From 4281a3703ed54e8c46120396f90a6dae1891289e Mon Sep 17 00:00:00 2001 From: Erik Zhang Date: Fri, 19 Mar 2021 16:21:12 +0800 Subject: [PATCH 1/5] Authentication Scheme --- authentication-scheme.mediawiki | 154 ++++++++++++++++++++++++++++++++ 1 file changed, 154 insertions(+) create mode 100644 authentication-scheme.mediawiki diff --git a/authentication-scheme.mediawiki b/authentication-scheme.mediawiki new file mode 100644 index 00000000..a5899d05 --- /dev/null +++ b/authentication-scheme.mediawiki @@ -0,0 +1,154 @@ +
+  NEP: 
+  Title: Authentication Scheme
+  Author: Erik Zhang 
+  Type: Standard
+  Status: Draft
+  Created: 2021-03-19
+
+ +==Abstract== + +This NEP describes a scheme for third-party applications to authenticate users based on NEO. +The third-party applications mentioned here can be any type of application, including Dapps, websites, games, etc. + +==Motivation== + +Usually, an application saves user data on its own server. The authenticated user can modify the corresponding data through application-defined logic. +Traditional Internet applications usually use an authentication scheme based on username and password, which is not suitable for blockchain. +This authentication scheme allows third-party applications to authenticate users based on digital signatures. +In this way, NEO users can log in to any third-party application that supports this scheme without registering, and allow applications to share user data on the blockchain. + +==Specification== + +The authentication process is divided into two steps. +In the first step, the server sends a challenge payload to the client to request authentication. +In the second step, the client sends the response payload to the server to complete the authentication. +The payloads are transmitted in the form of JSON. + +===Challenge payload=== + +
+{
+  "grant_type": "signature",
+  "allowed_algorithms": ["ECDSA-P256"],
+  "network": 5195086,
+  "nonce": "13458238842203010919",
+  "timestamp": 1616131368
+}
+
+ +====grant_type==== + +This field should be fixed to "signature" and can be extended in the future to support more authentication schemes. + +====allowed_algorithms==== + +An array containing the signature algorithms allowed by the server. + +The client should use one of the algorithms to sign the response data. +If none of the algorithms are supported by the client, the authentication fails. + +====network==== + +The magic number of the network. +Indicates which network this authentication will be applied to. + +====nonce==== + +A 64-bit unsigned integer used to identify this authentication. + +The server should record the expiration time of the nonce and check it when the response is received. +The expiration time is recommended to be 5 minutes. + +====timestamp==== + +The timestamp of the server. +This timestamp is used by the client to check whether the local time is synchronized with the server. + +If the local time of the client is not synchronized with the server, the authentication may fail. +In this case, the client should first synchronize the time or prompt the user. + +===Response payload=== + +
+{
+  "algorithm": "ECDSA-P256",
+  "pubkey": "0355912bc4e61c9715c5912397ea53a5ac6c103c4893fbd9c2a9f3be13b7a3e29d",
+  "address": "NfMFWYxaUUQy9SYo6AhRiGmRxfPxe9Edj7",
+  "nonce": "13458238842203010919",
+  "timestamp": 1616131369,
+  "signature": "BAS7Ljufj3vrhOrTAi21D/5Cf62n4r64Suf/do8dq/OCMHiLJl+hLJeMFZwTajVjhcpFLz6FuSEp13vvEqWf1w=="
+}
+
+ +====algorithm==== + +The algorithm used by the client to sign the response data. +It should be one of the values in the allowed_algorithms sent by the server. + +If the algorithm used by the client is not supported by the server, the authentication fails. + +====pubkey==== + +The public key used to verify the signature. +It must correspond to the address, otherwise the authentication fails. + +====address==== + +The address of the user to be authenticated. +It must correspond to the pubkey, otherwise the authentication fails. + +====nonce==== + +A 64-bit unsigned integer used to identify this authentication. +This value must be exactly the same as the nonce sent by the server. + +When the server receives the response, it should check whether the nonce has expired. +If the nonce has expired or not exists, the authentication fails. + +====timestamp==== + +The timestamp of the client. +This timestamp is used by the server to determine the time of the signature to prevent replay attacks. + +====signature==== + +The signature of the response data. +It should be encoded in base64. + +===Response data to sign=== + +{| class="wikitable sortable" style="width: auto; text-align: center; font-size: smaller; table-layout: fixed;" +!Name +!Type +!Offset +!Size +!Description +|- +| network +| uint32 +| 0 +| 4 +| The magic number of the network +|- +| nonce +| uint64 +| 4 +| 8 +| The nonce sent by the server +|- +| timestamp +| uint32 +| 12 +| 4 +| The timestamp of the client +|- +| hash +| uint160 +| 16 +| 20 +| The script hash of the user's address +|} + +==Implementation== From 0a5cbc9f6e841899f4142227f080b170840847db Mon Sep 17 00:00:00 2001 From: Erik Zhang Date: Mon, 5 Apr 2021 11:34:45 +0800 Subject: [PATCH 2/5] Add optional callback url --- authentication-scheme.mediawiki | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/authentication-scheme.mediawiki b/authentication-scheme.mediawiki index a5899d05..f3804190 100644 --- a/authentication-scheme.mediawiki +++ b/authentication-scheme.mediawiki @@ -34,7 +34,8 @@ The payloads are transmitted in the form of JSON. "allowed_algorithms": ["ECDSA-P256"], "network": 5195086, "nonce": "13458238842203010919", - "timestamp": 1616131368 + "timestamp": 1616131368, + "callback": "https://someurl.com/callback" } @@ -69,6 +70,12 @@ This timestamp is used by the client to check whether the local time is synchron If the local time of the client is not synchronized with the server, the authentication may fail. In this case, the client should first synchronize the time or prompt the user. +====callback==== + +''Optional''. An url that used to send the response payload. + +When a callback is provided, the response payload is sent to the callback url in HTTP POST method. + ===Response payload===

