-readings/DID-Auth%20protocol.md)

Portions of the work on this paper have been funded through a Code With Us contract awarded by the BC Developers' Exchange (https://bcdevexchange.org/) of the Province of British Columbia, Canada.

This file has been truncated. show original

djnicholson · September 17, 2019, 8:13pm

Awesome. I was unaware of the transit token. Thanks for explaining that, Hank. Also the sample code you provided to validate the authresponse on the server and extract the username will be very useful.

seanwaye.id.blocksta · March 11, 2020, 11:48pm

Suppose I have a backend server that must store some user data as it has its own proprietary database. I would want to maximize anonymity by storing some unique identifier that cannot be traced back to the users blockstack id. What is the best way for the server to know that it is taking requests from an authenticated id without actually knowing what that ID is? i.e. separate the centralized service so that it doesn’t know who its communicating with, but ensure others cannot make requests on behalf of the authenticated user.

The only two solutions i can think of is

Generate uuid server side and send this back to client to ‘create account’. User must then return signed uuid jwt to the server to make authenticated requests.
Have the client encrypt the name of their blockstack ID and pass it as a jwt to the server.

Which method would be considered best practice/is there a better way of doing this?

mikecohen.id · March 12, 2020, 8:32am

Best practice here is to organise things so the user data is not stored centrally.

It’d be decentralised via user’s gaia hub under their control. Some data - with the users consent - can be considered public and indexed somewhere like a lucene index to make e.g. marketplace functionality possible. Radiks is the main resource for collaboration between users but you can roll your own.

seanwaye.id.blocksta · March 12, 2020, 2:02pm

I understand this would be best practice to completely decentralize but assuming this is not possible due to database constraints which would be preferred option?

Im trying to create custodial lightning wallets and the database cannot be moved to Gaia storage. Additionally these require 100% server uptime which is not possible with current dApp model as far as im aware

The majority of user info would be decentralized but the server would need to query the lightning node to find out what the balance of a user is, not necessarily who that user is.

friedger · March 13, 2020, 5:41pm

My preferred option would be 1. where the user signs the uuid. This goes also in the same direction as self-issued openid providers