Introducing DAuth - A decentralized authentication for DApps

in #ethereum · 7 years ago (edited)
eip: ERC 1115
title: DAuth - Decentralized authentication mechanism for DApps
author: madhavanmalolan
discussion-to: [email protected]
status: Draft
type: Standards Track
category: ERC
created: 2018-05-23

Simple Summary

This is an authentication mechanism like "Login with Facebook" and "Sign in with Google" that is completely decentralized and helps DApps authenticate users.

Abstract

DAuth is a specification for an alternative to OAuth that allows DApps to accept user logins in a completely decentralized way - helping the DApp ascertain the Ethereum address owned by the user. This login uses a familiar username-password pair, which allows logins to happen from any device or environment without the need for external libraries and extensions like Web3.

Motivation

Many DApps that perform some form of personalization need to identify the user. Consider, for example, the case of a popular DApp - CryptoKitties. CryptoKitties is a web based DApp and allows users to view, buy, sell and breed CryptoKitties. The only way to log into the application is using MetaMask, which is a Web3 injector. It is not possible to view "My kitties" using a device that doesn't have MetaMask installed, even if I do not intend to make any transactions.

DAuth will enable DApps to allow users to establish their identity by proving the ownership of their Ethereum address.

Design

We first describe the Authentication Game which takes place to authenticate a user.

0. Registration

A user registers by setting up an HTTP server (called the DAuth server). The user generates a password and a public-private key pair and stores the private key and the hash of the password on the server. The user then registers a username on the smart contract by providing the desired username, the public key and the address of the DAuth server.

All usernames on the contract are unique.

1. DApp Login

To log into a DApp, the user provides the following to the endpoint that performs the authentication on the DApp.

  • Code : This is a random string that identifies the current authentication session. The authentication will go through only once for a given code.
  • HashCode : sha3(sha3(password), code)
  • Username : The username that was registered and confirmed on the smart contract.

In order to verify this request, the DApp will fetch the public key and DAuth server address from the smart contract.

The DApp shall then generate a Secret string - which may be a random string. It will then pass the following parameters to the DAuth server's verification endpoint.

  • Code : As provided by the user
  • HashCode : As provided by the user
  • Username : As provided by the user
  • Cipher : The Secret string encrypted using the user's public key

2. DAuth server verification

The DAuth server on receiving the request from the DApp, fetches the hash of the password and the private key from its database corresponding to the username in the request.

It then validates that HashCode = sha3(hash of password, code).

If the HashCode is valid, and the code has not been used before, it tries to decrypt the Cipher using the private key and sends the decrypted value back to the DApp.

3. Verification

The DApp may authenticate the user if the response from the DAuth server is the same as the Secret it used to generate the Cipher.

Specification

Smart Contract

set

 function set(string username, string dauth_url, string public_key) public returns (bool)

 event NewUser(address from, string username, bool success);

Must insert a mapping between the msg.sender and the username, DAuth Server address, and public key.

Must emit NewUser(address, username, true) if successfully created, NewUser(address, username, false) if it fails.

getUsername

 function getUsername(address user_address) public view returns (string)

Returns the username associated with a given address. Returns a blank string if no username exists for that address.

getAddress

 function getAddress(string username) public view returns (address)

Returns the address associated with the username. Returns a blank string if the username is not registered.

getDauthUrl

 function getDauthUrl(string username) public view returns (string)

Returns the DAuth Server address associated with the username. Returns a blank string if the username is not registered.

getDauthPublicKey

 function getDauthPublicKey(string username) public view returns (string)

Returns the public key associated with the username. Returns a blank string if the username is not registered.

DAuth Server

The DAuth server must expose two endpoints:

Verification Endpoint

This endpoint accepts a POST request at the DAuth Server address. It takes the following parameters:

{
    username : string,
    cipher : string,
    code : string,
    hashcode : string
}

If verification is successful, returns

200
{ data : <decrypted value> }

else,

403
{ data : <reason for failure> }

Login Page

This is a GET request to the DAuth Server address. It takes the verifier URL as a query parameter.
The webpage must accept the username and password, generate the code and hashcode, and transmit the username, code and hashcode to the verifier (DApp).

DApp

The DApp must provide an endpoint, called the verifier URL, that accepts a GET request and can be accessed from a web browser. This endpoint receives the following query parameters: code, hashcode, username. It may respond accordingly based on the success of the login.

Implementation

Smart Contract

The smart contract is hosted on the Rinkeby testnet - Link

DAuth Server

A user may run a self hosted DAuth Server by cloning this repository.
For the sake of simplicity and a demo, a DAuth Server has been setup at dauth.co on which users may choose to host their credentials if they are not able to host a server on their own.

Verifier

DApps may use the promise-based Node.js implementation, which abstracts away all implementation details.

Source

All the code for the smart contract and the DAuth Server is open-sourced at this repository.

Demo

A demo is available at dauth.co

More details

A white paper is made available that digs deeper into technical details : dauth.pdf

Participate

Please do join in the discussions on GitHub for ERC 1115

Hey, great content.
I'm also a blogger on the latest upcoming ICOs.
If you find it interesting, please do follow me and I will follow you back!!