From a871de712d1a781b9a9ead4e3e0caca9e118fccc Mon Sep 17 00:00:00 2001
From: Erik Zhang 
Date: Mon, 5 Apr 2021 12:11:07 +0800
Subject: [PATCH 3/5] Add three modes

---
 authentication-scheme.mediawiki | 90 +++++++++++++++++++++++++++------
 1 file changed, 75 insertions(+), 15 deletions(-)

diff --git a/authentication-scheme.mediawiki b/authentication-scheme.mediawiki
index f3804190..780797f9 100644
--- a/authentication-scheme.mediawiki
+++ b/authentication-scheme.mediawiki
@@ -21,12 +21,14 @@ In this way, NEO users can log in to any third-party application that supports t
 
 ==Specification==
 
+===Payloads===
+
 The authentication process is divided into two steps.
 In the first step, the server sends a challenge payload to the client to request authentication.
 In the second step, the client sends the response payload to the server to complete the authentication.
 The payloads are transmitted in the form of JSON.
 
-===Challenge payload===
+====Challenge payload====
 
 
 {
@@ -39,30 +41,30 @@ The payloads are transmitted in the form of JSON.
 }
 
-====grant_type==== +=====grant_type===== This field should be fixed to "signature" and can be extended in the future to support more authentication schemes. -====allowed_algorithms==== +=====allowed_algorithms===== An array containing the signature algorithms allowed by the server. The client should use one of the algorithms to sign the response data. If none of the algorithms are supported by the client, the authentication fails. -====network==== +=====network===== The magic number of the network. Indicates which network this authentication will be applied to. -====nonce==== +=====nonce===== A 64-bit unsigned integer used to identify this authentication. The server should record the expiration time of the nonce and check it when the response is received. The expiration time is recommended to be 5 minutes. -====timestamp==== +=====timestamp===== The timestamp of the server. This timestamp is used by the client to check whether the local time is synchronized with the server. @@ -70,13 +72,13 @@ This timestamp is used by the client to check whether the local time is synchron If the local time of the client is not synchronized with the server, the authentication may fail. In this case, the client should first synchronize the time or prompt the user. -====callback==== +=====callback===== ''Optional''. An url that used to send the response payload. When a callback is provided, the response payload is sent to the callback url in HTTP POST method. -===Response payload=== +====Response payload====
 {
@@ -89,24 +91,24 @@ When a callback is provided, the response payload is sent to the 
 
-====algorithm====
+=====algorithm=====
 
 The algorithm used by the client to sign the response data.
 It should be one of the values in the allowed_algorithms sent by the server.
 
 If the algorithm used by the client is not supported by the server, the authentication fails.
 
-====pubkey====
+=====pubkey=====
 
 The public key used to verify the signature.
 It must correspond to the address, otherwise the authentication fails.
 
-====address====
+=====address=====
 
 The address of the user to be authenticated.
 It must correspond to the pubkey, otherwise the authentication fails.
 
-====nonce====
+=====nonce=====
 
 A 64-bit unsigned integer used to identify this authentication.
 This value must be exactly the same as the nonce sent by the server.
@@ -114,17 +116,17 @@ This value must be exactly the same as the nonce sent by the server
 When the server receives the response, it should check whether the nonce has expired.
 If the nonce has expired or not exists, the authentication fails.
 
-====timestamp====
+=====timestamp=====
 
 The timestamp of the client.
 This timestamp is used by the server to determine the time of the signature to prevent replay attacks.
 
-====signature====
+=====signature=====
 
 The signature of the response data.
 It should be encoded in base64.
 
