Since you’re referring to onSuccess, I assume you’re referring to an Internet Identity?
An Internet Identity is different from a normal public/private key identity, since it uses delegation, which basically means the following process happens when a user authenticates:
1. Dapp generates a public/private key pair
2. Dapp asks the auth client to authenticate with II; the public key from the previous step is sent in this request to II
3. User logs in with II
4. II will create a delegation and return it to the dapp
5. When the dapp calls a canister, it will sign the request with the private key from step 1 and also send the delegation in this request
6. The IC receives the signed request and verifies that it has indeed been signed by the private key from step 1
7. Since a delegation is also received, it will check which public key has been delegated towards and check if the signature of the delegation has indeed been signed by the II canister

- AuthClient by default generates the key in step 1 and sends it in step 2 for you.
- A delegation is a message signed by private key B that states that public key A can make calls for public key B. This means that private key B never has to leave the II canister.
So all this means that you have to verify two signatures for II, just like the IC does in steps 6 and 7. A JS implementation for this can be found at signer-js/src/signature/identity.ts at master · slide-computer/signer-js · GitHub
As far as I’m aware there’s no Python implementation; you’ll likely have to implement it from scratch. Depending on the key algorithm that has been delegated towards (ECDSA P-256 by default in AuthClient), you’ll need different signature verification libraries. You’ll also need to verify the IC canister signature in the delegation (BLS signature).
Also, to clarify, the principal is a unique hash of the public key of an identity. It’s enough to differentiate between identities, but you’ll need the public key instead to actually verify signatures.
A simpler identity verification approach without the need for any signature verification in Python would be e.g. creating a canister that keeps a list of principals that have called the canister. You could then query the canister with a principal as argument to check if it’s within the list and return true/false. This basically moves the signature check onto the IC.
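
The relationship between a principal and its public key, as an added Python example that is not part of the original post or of signer-js: it derives the self-authenticating principal from a DER-encoded public key and checks that a claimed textual principal matches it. The function names are hypothetical and the key bytes are a constructed placeholder; this covers only the principal-to-key binding, not the two signature checks described above.

```python
import base64
import hashlib
import hmac
import zlib

SELF_AUTHENTICATING_TAG = b"\x02"  # suffix for principals derived from a public key


def principal_from_der(der_public_key: bytes) -> bytes:
    """Self-authenticating principal: SHA-224 of the DER public key plus 0x02."""
    return hashlib.sha224(der_public_key).digest() + SELF_AUTHENTICATING_TAG


def principal_to_text(raw: bytes) -> str:
    """Textual form: base32(CRC32 || raw), lowercase, unpadded, dash every 5 chars."""
    checksum = zlib.crc32(raw).to_bytes(4, "big")
    b32 = base64.b32encode(checksum + raw).decode("ascii").rstrip("=").lower()
    return "-".join(b32[i:i + 5] for i in range(0, len(b32), 5))


def principal_from_text(text: str) -> bytes:
    """Parse a textual principal; reject a bad checksum or non-canonical text."""
    b32 = text.replace("-", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding b32decode expects
    data = base64.b32decode(b32)          # raises a ValueError subclass on bad input
    checksum, raw = data[:4], data[4:]
    if len(data) < 4 or zlib.crc32(raw).to_bytes(4, "big") != checksum:
        raise ValueError("invalid principal checksum")
    if principal_to_text(raw) != text:
        raise ValueError("non-canonical principal text")
    return raw


def principal_matches_key(claimed_text: str, der_public_key: bytes) -> bool:
    """True only if the claimed principal is the hash of this exact public key."""
    try:
        claimed = principal_from_text(claimed_text)
    except ValueError:
        return False
    return hmac.compare_digest(claimed, principal_from_der(der_public_key))


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER-encoded public key.
    sample_key = b"constructed-placeholder-der-public-key"
    text = principal_to_text(principal_from_der(sample_key))
    print(text, principal_matches_key(text, sample_key))
```

A matching principal only shows which key the caller claims; the signatures made with that key and its delegation still have to be verified before the claim can be trusted.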