I want to use Internet Identity for user authentication and would like to map a user with its II Principal in the backend canister.
For session authorisation I’d like to return a hash of an II delegation that the frontend would pass in after successful login.
But, how can I validate the delegation that client will pass in? I’d love to call ii_canister.validate(delegation) - which is not available to my best knowledge. Is there any validation method?
I’m thinking of a scenario when a malicious client makes up auth_client with his prefabricated delegation that includes a Principal of other user and passes it to my backend (without delegation validation) thus gaining access to other user account.
I’ve seen on few demos that the Principal passed in a (msg.caller) in shared methods is used as a authentication method - and I don’t think it’s secure.
Guys, how do you authenticate/authorise user with II in a secure and trusty manner?
1 Like
That cannot happen. A client (whether using agent-js agent-rs or anything that speaks to IC API) has to sign on the message before sending it to a canister on IC. Then the IC system will verify that signature, and derive the caller’s principal ID from the signature. So a client cannot fake as someone else’s principal unless a client has the same secret key.
In other words, the validation of II delegation is already done at a system level, your canister doesn’t need to be concerned with checking this, because different II delegation will give different principal IDs. A client can’t fake as someone else.
5 Likes
Cool, thanks! Now I understand where the trust to the delegation comes from.
Can you please forward me to the docs or source where I can learn about this if available?
I want to check the delegation independently of the ICP. What should I use as a verification “message”?
@mrZedov: Please take a look at this draft PR. It showcases verification of an II delegation in an off-chain context.
1 Like