Create Identity from Principal ID or _delegations

Developers JavaScript
1

Support | Question

I’m trying to call a canister from my backend using the identity that the user obtained from the frontend. Is it possible to recreate this identity using the principal ID or from a _delegation by stringifying the Identity object? Thank you.

2

Delegations are a great way to send a user’s identity to the server without actually sending the private key.

Basically you’d:

  1. Creat identity on client side (can be ed25519, ecdsa etc)
  2. Create identity on server side (can be ed25519, ecdsa etc, doesn’t need to match client identity type)
  3. Send public key of server side identity to client
  4. Use DelegationChain.create with client identity and server identity public key
  5. Call toJSON on this delegation chain and send JSON to server
  6. Use DelegationChain.fromJSON to re-create it from the received JSON
  7. Use DelegationIdentity.fromDelegation with server identity and delegation chain
  8. Now you can make calls on behalf of user using this DelegationIdentiy
1 Like
3

Hey I am trying to work on an OAuth kit to onboard web 2 users just so I understand it correctly I will leave my train of thought here.

Client-Side Initial Setup

1.Create a Secp256k1KeyIdentity on the client and store it in localStorage.
2.Encode the session key’s public key as part of the state parameter.
3.Redirect the user to OAuth authorization endpoint with appropriate parameters.

Server-Side Authentication

4.Receive the Oauth callback from with the authorization code and state.
5.Use the code to get an access token from Oauth provider.
6.Use the access token to retrieve the user’s profile.
7.Either fetch an existing identity for this user or create a new one.
8.Load application’s server identity.
9.Have the user’s identity delegate authority to the server identity, creating a signed delegation with an expiration time.
10.Create a delegation chain containing the signed delegation.
11.Redirect back to the client with the serialized delegation chain in the URL.

Client-Side Authentication Completion

12.Parse the delegation chain from the URL.
13.Get the previously stored session key.
14.Combine the session key and delegation chain to create a DelegationIdentity.
15.Save the delegation chain for persistence across page reloads.

Using the Authenticated Identity

16.Initialize an HttpAgent with the delegated identity.
17.Create an actor for your canister using the authenticated agent.
18.Call methods on the actor to interact with your canister.

Does that cover cover everything? Another thing I was considering is if all of this could be done in a single frontend canister. My suspicion is that even if it was split (server vs client logic in separate canister) without vet keys encrypting the server’s identity it would not be secure as a malicious node provider on that subnet could potentially see the canister’s heap/state. I think it might be easier to have it in a single canister but it is significantly less secure to do so.