From a8f5102e247e315954d3135ab068e99410cee6dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Friedger=20M=C3=BCffke?= Date: Wed, 18 May 2022 12:29:10 +0200 Subject: [PATCH 1/4] initial draft for sign in with stacks --- .../sip-x-sign-in-with-stacks.md | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md diff --git a/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md b/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md new file mode 100644 index 00000000..818bbaf6 --- /dev/null +++ b/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md 
@@ -0,0 +1,87 @@ +# Preamble + +SIP Number: X + +Title: Sign In With Stacks + +Author: Friedger Müffke (mail@friedger.de), Leo Pradel + +Consideration: Technical + +Type: Standard + +Status: Draft + +Created: 18 May 2022 + +License: CC0-1.0 + +Sign-off: + +Layer: Applications + +Discussions-To: https://github.com/stacksgov/sips + +# Abstract + +Web application often provide their services only to authenticated users. In +Web2, this was done through username and password or federated logins. In Web3, +users can proof their digital identity by cryptographically signing that the +user ownes the private key associated with that digital identity. + +SIP-018 defines the structure of signatures in general. This SIP defines the +message format that web applications and similar off-chain services should use for their users to sign. + +# License and Copyright + +This SIP is made available under the terms of the Creative Commons CC0 1.0 Universal license, available at https://creativecommons.org/publicdomain/zero/1.0/ +This SIP’s copyright is held by the Stacks Open Internet Foundation. + +# Introduction + +# Specification + +Sign-In with Stacks works as follows: + +1. The wallet presents the user with a structured message as defined in SIP-018. The message is a clarity value of type `tuple` with the properties described below. +2. The signature is then presented to the server, which checks the signature’s validity and message content. +3. Additional fields, including expiration-time, not-before, request-id, chain-id, and resources may be incorporated as part of authentication for the session. +4. The server may further fetch data associated with the public key, the stacks address, or other data sources that may or may not be permissioned. 
+ +## Properties + +| name | type | description | +| --------------- | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| title | (string-ascii 305) | Must be the application's domain name (max 255) followed by ` wants you to sign in with your Stacks account:` | +| address | principal | The address of the signer | +| statement | (string-ascii 80) | (optional) Describes the terms and conditions the user agrees to by using the application. | +| URI | (string-ascii 80) | An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim). | +| version | uint | is the current version of the message, which MUST be X for this specification. | +| chain-id | uint | (optional) the chain ID to which the session is bound. This must correspond to the version of the address. | +| nonce | (string-ascii 64) | randomized token used to prevent replay attacks, at least 8 alphanumeric characters. | +| issued-at | (string-ascii 27) | The ISO 8601 datetime string of the current time. | +| expiration-time | (string-ascii 27) | (optional) The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid. | +| not-before | (string-ascii 27) | (optional) The ISO 8601 datetime string that, if present, indicates when the signed authentication message will become valid. | +| request-id | (string-ascii 64) | an system-specific identifier that may be used to uniquely refer to the sign-in request. | +| resources | (list 10 (string-ascii 80)) | (optional) A list of information or references to information the user wishes to have resolved as part of authentication by the relying party. 
They are expressed as RFC 3986 URIs | + +# Related work + +## Ethereum EIP4361 + +[Ethereum EIP4361 standard](https://eips.ethereum.org/EIPS/eip-4361) + +## DID Auth + +[DID Auth Working +group](https://identity.foundation/working-groups/authentication.html) + +[OpenID Connect for Verifiable Presentations](https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html) + +# Backwards Compatibility + +Not applicable + +# Activation + +TODO From fb22d746ffda909980091ce0f2aa17224a5cd82e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Friedger=20M=C3=BCffke?= Date: Wed, 18 May 2022 12:38:44 +0200 Subject: [PATCH 2/4] fix: reduce title length --- sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md b/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md index 818bbaf6..44880f50 100644 --- a/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md +++ b/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md @@ -52,7 +52,7 @@ Sign-In with Stacks works as follows: | name | type | description | | --------------- | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| title | (string-ascii 305) | Must be the application's domain name (max 255) followed by ` wants you to sign in with your Stacks account:` | +| title | (string-ascii 126) | Must be the application's domain name (max 80) followed by ` wants you to sign in with your Stacks account` | | address | principal | The address of the signer | | statement | (string-ascii 80) | (optional) Describes the terms and conditions the user agrees to by using the application. | | URI | (string-ascii 80) | An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim). | 
From 22f964ca9beddf9fd750d466b4a20568435f3911 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Friedger=20M=C3=BCffke?= Date: Wed, 18 May 2022 14:10:36 +0200 Subject: [PATCH 3/4] add section about localization --- sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md b/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md index 44880f50..f9c5241e 100644 --- a/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md +++ b/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md @@ -65,6 +65,10 @@ Sign-In with Stacks works as follows: | request-id | (string-ascii 64) | an system-specific identifier that may be used to uniquely refer to the sign-in request. | | resources | (list 10 (string-ascii 80)) | (optional) A list of information or references to information the user wishes to have resolved as part of authentication by the relying party. They are expressed as RFC 3986 URIs | +## Presentation and Localization + +TODO + # Related work ## Ethereum EIP4361 From e426e59edea65b0e24e4e3e6fdcdd622f36652b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Friedger=20M=C3=BCffke?= Date: Thu, 1 Dec 2022 22:38:00 +0100 Subject: [PATCH 4/4] start to adapt to caip-122, add related work, fix typos --- .../sip-x-sign-in-with-stacks.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md b/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md index f9c5241e..51d93c49 100644 --- a/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md +++ b/sips/sip-x sign-in-with-stacks/sip-x-sign-in-with-stacks.md 
@@ -24,9 +24,9 @@ Discussions-To: https://github.com/stacksgov/sips # Abstract -Web application often provide their services only to authenticated users. In +Web applications often provide their services only to authenticated users. In Web2, this was done through username and password or federated logins. In Web3, -users can proof their digital identity by cryptographically signing that the +users can prove their digital identity by cryptographically signing that the user ownes the private key associated with that digital identity. SIP-018 defines the structure of signatures in general. This SIP defines the 
@@ -52,12 +52,11 @@ Sign-In with Stacks works as follows: | name | type | description | | --------------- | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| title | (string-ascii 126) | Must be the application's domain name (max 80) followed by ` wants you to sign in with your Stacks account` | -| address | principal | The address of the signer | +| domain | (string-ascii 126) | Must be the application's domain name (max 80) followed by ` wants you to sign in with your Stacks account` | +| address | string-ascii | The address of the signer in CAPI-10 format, including the chain id. | | statement | (string-ascii 80) | (optional) Describes the terms and conditions the user agrees to by using the application. | -| URI | (string-ascii 80) | An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim). | -| version | uint | is the current version of the message, which MUST be X for this specification. | -| chain-id | uint | (optional) the chain ID to which the session is bound. This must correspond to the version of the address. | +| uri | (string-ascii 80) | An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim). | +| version | string | is the current version of the message, which MUST be X for this specification. | | nonce | (string-ascii 64) | randomized token used to prevent replay attacks, at least 8 alphanumeric characters. | | issued-at | (string-ascii 27) | The ISO 8601 datetime string of the current time. | | expiration-time | (string-ascii 27) | (optional) The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid. | 
@@ -71,6 +70,9 @@ TODO # Related work +## Stacks Auth +The Stacks authentication protocol uses a signed JWT with data similar to this SIP to authenticate the user to the app. However, this signed token contains data that should not be shared outside the app without the users' consent. + ## Ethereum EIP4361 [Ethereum EIP4361 standard](https://eips.ethereum.org/EIPS/eip-4361)
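Review bot: In patch 1/4, the `nonce` row ("at least 8 alphanumeric characters") and step 2 of the Specification never say who generates the nonce or that the server has to check it, so an implementation that follows the text validates only the signature and can accept a replayed message. Suggest stating that the server issues the nonce per sign-in request and rejects it after first use, and that step 2 also requires the server to compare the domain in `title` and the `URI` against its own origin and to enforce `expiration-time` and `not-before` when they are present. Separately, step 3 lists `request-id` among the additional fields, but its row lacks the "(optional)" marker that the other additional fields carry.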
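Review bot: In patch 2/4, the new `title` row caps the domain name at 80 characters where the first draft allowed 255, and neither the row nor the commit message says why or what an application with a longer host name should do. The arithmetic is consistent (80 plus the 46-character suffix gives 126), but DNS names can be up to 253 characters, so either keep the larger bound or state explicitly that longer domains are not supported. The trailing colon was also dropped from the suffix; mention that in the commit message, because it changes the string the user signs.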
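Review bot: In patch 3/4, the new "Presentation and Localization" section contains only `TODO`, which leaves unspecified how a wallet renders the tuple to the user. The user's consent rests on what the wallet displays, so before this leaves Draft the section should at least say which fields are shown verbatim (the domain and `address`) and whether localized text may replace any signed string.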
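Review bot: In patch 4/4, first hunk, "ownes" in the unchanged line right after the `prove` fix is still misspelled. This commit is already fixing typos in that sentence, so change it to "owns" in the same hunk.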
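Review bot: In patch 4/4, second hunk, the `title` field is renamed to `domain` but its description still requires the domain name "followed by ` wants you to sign in with your Stacks account`", so a field called `domain` carries a sentence and a verifier has to strip the suffix before it can compare the value to its origin. Suggest making `domain` the bare domain name and moving the fixed sentence to the presentation section. In the same hunk: "CAPI-10" should read "CAIP-10", to match the commit subject's caip-122; the new `address` type `string-ascii` has no length bound, unlike every other string row; `version` is typed `string`, which is not one of the Clarity types used elsewhere in the table; and the `chain-id` row is removed while step 3 of the Specification still lists chain-id as an additional field.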
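Review bot: In patch 4/4, third hunk, the new "Stacks Auth" entry has no link, while the other Related work entries all point to a specification, and it does not name which data in the signed token "should not be shared outside the app". Suggest linking the Stacks authentication protocol document and naming the sensitive fields, so the contrast with this SIP is verifiable. Minor: add a blank line after the `## Stacks Auth` heading to match the other headings, and "users'" should be "user's".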