Authentication on Ethereum World

The release of Ethereum World v0.1 will include many UX improvements over the current beta.akasha.world application. These are made possible by specialized web services that handle complex tasks which were previously executed only on the client side (e.g. search indexing).

Some of these services will require user authentication. One example is a service that stores the user's preferences in a database, which is afterwards synchronized to all the devices used to access Ethereum World.

For v0.1 of Ethereum World, all visitors will be able to authenticate using only their Ethereum key, without needing to go through a registration process or remember a username/password combination.

The way it works:

  • the user's Ethereum key is used to create a signature from an authentication message;
    // signer: https://docs.ethers.io/ethers.js/html/api-wallet.html#signer-api
    // the message can be something like
    // 'authenticate on ethereum.world on 2020/02/29'
    // signMessage returns a Promise, so await the result
    const sig = await signer.signMessage(AUTH_MESSAGE)
  • the signature sig is then sent to a web service, which validates it and generates a JWT;
  • the JWT is used to store claims; for v0.1 of Ethereum World we're using the standard claims;
  • the web service also uses an Ethereum key to sign the JWT, and this key is saved as the Issuer in the standard claims list:
    {
      Issuer: "0x0A93720048a3E25cD72346bD802DeF4Dc7316b5", // ewa.akasha.eth
      Subject: "0x0A93720048a3E25cD72346bD802DeF4Dc7316b2", // user's public eth address
      Audience: "ethereum.world",
      ...
    }
  • the user receives a token that can be used for 24h to authenticate on all web services that Ethereum World uses; it must be sent in the request header using the bearer authorization format, e.g.: Authorization: Bearer eyJhbGciOiJFUzI1.eyJzaWciOiI.-CYOci_mOfR
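
The checks a receiving service would run on that bearer token, as an added example that is not Ethereum World's own code. It assumes the JWT uses ES256K (ECDSA over secp256k1 with SHA-256) and the registered claim names iss/sub/aud/exp; `issueToken`, `verifyBearer` and `demo` are hypothetical names, and a throwaway key pair stands in for the service's Ethereum key.

```javascript
// Added example, not Ethereum World code. Assumes the JWT is signed with
// ES256K (ECDSA over secp256k1 with SHA-256) and uses registered claim names.
const crypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const DAY = 24 * 60 * 60; // the 24h token lifetime, in seconds

// Issuing service: sign the standard claims with its own key.
function issueToken(claims, privateKey) {
  const data = `${b64u(JSON.stringify({ alg: 'ES256K', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(data), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${data}.${b64u(sig)}`;
}

// Any service that receives the bearer token runs these checks before trusting it.
function verifyBearer(header, { publicKey, issuer, audience, now }) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(header || '');
  if (!m) return { ok: false, reason: 'malformed header' };
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(m[1], 'base64url').toString()) || {};
    claims = JSON.parse(Buffer.from(m[2], 'base64url').toString()) || {};
  } catch { return { ok: false, reason: 'malformed token' }; }
  // Pin the algorithm so the token cannot choose how it is verified.
  if (head.alg !== 'ES256K') return { ok: false, reason: 'unexpected alg' };
  const valid = crypto.verify('sha256', Buffer.from(`${m[1]}.${m[2]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(m[3], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (claims.iss !== issuer) return { ok: false, reason: 'wrong issuer' };
  if (claims.aud !== audience) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || now >= claims.exp) return { ok: false, reason: 'expired' };
  return { ok: true, subject: claims.sub };
}

// Constructed demo: a throwaway key pair stands in for the service's Ethereum key.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const iss = '0x0A93720048a3E25cD72346bD802DeF4Dc7316b5'; // sample Issuer from the article
  const sub = '0x0A93720048a3E25cD72346bD802DeF4Dc7316b2'; // sample Subject from the article
  const iat = 1582934400; // 2020-02-29T00:00:00Z
  const token = issueToken({ iss, sub, aud: 'ethereum.world', iat, exp: iat + DAY }, privateKey);
  // Same header and signature, but a body with a different (constructed) subject.
  const forged = token.replace(/\.[\w-]+\./, `.${b64u(JSON.stringify({ iss, sub: '0xSomeoneElse', aud: 'ethereum.world', exp: iat + DAY }))}.`);
  const opts = { publicKey, issuer: iss, audience: 'ethereum.world', now: iat + 3600 };
  return {
    fresh: verifyBearer(`Bearer ${token}`, opts),
    expired: verifyBearer(`Bearer ${token}`, { ...opts, now: iat + DAY }),
    tampered: verifyBearer(`Bearer ${forged}`, opts),
    otherAudience: verifyBearer(`Bearer ${token}`, { ...opts, audience: 'example.invalid' }),
  };
}
```

The signature is verified before any claim is read for a decision, so a token with an edited Subject is rejected as a bad signature and never reaches the issuer, audience or expiry checks.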