Announcing IC-SIWS: Use Solana wallets to login to ICP

Hi! I am happy to announce a follow-up project to IC-SIWE: IC-SIWS.

IC-SIWS allows you to easily add Solana as an authentication method to your ICP project.

1. Just like Internet Identity, IC-SIWS validates the authentication payload in an identity provider canister and then generates a delegate identity for the user. This provider canister comes pre-built and can be added to your project's dfx.json like this:

{
  "canisters": {
    "ic_siws_provider": {
      "type": "custom",
      "candid": "https://github.com/kristoferlund/ic-siws/releases/download/v0.0.1/ic_siws_provider.did",
      "wasm": "https://github.com/kristoferlund/ic-siws/releases/download/v0.0.1/ic_siws_provider.wasm.gz"
    },
    ...
  },
  ...
}

2. Configure the canister with project-specific settings during deployment:

dfx deploy ic_siws_provider --argument "( \
    record { \
        domain = \"127.0.0.1\"; \
        uri = \"http://127.0.0.1:5173\"; \
        salt = \"salt\"; \
        chain_id = opt \"mainnet\"; \
        scheme = opt \"http\"; \
        statement = opt \"Login to the app\"; \
        sign_in_expires_in = opt 300000000000; /* 5 minutes */ \
        session_expires_in = opt 604800000000000; /* 1 week */ \
        targets = opt vec { \
            \"$(dfx canister id ic_siws_provider)\"; \
            \"$(dfx canister id backend)\"; \
        }; \
    } \
)"

3. Hook the support hook up to your React-based frontend to interact with the provider canister to generate identities, etc.

import { useSiwsIdentity } from "ic-use-siws-identity";

function LoginButton() {
  const { login, clear, identity /* ... */ } = useSiwsIdentity();
  // ...
}

Provider canister, Rust library and React hook: GitHub - kristoferlund/ic-siws: SIWS, Sign in with Solana for ICP, the Internet Computer. Build cross chain Solana apps on ICP!

Rust template and demo app: GitHub - kristoferlund/ic-siws-react-demo-rust: React demo and template for IC-SIWS, Sign in with Solana for ICP, the Internet Computer. Build cross chain Solana apps on ICP!

Live demo: https://guidq-3qaaa-aaaal-qiteq-cai.icp0.io/

9 Likes

Why do we need to call a canister? Can this be done client-side only from JS without any canisters?

1 Like

Generating the message to sign in the client is possible but it removes one layer of security. Since the client cannot be trusted, it makes no sense to include a nonce, a date or any other data that changes in the message that the user signs. If the message changes, that would also lead to the generated identity being different each time since the identity is based on the signature. So, the message will be the same every time a user logs in. The signature will be the same.

If my signature is leaked, the holder of that signature can log in as me forever.

Generating and verifying the message in the canister, including a nonce, radically improves security.

1 Like
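The replay argument in the answer above, as an added example (not part of the original posts and not ic-siws code): a toy in-memory stand-in for the provider canister, run under Node.js. Hex-encoded addresses, the message layout and the names `prepareLogin`, `login` and `staticLogin` are assumptions made for the example.

```javascript
// Added example: toy model of a provider canister's sign-in flow, not ic-siws code.
const crypto = require("node:crypto");
const SIGN_IN_TTL_MS = 5 * 60 * 1000; // same 5 minutes as sign_in_expires_in above
const pending = new Map();            // address -> { message, expiresAt }

// Assumption: addresses are hex-encoded raw ed25519 keys (Solana uses base58).
const SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");
const addressOf = (key) =>
  key.export({ format: "der", type: "spki" }).subarray(12).toString("hex");
const keyFromAddress = (address) => crypto.createPublicKey({
  key: Buffer.concat([SPKI_PREFIX, Buffer.from(address, "hex")]),
  format: "der", type: "spki",
});

// Canister side, step 1: issue a message with a fresh nonce and remember it.
function prepareLogin(address, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString("hex");
  const message = [
    "127.0.0.1 wants you to sign in with your Solana account:", address, "",
    "Login to the app", "", "URI: http://127.0.0.1:5173",
    `Nonce: ${nonce}`, `Issued At: ${new Date(now).toISOString()}`,
  ].join("\n");
  pending.set(address, { message, expiresAt: now + SIGN_IN_TTL_MS });
  return message;
}

// Canister side, step 2: verify against the stored message, which is single use.
function login(address, signature, now = Date.now()) {
  const entry = pending.get(address);
  if (!entry) return "no pending sign-in";
  pending.delete(address); // burn the nonce whether or not verification succeeds
  if (now > entry.expiresAt) return "expired";
  const ok = crypto.verify(null, Buffer.from(entry.message), keyFromAddress(address), signature);
  return ok ? "ok" : "bad signature";
}

// Client-only variant from the question: fixed message, nothing stored or consumed.
const STATIC_MESSAGE = "Login to the app";
function staticLogin(address, signature) {
  const ok = crypto.verify(null, Buffer.from(STATIC_MESSAGE), keyFromAddress(address), signature);
  return ok ? "ok" : "bad signature";
}

// Constructed wallet stand-in: a throwaway ed25519 key pair.
const wallet = crypto.generateKeyPairSync("ed25519");
const walletAddress = addressOf(wallet.publicKey);
const sign = (message) => crypto.sign(null, Buffer.from(message), wallet.privateKey);
const captured = sign(prepareLogin(walletAddress)); // replay the same signature twice:
console.log(login(walletAddress, captured), login(walletAddress, captured));
```

Because ed25519 signatures are deterministic, a signature over the fixed message passes `staticLogin` on every replay, while the canister-style flow accepts each signature once and rejects it against any later nonce.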

Hi Kris,

This is very interesting. I’ve been working on something like this, but non-custodial, for EVM or SOL wallets for quite a while; here’s some sample code

A couple of questions:
How are the keys being generated from the message?
Have you considered a non-custodial way for the user to access their keys or any recovery method?

extra: What is your take on security without a custodial wallet?

This actually is a very good explanation. Thank you.
Makes perfect sense now.

See the source code here:

What do you mean by “non custodial” in this context?

I had a brief look at your code and believe you risk running into the same issues as I described to @let4be. Generating an identity in the browser is possible but less secure than generating it in the canister.

1 Like

Yes, so non-custodial in the sense that the user has access to their keys locally.

It’s a concern if signing calls with the private keys, but the delegation provides an extra layer of security with the auth-client.

So for a video game or social dapp focused on user experience the preferred method could be the fastest or the more familiar.

Oh, thanks for the code reference, I’d be looking into implementing the delegation!