How to generate delegated identity on server and send to browser

In the current implementation, I’m already creating the link between sub and the user principal derived from the canister signature, because I didn’t want to deal with the expiration of the subsession_key association. For this reason, I need to pass the id_token again to the get_delegation. Does it make sense security-wise or should I go with the session_key solution?

So you are trading computation for state. That is a sound tradeoff to make, yes. :+1:

1 Like
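The tradeoff in the two posts above (re-verifying the `id_token` on every `get_delegation` call versus storing a `session_key` association that must expire), modelled as an added Python example that is not code from the ic-react-native-jwt-auth project. It assumes an HMAC-signed token as a stand-in for the provider's JWKS-verified JWT and a hypothetical `principal_for_sub` derivation; the stateless path inherits expiry from the token's `exp`, while the stateful path has to track and prune its own expiry.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the identity provider's key; the real flow verifies
# RS256/ES256 JWTs against the provider's JWKS fetched via HTTPS outcalls.
PROVIDER_KEY = b"constructed-provider-hmac-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(sub: str, exp: int) -> str:
    # Constructed header.payload.signature token with sub and exp claims
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = hmac.new(PROVIDER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_id_token(token: str, now: int) -> dict:
    header, payload, sig = token.split(".")
    expected = hmac.new(PROVIDER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def principal_for_sub(sub: str) -> str:
    # Hypothetical derivation; the thread derives the principal from the canister signature
    return hashlib.sha256(b"principal:" + sub.encode()).hexdigest()[:16]

# Approach A (the thread's current one): stateless, the caller passes id_token again
def get_delegation_stateless(id_token: str, session_key: bytes, now: int) -> dict:
    claims = verify_id_token(id_token, now)  # signature and exp re-checked every call
    return {"principal": principal_for_sub(claims["sub"]),
            "session_key": session_key.hex(), "expiration": claims["exp"]}

# Approach B: stateful, session_key -> (principal, expiry) stored at prepare time
SESSIONS: dict = {}

def prepare_delegation_stateful(id_token: str, session_key: bytes, now: int, ttl: int = 3600) -> None:
    claims = verify_id_token(id_token, now)
    SESSIONS[session_key] = (principal_for_sub(claims["sub"]), now + ttl)

def get_delegation_stateful(session_key: bytes, now: int) -> dict:
    entry = SESSIONS.get(session_key)
    if entry is None or entry[1] <= now:
        SESSIONS.pop(session_key, None)  # expired association must be pruned, not reused
        raise ValueError("no valid session for this key")
    return {"principal": entry[0], "session_key": session_key.hex(), "expiration": entry[1]}
```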

I’ve updated the README to include more details and a sequence diagram of the authentication flow. Any feedback is really appreciated :wink:

I’ve updated the example to fetch the JSON Web Key Set from the authentication provider using HTTPS outcalls. Here’s the commit:

Thanks @ilbert! That’s great. :slight_smile:

I’m now just wondering, whether @kristofer and you would like to join forces. Both of you have written code to generate delegations / session handling.
There might be room for an ic-sessions-util library that does the delegation handling. We might also want to improve on that further to then also handle dynamic session lifetimes (i.e. refresh session), and start using that in Internet Identity.

What do you think about that?

4 Likes

From the in-person discussion that we had yesterday: if the three of us (and any other potential contributor) manage to find bandwidth to work on this, it would be really nice to collaborate.

2 Likes

@frederikrothenberger do you have any suggestions, references and/or guidelines on how I should implement tests for my demo?

I would start using PocketIC. The only thing that is missing is the ability to stub HTTP outcalls (so you would need to make the canister use some pre-configured keys to validate the JWTs).

@michael-weigelt: Are there any plans to support HTTP outcalls in PocketIC anytime soon?

1 Like

Yes. The timeline is not set in stone, but I expect it is possible in Q2.

2 Likes

I’ve added some integration tests together with a GitHub Action!
Integration tests are available at: ic-react-native-jwt-auth/src/ic_backend/tests at main · ilbertt/ic-react-native-jwt-auth · GitHub

@frederikrothenberger should I also test the validity of the canister signature? If yes, is there some code I can look into that does this using PocketIc?

Looking forward to any feedback!

1 Like

Yes! I would just use the verify_canister_signature function offered by PocketIC: PocketIc in pocket_ic - Rust :wink:

1 Like

Done in test: verify canister signature by ilbertt · Pull Request #3 · ilbertt/ic-react-native-jwt-auth · GitHub

1 Like