Internet Identity used in web2 application

I am trying to integrate Internet Identity into a web2 application as a further possible login method. If I go through the public examples, the principal ID is always given back to identify the caller.

In my use case I want to let the user log in with his/her II, and after they are logged in I will redirect the user to their own data stored on the server. So I have to sync the user with some data on the server.

What is the best way to achieve this?

Can I store the principal ID for that user to merge his server-side data, or is there another ID which I can use? Some time ago I read about an ID which should be unique for that user and that particular application.

Thanks for any hints.

1 Like

I’d say your approach is absolutely correct. Internet Identity will provide the user with a unique principal for your domain.

The principal ID is the correct ID to use. :+1:

1 Like

Thank you, that was the info I was looking for.

Finally I was able to build an Angular application with II authentication. The combination of II and Angular Route Guard also works well together.

1 Like

Is your app open source or did you share your solution in a post?

A friend of mine who develops Ghostfolio - an open source web2-based portfolio management app - would be interested in giving a shot to integrating II in his app developed with Angular.

Hi,
my investigations are not yet finished, but there is a GitHub repo I'm working on.

Feel free to check it out, feedback is always appreciated.

Cheers Roland

2 Likes

Nice! It’s probably exactly what my friend is looking for, I’ll forward the repo. Really cool, thanks :+1:

That was super useful @rbole, my friend has now implemented II in his web2 open source wealth management software Ghostfolio (repo). Thanks for the tips :+1:

4 Likes

Just adding a note about security to this solution: as far as I understand, this works fine, but for proper security it would need a module that checks in the backend that the delegation has not been phished.

The solution relies on the fact that the delegation provided by the client side to the backend to init the session is correct and is owned by the user who provides it, but nothing prevents third-party malware from potentially hijacking the delegation on the client side. Such a security check exists out of the box with agent-js/canisters but not with a custom web2 backend, at least until someone develops a library for such a purpose.

So, again, this is only my understanding, and maybe I am missing something, but since my above posts I've been made aware that such a potential threat exists.

1 Like

Hi Peter! Thank you for your concern. I'm wondering if, one year after the original post, you know of any library that addresses this security issue?

I'm going to ping @domwoe in case he knows something I would not be aware of, but I would say there is still no library that addresses this.

1 Like

I've actually been writing a challenge-based delegation check while implementing a WalletAgent.

Basically, sign a challenge blob received from your web2 server with either the identity or a delegation identity.

(The identity returned by AuthClient is a delegation identity; in TypeScript you'll need to cast it to DelegationIdentity to be able to get the chain.)

And then on your server you can validate the challenge with the following implementation:

This implementation supports both regular identities without a delegation chain and identities with a delegation chain. For the latter, it requires the delegation chain to be unscoped (no targets) up to and including the key within the chain that signed the challenge (in the normal II flow this means the whole chain).

Just to clarify, the above implementation is to verify on your web2 server whether a user really has access to an (Internet) Identity or is just sending falsified data to act as if he has access to it while he doesn't.

It does not prevent any XSS attack from hijacking the delegation from the client side; there's nothing we can do about that in any web2 or web3 app. At least the delegation chain has an expiry, so the identity theft isn't permanent. And the Internet Identity is specific to your domain, so it won't affect other websites.

1 Like