Validation of II delegation

I want to use Internet Identity for user authentication and would like to map a user to their II Principal in the backend canister.
For session authorisation I’d like to return a hash of an II delegation that the frontend would pass in after successful login.

But how can I validate the delegation that the client will pass in? I’d love to call ii_canister.validate(delegation), which is not available to the best of my knowledge. Is there any validation method?

I’m thinking of a scenario where a malicious client makes up an auth_client with his prefabricated delegation that includes the Principal of another user and passes it to my backend (without delegation validation), thus gaining access to the other user’s account.
I’ve seen in a few demos that the Principal passed in (msg.caller) in shared methods is used as an authentication method, and I don’t think it’s secure.

Guys, how do you authenticate/authorise users with II in a secure and trustworthy manner?

That cannot happen. A client (whether using agent-js, agent-rs, or anything that speaks to the IC API) has to sign the message before sending it to a canister on the IC. The IC system will then verify that signature and derive the caller’s principal ID from the signature. So a client cannot fake someone else’s principal unless it has the same secret key.

In other words, the validation of the II delegation is already done at the system level; your canister doesn’t need to be concerned with checking this, because different II delegations will give different principal IDs. A client can’t pose as someone else.

4 Likes
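An added example, not part of the thread and not code from agent-js, agent-rs or the IC itself: how a self-authenticating principal is derived from the sender's public key and rendered as text, following the Interface Specification's rules (SHA-224 of the DER-encoded key plus the byte 0x02; text form is base32 of CRC32 plus the blob). The function names are hypothetical, the key bytes are constructed placeholders rather than real DER keys, and the signature and delegation-chain verification the IC performs is not reproduced here.

```python
import base64
import hashlib
import zlib


def self_authenticating_principal(der_public_key: bytes) -> bytes:
    """Principal blob: SHA-224(DER public key) followed by the type byte 0x02."""
    return hashlib.sha224(der_public_key).digest() + b"\x02"


def principal_text(blob: bytes) -> str:
    """Text form: base32(CRC32(blob) || blob), lowercase, unpadded, dash every 5 chars."""
    checksum = zlib.crc32(blob).to_bytes(4, "big")
    b32 = base64.b32encode(checksum + blob).decode("ascii").rstrip("=").lower()
    return "-".join(b32[i:i + 5] for i in range(0, len(b32), 5))


def sender_matches_key(sender: bytes, sender_pubkey: bytes) -> bool:
    """The claimed sender must be the principal derived from the key that signs."""
    return sender == self_authenticating_principal(sender_pubkey)


# Constructed placeholder bytes standing in for DER-encoded public keys.
VICTIM_KEY = b"constructed-placeholder-der-key-of-victim"
ATTACKER_KEY = b"constructed-placeholder-der-key-of-attacker"


def demo() -> dict:
    victim = self_authenticating_principal(VICTIM_KEY)
    return {
        # Honest request: sender is derived from the key that signed it.
        "honest": sender_matches_key(victim, VICTIM_KEY),
        # Forgery attempt: victim's principal claimed, but only the
        # attacker's own key is available to sign with.
        "forged": sender_matches_key(victim, ATTACKER_KEY),
    }


if __name__ == "__main__":
    print(principal_text(self_authenticating_principal(VICTIM_KEY)))
    print(demo())
```

With a delegation, the principal is still derived from the key at the root of the chain, so a delegation not signed by that key cannot produce that principal.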

Cool, thanks! Now I understand where the trust in the delegation comes from.

Can you please point me to the docs or source where I can learn about this, if available?

The Internet Computer specification is a good place to start: The Internet Computer Interface Specification :: Internet Computer

2 Likes