The goal of the Sign-in With Ethereum work is to create a specification and reference implementation that provides an end-to-end authentication flow for users to log in to traditional Web2 services with an Ethereum account, using the Ethereum Name Service (ENS) as the main user-controlled data aggregator.
Original title: “Login with Ethereum-Proposed Workflow”
Written by: Spruce
Compilation: ETH Chinese Station
Translator’s note: Spruce is an open source software company that focuses on decentralized identity and data. It has evolved from “not your key, not your coin” to “not your key, not your identity.” Earlier, ENS and Spruce announced a partnership. Spruce posted that Sign-in with Ethereum will enable users to use their Ethereum accounts, instead of accounts owned by large companies, to access Web2 network services.
Regarding the work of promoting login with Ethereum, our initial goal is to create a specification and reference implementation that provides an end-to-end authentication flow for users to log in to traditional Web2 services with an Ethereum account, using ENS as the main user-controlled data aggregator.
This will allow Ethereum users to bring their own key-based digital identities instead of relying on centralized identity providers such as Google, Facebook, or Amazon. We will further describe how relying parties can retrieve and verify user identity information, such as email accounts, phone numbers, and social media accounts, while protecting user privacy.
Currently, if users want to log in to a website, they have to choose one of a handful of large Internet companies as their identity provider (IdP). The designers of OAuth 2.0 and OpenID Connect originally intended a whole ecosystem of identity providers for users to choose from, not just a few dominant entities. By simplifying authentication for end users and developers, these large identity providers have come to control users’ identities, which means they also control access to key services (including banking, payments, and social networks) and have visibility into that access. This kind of intermediary structure restricting people’s direct access to online services is much like centralized banks restricting users’ direct access to financial markets.
Ethereum-compatible wallets are becoming more and more popular; MetaMask, for example, has more than 5 million monthly active users. There is now a new way to authenticate directly to Web2 services: using message signing and claim aggregation straight from the user’s Web3 wallet and ENS, instead of relying on traditional intermediaries.
These claims can be used not only for the login process but, more broadly, to turn existing Web2 accounts into crypto-enabled applications.
By logging in with Ethereum, users will be able to:
Use an Ethereum wallet that supports WalletConnect to log in to any Web2 service that has installed the “Sign-in With Ethereum Server SDK”.
Understand what information the Web2 service needs to verify and which sources it uses to complete the login process.
Select, from the “Sign-in with Ethereum Client SDK”, the claims to be presented to the server, so that the server can retrieve and verify information from various sources, including the Ethereum Name Service (ENS), the InterPlanetary File System (IPFS), HTTPS, etc.
Use encrypted claims and claims that require authorization (note: this may be separated from the core library and specification into an extension specification).
And Web2 service operators will be able to:
Integrate the Sign-in with Ethereum Server SDK or specification into popular web frameworks and authentication libraries to support Sign-in with Ethereum, either directly or through authentication method aggregators (such as Auth0 or Passport.js).
Specify the requirements for Sign-in with Ethereum. As part of the login process, the service can retrieve and verify claims submitted by users and/or aggregated via ENS, such as Web3 account balances, NFT ownership, W3C Verifiable Credentials, etc.
Link Web2 accounts to Ethereum addresses. The service can retrieve and verify claims submitted by users and/or via ENS to extend Web2 accounts with new features, such as special portals or downloads reserved for NFT owners, private off-chain admin panels for DAO members, or other decisions driven by on-chain data or off-chain signed credentials.
Integrate the Sign-in with Ethereum workflow into existing OAuth 2.0/OpenID Connect relying parties through configuration alone. This relies on a trusted identity provider that supports the Sign-in With Ethereum authentication method and can establish OAuth 2.0/OpenID Connect sessions.
As for how the workflow works: the relying party first presents the user with its login requirements, including which claims from ENS are required for the different authentication types, a nonce to prevent replay, and a unique site identity. Here, ENS domain ownership can serve as a basic anti-Sybil mechanism.
The user then performs Ethereum-based authentication by signing through WalletConnect, and the signature is sent to the relying party. This step uses a data model that supports the user’s selection of relevant claims, letting the user specify which claims the relying party should query (i.e., the selected facts about their account that should be used to establish a session). These facts are retrieved through ENS as TXT records, either by value or by reference (i.e., a URL).
Next, the relying party uses the claim query method to retrieve and verify the relevant claims for the Ethereum account, such as the ENS address, email verification, social media account linking or verification (for example, via Uniswap Sybil), and any other claims supported by both the user and the server.
Users can then access and interact with the service as usual, bringing their own digital identity rather than one dominated by a centralized identity provider. We believe this will be a major advance in users’ control and management of their online interactions.
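The workflow above, as an added example that is not Spruce’s code: a relying party issues a challenge carrying its site identity, a single-use nonce and the claims it needs; a wallet states its account and signs; the relying party checks site binding and replay, recovers the signer, and resolves the requested claims from ENS TXT records by value or by reference. The message layout, the toy secp256k1 arithmetic, the sha256 and x-coordinate stand-ins for Keccak-256 and the Ethereum address, and the ENS records are all assumptions constructed for this example.

```python
import hashlib, secrets, time
# Toy affine secp256k1 (no side-channel hardening) so the example runs on the stdlib alone.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    l = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)
def scalar_mul(k, pt):
    r = None
    while k:
        if k & 1: r = point_add(r, pt)
        pt, k = point_add(pt, pt), k >> 1
    return r
def digest(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N  # sha256 stands in for Keccak-256 (assumption)
def account(pub): return "0x%064x" % pub[0]  # stand-in for the Keccak-based Ethereum address (assumption)
def respond(priv, challenge):  # wallet side: state the account, then sign (r, s, recovery bit)
    msg = challenge + "\naddress: " + account(scalar_mul(priv, G))
    k = secrets.randbelow(N - 1) + 1
    R = scalar_mul(k, G)
    return msg, (R[0] % N, pow(k, -1, N) * (digest(msg.encode()) + R[0] * priv) % N, R[1] & 1)
def recover(msg, r, s, v):  # public key that produced (r, s, v) over msg
    y = pow(r**3 + 7, (P + 1) // 4, P)
    R = (r, y if y & 1 == v else P - y)
    return scalar_mul(pow(r, -1, N), point_add(scalar_mul(s, R), scalar_mul(N - digest(msg), G)))

class RelyingParty:
    def __init__(self, domain, ens_txt, fetch):  # ens_txt: constructed stand-in for ENS TXT lookups
        self.domain, self.ens_txt, self.fetch, self.nonces = domain, ens_txt, fetch, {}
    def challenge(self, claims):  # step 1: site identity, nonce and the claims the site needs
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = time.time() + 300  # single use, valid for five minutes
        return f"{self.domain} wants you to sign in\nnonce: {nonce}\nclaims: {','.join(claims)}"
    def verify(self, msg, sig):  # step 3: site binding, replay, signature, then claim lookup
        f = dict(line.split(": ", 1) for line in msg.split("\n")[1:])
        if not msg.startswith(self.domain + " ") or self.nonces.pop(f["nonce"], 0) < time.time():
            return None  # wrong site, or a replayed or expired challenge
        if account(recover(msg.encode(), *sig)) != f["address"]:
            return None  # signature was not produced by the stated account
        return f["address"], {c: self.resolve(f["address"], c) for c in f["claims"].split(",")}
    def resolve(self, acct, claim):  # the TXT record holds the claim by value or by reference (URL)
        rec = self.ens_txt.get(acct, {}).get(claim)
        return self.fetch(rec) if rec and rec.startswith("https://") else rec
```

A second `verify` of the same signed message fails because the nonce was consumed, and a message re-targeted at another site fails the site-identity check before any signature work is done.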
A note on privacy. We will first focus on Web3 users who are already accustomed to associating their Ethereum address with their public persona and understand what that means, such as the many people who proudly display their NFTs as profile pictures (pfp) on Twitter. We believe privacy should be about achieving appropriate information flows, not absolute confidentiality. As the privacy requirements of different user groups (such as mainstream Internet users) change, the way we use privacy tools must change too, for example by deriving a fresh Ethereum address for each interaction, or by combining zero-knowledge privacy techniques to reduce linkability.
Source link: blog.spruceid.com
Disclaimer: As a blockchain information platform, the articles published on this site only represent the author’s personal views, and have nothing to do with the position of ChainNews. The information, opinions, etc. in the article are for reference only, and are not intended as or regarded as actual investment advice.