Steemconnect login with posting key instead of active key

Repository

https://github.com/steemscript/steemconnect

What Will I Learn?

  • Steemconnect login with posting key (instead of active key!) for apps that have already been authorized to use the posting right.

But you will also learn the following:

  • List of posting right authorizations
  • List of posting right authorizations via Steemconnect
  • Posting right revoke using Steemconnect
  • Posting right authorization using Steemconnect
  • (Advanced) Behind the scene

Requirements

  • Steem posting key
  • Steem active key
  • App you want to try (e.g., Busy, steempeak, eSteem, Steemhunt, etc)

Difficulty

  • Basic (to follow)
  • Intermediate (conceptually)
  • Advanced (behind the scene)

Tutorial Contents

Background

Steemconnect (SC) is the most popular way of authorization and login for Steem dApps, e.g., busy, steempeak, esteem, partiko, steemhunt, tasteem, ntopaz, etc.

Steemit.com is the official front-end, where most people enter their keys with confidence. But suppose someone offers a new Steem-based app that requires your key: you'll be hesitant to enter even your posting key.

That's why SC is so popular. While there are still some trust/security issues with the SC system itself, we basically trust this open-source authorization method, which is supported by Steemit Inc.

To use it in apps that require posting and voting, we first need to authorize our posting right to each app, and this is the point where SC server security is important. But the purpose of posting right authorization is to avoid saving the posting key, which is more insecure. So posting right authorization itself is fine to me.

But the problem is that the current SC requires the active key to log in to apps that have already been authorized once the SC session has expired. This is a known issue and may be resolved in SC3 (SteemConnect 3: A better way to sign, the latest post about SC3, 3 months ago).

But we don't know when SC3 will be released.

How do you enter your key? Most likely by copy & paste from some other source. This step is very vulnerable and users tend to make mistakes, e.g., posting their keys due to a copy & paste error! That's why there are bots that try to steal exposed keys, and others that protect users by notifying them that their key is exposed. With active keys, financial transactions (transfer, power down) are available, so this is a really important security issue.

So I prepared alternative solutions to avoid entering the active key until then.

Step 1. Posting right initial authorization

Again, you need to do the initial posting right authorization for a dapp. Most likely you have already done this for some dapps, e.g., Busy, steempeak, etc. (I'll explain where you can see the list of authorized apps in the List of posting right authorizations section.)

Even if you haven't, or don't remember, don't worry. Let's just try with busy.org, which is open-source and probably the most mature and widely-used app. If you're sure that you already authorized busy, you can skip this step and go to Step 2.

  • Visit https://busy.org and click Log in
  • Then, you'll see the following dialog. As it says, it requires you to authorize your posting right (role).

  • Click continue

  • You need to enter your active key to authorize your posting right to the app.

Again, this is fine and necessary for initial authorization!

However, after that, say you use a different browser, or Chrome's incognito mode or similar. Then you see the same dialog and are asked to enter your active key again, which shouldn't be necessary.

So I introduce two methods to avoid entering the active key: 1. using a different app, and 2. using the same app. Method 2 is more natural (at least to me), but it may be slightly more advanced.

Step 2. (Method 1) Login with posting key after the initial authorization: using a different app that only requires posting key

I recommend this way if you're not comfortable with changing the url manually.

  • First, make sure that you already authorized your posting right to an app, e.g., busy.app in Step 1.

  • Use a different browser or incognito/private mode to make sure you're not using the previous session. (If you're curious, try to log in to Busy, and you'll see that you need to enter your active key again. But don't log in, so that you don't save your session again.)

  • Log in to some app that only requires your posting key from the beginning; @steem-ua is a good example. https://steem-ua.com/ has a function to show your UA score that requires login with your posting key.

    The https://steem-ua.com login dialog suggests that they'll only check your identity.

    This is true: they only require your posting key.

  • Now go to Busy.org; you'll then use your saved Steemconnect session, for which you only entered your posting key.

  • Click the saved session, then you can use Busy without any problem!

Step 2. (Method 2) Login with posting key after the initial authorization

I recommend this way if you're comfortable with changing the url manually.

  • First, make sure that you already authorized your posting right to an app, e.g., busy.app in Step 1.
  • Use a different browser or incognito/private mode to make sure you're not using the previous session. (If you're curious, try to log in to Busy, and you'll see that you need to enter your active key again. But don't log in, so that you don't save your session again.)
  • Visit https://busy.org and click Log in. Then you'll see the same dialog as before, which will require you to enter your active key again.

  • Change scope= to scope=login, which makes SC request the posting key instead of the active key. (Depending on the app, there may be something after scope=, e.g., scope=comment,delete_comment,comment_options, where the app specifies only the necessary functions. In that case, delete it and change it to scope=login anyway. See the Behind the scene section for more details.)

Change scope= to scope=login.

  • Then, you'll see the following login dialog that only requires the posting key.

    Using scope=login enables you to use your posting key for login.

  • Log out!
    What?? But this is necessary. Since SC only provides the functions you requested, which is login in this case, you cannot actually make a post or vote.

  • Now click Log in again; you'll then use your saved Steemconnect session, for which you only entered your posting key.

  • Click the saved session, then you can use Busy without any problem!

List of posting right authorizations

If you have followed this tutorial, you may wonder how many apps you have authorized to use your posting key.

https://steemd.com shows apps that have already been authorized to use posting right in Posting section.

  • The literals starting with STM are your public keys; don't worry about them :)

(Advanced: Unless you're an advanced user, you don't need to worry about the threshold. Simply put, it means the minimum % that is required to use the right. In the above example, it's 12.5% and each app has a weight of 12.5%, so every app can use the posting right. The weights can be different for a multisignature setup.)

Note: It is a very rare situation that you have authorized your active or owner right to others. If you're a normal user and see this, you should suspect that your account has been compromised.
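
The same check can be scripted. The following is an added example, not part of the original tutorial: it assumes an account object shaped like the one a Steem node's get_accounts call returns (owner, active and posting authorities, each with weight_threshold and account_auths), and the sample account, names and keys in it are constructed.

```javascript
// Constructed sample shaped like one account object returned by a Steem
// node's get_accounts call. All names, keys and weights are made up.
const sampleAccount = {
  name: "alice",
  owner: { weight_threshold: 1, account_auths: [],
           key_auths: [["STM_OWNER_PUBKEY_PLACEHOLDER", 1]] },
  active: { weight_threshold: 1, account_auths: [["unknown.app", 1]],
            key_auths: [["STM_ACTIVE_PUBKEY_PLACEHOLDER", 1]] },
  posting: { weight_threshold: 2,
             account_auths: [["busy.app", 2], ["example.app", 2], ["half.weight", 1]],
             key_auths: [["STM_POSTING_PUBKEY_PLACEHOLDER", 2]] },
};

// List the accounts delegated a role and whether each one alone meets the
// role's threshold (weight >= weight_threshold).
function delegates(authority) {
  const threshold = authority.weight_threshold;
  return (authority.account_auths || []).map(([account, weight]) => ({
    account, weight, threshold, canActAlone: weight >= threshold,
  }));
}

// Posting delegations are expected for dapps; any account holding active or
// owner authority is reported as a warning, following the note above.
function auditAccount(account) {
  const report = { name: account.name, posting: delegates(account.posting), warnings: [] };
  for (const role of ["active", "owner"]) {
    for (const d of delegates(account[role])) {
      report.warnings.push(
        `${d.account} holds ${role} authority (weight ${d.weight}, threshold ${d.threshold})`);
    }
  }
  return report;
}

console.log(JSON.stringify(auditAccount(sampleAccount), null, 2));
```

In the constructed sample, half.weight is listed under posting but cannot act alone because its weight is below the threshold, which is the multisignature case mentioned above.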

List of posting right authorizations / Posting right revoke via Steemconnect

If you want to know which apps you authorized via Steemconnect, here is the way.

https://app.steemconnect.com/apps/authorized shows the authorized apps via SC

  • As you can see, if you click Revoke, you can revoke the authorization for the app. You need your active key for this step. Of course, you can authorize again if you need to, as in Step 1.
  • If you click Revoke All OAuth Tokens, you will revoke all authorizations, which you may not want to do :)

https://app.steemconnect.com/dashboard

Posting right authorization using Steemconnect

This step is not needed for most users. If you don't know what you're doing, don't follow this step.

As you can imagine, SC provides an easy way for posting right authorization.

The url you need is https://app.steemconnect.com/authorize/@[APPNAME] where [APPNAME] is the name of the app account to which you authorize. See the example for @busy.app which busy.org uses.

https://app.steemconnect.com/authorize/@busy.app authorizes your posting right to busy.app

  • Click continue, then you need to enter your active key, as you did in Step 1.

(Advanced) Behind the scene

Please read this only if you're a somewhat advanced and curious user :)

You may have become so used to using your active key for login with SC that you wonder how using the posting key is actually possible. If so, you have misunderstood the concept of posting right authorization. Posting right authorization actually means that the authorized account can do whatever it wants with the posting key on your behalf.

That's how steemauto can vote while you're not even logged in, and steempeak can do scheduled posts.

Then why do apps require active keys again and again?

It's simply because SC doesn't provide a way to distinguish logins for authorized and unauthorized apps. (Of course, it can't before login, but SC could provide a separate keyword, for instance scope=inherit or such, so that apps can use the posting key to check whether the posting right has already been authorized and, if so, inherit the posting right without asking for the active key.)

Why doesn't simply using scope=login work (i.e., why are logout and login again needed) for the same app?

Basically, SC only provides the functions you requested, which itself makes sense to me. So even if you already authorized your posting right to busy.app, if you use scope=login, SC doesn't allow you to comment or vote. If you don't believe this, then try it yourself. Then you'll see the following error messages.

Without relogin with the stored session, scope=login doesn't allow you to vote or comment.

I'm not saying this itself is wrong. But there should be a way for users to log in with only the posting key after the initial authorization. If you're worried about using your active key again and again, then use my Method 1 or 2 (whichever you want) in Step 2 until SC3 is released with the feature of login with posting key.

Proof of Work Done

This tutorial doesn't require coding (except for url modification), but https://github.com/economicstudio/ is my github account with which I made other Utopian contributions.
