Invalidate II delegation

Is there a way to invalidate an II delegation?

It is like the “sign out on all devices” feature that exists on web2.0 services.

Let’s say a particular IC web app uses a 30-day invalidation timeout (maxTimeToLive parameter in AuthClient.login).
Once I “login” on any device and forget to do a proper “logout” (remove the delegation from localStorage) - anyone can use that delegation for the whole month!
It is my (as a user) fault, but IC could have a feature to invalidate either all delegations or a particular delegation.

Community developers - what do you think?

Dear @diegop @kpeacock please tag someone who can help.

2 Likes

I pinged the II team

Hi @alexeychirkov

II dev here. You raise a good point. Thanks!
There is no way to do it right now. And I agree that 30 days is very long for a non-revocable credential.

So far, the SDK team has addressed this by implementing idle timeouts. However, this is also a client-side solution and can be controlled by the developer.

To give users more power, we would have to switch the way delegations are issued to make them revocable. We do have plans for that, but unfortunately have not yet had the time to address it. But it is part of the current set of requirements in the working group discussion about interoperability with regards to identity (R5).

TLDR: We are aware of the issue and are working on a solution. But resources are tight, so it might still take a while.

4 Likes

@frederikrothenberger Thank you for a quick response.

Do resources depend on ICP price in any way? Or is there just a budget and/or limited dev power for any reason?

@alexeychirkov Frederik has already answered correctly about invalidating the delegation canister-side.

I’d like to note that client-side, in addition to the idleManager logic, there is also an option available to developers to invalidate an identity in an already instantiated Agent.

If you have a reference to an Agent, you can use the invalidateIdentity method, which will set it to null and make all calls fail until you replaceIdentity with a new one.

If the Agent is inside an already initialized Actor, you can do the same for that Actor’s Agent with

Actor.agentOf(exampleActor).invalidateIdentity();
1 Like
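
Since delegations cannot be revoked today, an app can at least measure how long a stored delegation would stay usable and discard it when that window exceeds its own policy. The sketch below is an added example, not code from this thread or from agent-js; it assumes the stored chain is JSON in which each delegation's `expiration` is a hex string of nanoseconds since the Unix epoch, and the function names and the 8-hour policy limit are hypothetical.

```javascript
// Added example, not agent-js code. Assumed input: a delegation chain as JSON
// where each delegation's `expiration` is a hex string of nanoseconds since
// the Unix epoch. All names below are hypothetical.
const NS_PER_MS = 1000000n;
const DAY_MS = 24 * 60 * 60 * 1000;

// Earliest expiry in the chain, in milliseconds since the epoch. The chain
// stops being usable as soon as its shortest-lived delegation expires.
function chainExpiryMs(chain) {
  if (!chain || !Array.isArray(chain.delegations) || chain.delegations.length === 0) {
    throw new TypeError("not a delegation chain");
  }
  let earliest = null;
  for (const { delegation } of chain.delegations) {
    if (!delegation || !/^[0-9a-f]+$/i.test(delegation.expiration)) {
      throw new TypeError("malformed expiration");
    }
    const ms = BigInt("0x" + delegation.expiration) / NS_PER_MS;
    if (earliest === null || ms < earliest) earliest = ms;
  }
  return Number(earliest);
}

// Classifies a stored chain against an app policy (maxRemainingMs):
// "invalid" = unparseable, "expired" = already unusable, "too-long" = exposure
// window exceeds policy (discard it and force a fresh login), "ok" = keep it.
function auditStoredDelegation(chainJson, nowMs, maxRemainingMs) {
  let expiry;
  try {
    expiry = chainExpiryMs(JSON.parse(chainJson));
  } catch {
    return { verdict: "invalid", remainingMs: 0 };
  }
  const remainingMs = expiry - nowMs;
  if (remainingMs <= 0) return { verdict: "expired", remainingMs: 0 };
  if (remainingMs > maxRemainingMs) return { verdict: "too-long", remainingMs };
  return { verdict: "ok", remainingMs };
}

// Constructed sample: a chain issued at NOW_MS with a 30-day lifetime.
const NOW_MS = Date.UTC(2024, 0, 1);
const toHexNs = (ms) => (BigInt(ms) * NS_PER_MS).toString(16);
const SAMPLE_30_DAYS = JSON.stringify({
  publicKey: "00", // placeholder, not a real key
  delegations: [{ delegation: { pubkey: "00", expiration: toHexNs(NOW_MS + 30 * DAY_MS) }, signature: "00" }],
});

console.log(auditStoredDelegation(SAMPLE_30_DAYS, NOW_MS, 8 * 60 * 60 * 1000));
```

On a "too-long", "expired" or "invalid" verdict the app would remove the stored chain and call invalidateIdentity on its Agent, as described in the post above.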