How to generate delegated identity on server and send to browser

In the current implementation, I’m already creating the link between sub and the user principal derived from the canister signature, because I didn’t want to deal with the expiration of the subsession_key association. For this reason, I need to pass the id_token again to the get_delegation. Does it make sense security-wise or should I go with the session_key solution?

So you are trading computation for state. That is a sound tradeoff to make, yes. :+1:

1 Like

I’ve updated the README to include more details and a sequence diagram of the authentication flow. Any feedback is really appreciated :wink:

I’ve updated the example to fetch the JSON Web Key Set from the authentication provider using HTTPS outcalls. Here’s the commit:

Thanks @ilbert! That’s great. :slight_smile:

I’m now just wondering, whether @kristofer and you would like to join forces. Both of you have written code to generate delegations / session handling.
There might be room for a ic-sessions-util library that does the delegation handling. We might also want to improve on that further to then also handle dynamic session lifetimes (i.e. refresh session), and start using that in Internet Identity.

What do you think about that?


From the in-person discussion that we had yesterday: if the three of us (and any other potential contributor) manage to find bandwidth to work on this, it would be really nice to collaborate.


@frederikrothenberger do you have any suggestions, references and/or guidelines on how I should implement tests for my demo?

I would start using PocketIC. The only thing that is missing is the ability to stub HTTP outcalls (so you would need to make the canister use some pre-configured keys to validate the JWTs).

@michael-weigelt: Are there any plans to support HTTP outcalls in PocketIC anytime soon?

1 Like

Yes. The timeline is not set in stone, but I expect it is possible in Q2.


I’ve added some integration tests together with a GitHub Action!
Integration tests are available at: ic-react-native-jwt-auth/src/ic_backend/tests at main · ilbertt/ic-react-native-jwt-auth · GitHub

@frederikrothenberger should I also test the validity of the canister signature? If yes, is there some code I can look into that does this using PocketIc?

Looking forward to any feedback!

1 Like

Yes! I would just use the verify_canister_signature function offered by PocketIC: PocketIc in pocket_ic - Rust :wink:

1 Like

Done in test: verify canister signature by ilbertt · Pull Request #3 · ilbertt/ic-react-native-jwt-auth · GitHub

1 Like