I want to use Internet Identity for user authentication and would like to map a user with its II Principal in the backend canister.
For session authorisation I’d like to return a hash of an II delegation that the frontend would pass in after successful login.
But, how can I validate the delegation that client will pass in? I’d love to call
ii_canister.validate(delegation) - which is not available to my best knowledge. Is there any validation method?
I’m thinking of a scenario when a malicious client makes up
auth_client with his prefabricated delegation that includes a Principal of other user and passes it to my backend (without delegation validation) thus gaining access to other user account.
I’ve seen on few demos that the Principal passed in a (msg.caller) in shared methods is used as a authentication method - and I don’t think it’s secure.
Guys, how do you authenticate/authorise user with II in a secure and trusty manner?