NFID authorization security ensuring

Nikita_TTC · May 8, 2024, 1:01pm

Hi all! I’m integrating NFID into my project and trying to figure out how I can ensure authorization security.

For the frontend, I use @nfid/embed library.
Project backend is on PHP.

Currently, I only transfer to my backend the public key and store it there, and then issue an internal session token, but now the public key can be sending from anywehere, including Postman, and anyone can do this as I don’t check if the public key id valid or not.

I’m trying to figure out how I can validate that authorization on the frontend actually happened successfully on the NFID side, and the public key is valid?

There is an idea to encrypt the public key using the signature from the response and OpenSSL, but this is a fallback option, and if possible I’d like to use a native security method.

Thanks for your answers!

jennifertran · May 10, 2024, 12:25am

I think @dostro and his team can help with this one!

olekid · May 13, 2024, 12:57pm

@nfid/embed is frontend library, so it seems you are looking for smth like https://internetcomputer.org/docs/current/developer-docs/web-apps/independently-verifying-ic-signatures, unfortunately there is no php cdk, but u can theoretically use @dfinity/standalone-sig-verifier-web npm package and run js in php

Topic		Replies	Views
NFID: Can't verify a delegation JavaScript	1	135	May 20, 2024
Integration of @nfid/embed and @nfid/identity-kit for Secure Data Signing JavaScript	7	279	June 5, 2024
Internet Computer Authetication internet-identity	1	78	August 1, 2024
Let's Learn from the Odin.fun Hack - Preventing Attack Vectors Developers Discussing	58	1103	May 12, 2025
In which package is NFID frame located? JavaScript	1	247	November 10, 2023

NFID authorization security ensuring

Related topics