Suggestion: Add cookie-attribution based authentication to Steem KeyChain.
Repository
Proposal Description
There are two types of DApps on the STEEM blockchain. Those that want to run like an agent with part of your authority for performing operations on the blockchain, and those that merely want you to prove your identity to them. I've written a proposal before for addressing security and interaction design concerns with the first type of DApp, but with this sugestion for Steem KeyChain, I want to look at facilitating a least authority solution for the second type. The proposed feature is based upon the underused technique of doing micro-transaction-based steem user authentication, but without the actual micro transactions.
Cookie-attribution based authentication
In this post on using micro transaction based user authentication, we see, within the context of writing a Python Twisted based DApp with the asyncsteem Python(2) library, how cookie-attribution based authentication can work with a micro transaction and the memo field in the transfer operation. In short, the web server generates a large random number that it uses as an unguessable session id. Ti than creates a signature using a server side secret and the BLAKE2 keyed hashing algorithm. The session id and the signature are then concatenated together and are used for the creation of a cookie. The user is then requested to authenticate herself by using the session id in a micro transaction. In the blog post, the DApp owner is used as target, but this could as well be the @null account. The idea is that by being the first to use the unguessable session id in a memo field, the user allows the DApp that is monitoring the chain for new transactions to attribute the cookie that her browser is using to her account, during the lifetime of the cookie.
A generic steem-dapp-session div
Given that Steem KeyChain is a browser extension that may or may not be there, I want to propose a generic div definition meant to allow a site using micro-transaction based user authentication to identify the fields relevant to cookie attribution as described above. The idea is that the steem-dapp-session div be made invisible by Steem KeyChain if the plugin is present and that the plugin can than offer the user to authenticate with the supplied. If the plugin isn't there, the steem-dapp-session div could contain the text asking the user to do the micro transaction from an other tab. The div , when the plugin isn't active, might also contain a button for displaying the QR code described later in order to allow the alternative of a mobile phone memo-key based off-chain authentication. More on that below.
On-chain authentication: custom json instead of the memo field
While a micro transaction may be best for people authenticating through a standard wallet, there are a few issues with the concept when doing the same with Steem Keychain. For one, it is probably a bad idea to trust Steem KeyChain with more than your posting key. From a monitoring perspective, monitoring for transfer operations or custom json . operations really 'isnt all that different, the use of a custom json operation instead of a micro transaction would seem the more appropriate choice for a Steem KeyChain implementation.
Off-chain authentication: memo-key signed custom json posted to DApp
While on-chain operations would be easiest from the perspective of DApps that already use micro transactions to integrate, and while replacing micro transactions with custom json operations removes the financial incentives for looking for an off-chain form of authentication, there are a few independent advantages of doing off-chain authentication if the DApp supports it. That is, a DApp won't have to validate any crypto other than the BLAKE2 signature of the cookies it signed if it is monitoring the chain through a trusted full-API node, but if the DApp is capable of validating operations, there is a speed and privacy advantage to just posting the signed operation to the DApp server instead of putting it on the blockchain. The idea is simple. Steem Keychain creates the signed transaction with a custom json as it would do with on-chain authentication. Now instead of publishing it to the blockchain through a full-API node, Steem Keychain posts it to a resource on the DApp server instead. It might be desireable to crete the transaction against the genesis block instead of a recent block in order to prevent the DApp from posting it to the chain anyway, but this is an implementation detail irrelevant to server side validation.
Off-chain authentication beyond KeyChain: steem-dapp-session div QR
While not all that relevant for the implementation in Steem KeyChain, as Steem Keychain most likely won't be handling the users memo key, I feel discussing the posibility of memo-key signed off-chain authentication is important to show the potential of off-chain authentication with cookie attribution. Imagine the user has a mobile phone with a cookie attribution App that caries her memo key. The reason for using the memo key is that the memo key won't be shared with any websites or DApps, normally, caries no authority other than being bound to your identity and as such is the perfect least authority identity proving key. Now imagine a piece of HTML/JS code that allows the user to push a little button in the steem-dapp-session div, that brings up a QR code containing just enough info for the cookie-attribution App to do the post to the DApp, attributing the session id to the owner of the memo key.
Mockups / Examples
<div id="steem-dapp-session"
data-sessionid="f75...bb5"
data-realm="mylittledapp"
data-ofchainposturl=
"https://mylitledapp.com/attribute-cookie">
...
</div>
The above shows a little example of how a div section could look. The plugin should make this div invisible and offer an option to the user to start authentication.
Benefits
The benefits of this proposal to the user is that she can minimize her risks while merely authenticating to a service that requires zero user authority. She also does not need to spent STEEM or SBD on micro transactions and can authenticate even if she has zero liquid coins set aside. This feature should make Steem Keychain an even better alternative for SteemConnect than it already is, by expanding its usability from just authority driven operations to including authentication, without the use of exces authority.
Hi @mattockfs, thank you for your contribution.
You made a good post. The overall presentation is great.
Since I am not an expert on that topic, I will not give you advice on the technical aspects. But the post itself is great as always.
Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.
To view those questions and the relevant answers related to your post, click here.
Need help? Chat with us on Discord.
[utopian-moderator]
Thank you for your review, @favcau! Keep up the good work!
Hey, @mattockfs!
Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!
Get higher incentives and support Utopian.io!
Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via SteemPlus or Steeditor).
Want to chat? Join us on Discord https://discord.gg/h52nFrV.
Vote for Utopian Witness!
Hi @mattockfs!
Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your post is eligible for our upvote, thanks to our collaboration with @utopian-io!
Feel free to join our @steem-ua Discord server