-===Response data to sign===
+====Response data to sign====
 
 {| class="wikitable sortable" style="width: auto; text-align: center; font-size: smaller; table-layout: fixed;"
 !Name
@@ -158,4 +160,62 @@ It should be encoded in base64.
 | The script hash of the user's address
 |}
 
+===Scene modes===
+
+====QR code mode====
+
+A website can allow NEO users to log in directly.
+
+The login process is:
+
+#The user clicks the login button with the NEO icon.
+
+#The QR code for login is displayed on the webpage. The challenge payload is encoded in the QR code. In this case, the callback must be included.
+
+#The user opens the mobile wallet and scans the QR code.
+
+#After the wallet recognizes the QR code, a pop-up window asks the user to confirm login.
+
+#If the user cancels the login, the authentication process ends. Otherwise, go to the next step.
+
+#The wallet sends the response payload to the callback url through the HTTP POST method.
+
+#After the website receives the response payload and the verification is successful, it notifies the front end to refresh the page.
+
+#The authentication is complete and the login is successful.
+
+====Plug-in mode====
+
+If the user uses a plug-in wallet, it will be able to automatically log in to the supported website.
+
+The login process is:
+
+#The front end of the website detects whether a supported plug-in wallet is installed.
+
+#The front end requests challenge payload from the server.
+
+#The front end calls the authenticate method of the plug-in wallet and passes the challenge payload as a parameter.
+
+#The plug-in automatically selects an account, or the user specifies an account for the authentication process.
+
+#The wallet sends the response payload as the return value of the authenticate method to the front end.
+
+#The front end verifies the response payload and notifies the server.
+
+#The authentication is complete and the login is successful.
+
+====Connection mode====
+
+This authentication scheme can also be used in connection mode. For example, game clients, command line wallets, etc.
+
+The login process is:
+
+#The client connects to the server.
+
+#The server sends the challenge payload to the client.
+
+#The client sends the response payload to the server.
+
+#If the authentication is successful, then keep the connection and continue the business logic. Otherwise, send an error code and disconnect.
+
 ==Implementation==

From 32c55da68ab2e278b68d883cd5de3811a56da982 Mon Sep 17 00:00:00 2001
From: Erik Zhang 
Date: Wed, 21 Apr 2021 11:37:46 +0800
Subject: [PATCH 4/5] Add action

---
 authentication-scheme.mediawiki | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/authentication-scheme.mediawiki b/authentication-scheme.mediawiki
index 780797f9..4389cdc6 100644
--- a/authentication-scheme.mediawiki
+++ b/authentication-scheme.mediawiki
@@ -32,7 +32,8 @@ The payloads are transmitted in the form of JSON.
 
 
 {
-  "grant_type": "signature",
+  "action": "Authentication",
+  "grant_type": "Signature",
   "allowed_algorithms": ["ECDSA-P256"],
   "network": 5195086,
   "nonce": "13458238842203010919",
@@ -41,9 +42,13 @@ The payloads are transmitted in the form of JSON.
 }
 
+=====action===== + +This field should be fixed to "Authentication" and can be extended in the future to support more actions. + =====grant_type===== -This field should be fixed to "signature" and can be extended in the future to support more authentication schemes. +This field should be fixed to "Signature" and can be extended in the future to support more authentication schemes. =====allowed_algorithms===== From cdfcab6c3d692dba585f3e9eab7f724eb36227df Mon Sep 17 00:00:00 2001 From: Erik Zhang Date: Thu, 9 Dec 2021 13:50:11 +0800 Subject: [PATCH 5/5] Update networks --- ...ication-scheme.mediawiki => nep-20.mediawiki | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) rename authentication-scheme.mediawiki => nep-20.mediawiki (95%) diff --git a/authentication-scheme.mediawiki b/nep-20.mediawiki similarity index 95% rename from authentication-scheme.mediawiki rename to nep-20.mediawiki index 4389cdc6..b35e9114 100644 --- a/authentication-scheme.mediawiki +++ b/nep-20.mediawiki @@ -1,9 +1,9 @@
-  NEP: 
+  NEP: 20
   Title: Authentication Scheme
   Author: Erik Zhang 
   Type: Standard
-  Status: Draft
+  Status: Accepted
   Created: 2021-03-19
 
@@ -35,7 +35,7 @@ The payloads are transmitted in the form of JSON. "action": "Authentication", "grant_type": "Signature", "allowed_algorithms": ["ECDSA-P256"], - "network": 5195086, + "networks": [860833102], "nonce": "13458238842203010919", "timestamp": 1616131368, "callback": "https://someurl.com/callback" @@ -57,10 +57,9 @@ An array containing the signature algorithms allowed by the server. The client should use one of the algorithms to sign the response data. If none of the algorithms are supported by the client, the authentication fails. -=====network===== +=====networks===== -The magic number of the network. -Indicates which network this authentication will be applied to. +The magic number of the supported networks. Indicates which networks this authentication will be applied to. =====nonce===== @@ -88,6 +87,7 @@ When a callback is provided, the response payload is sent to the { "algorithm": "ECDSA-P256", + "network": 860833102, "pubkey": "0355912bc4e61c9715c5912397ea53a5ac6c103c4893fbd9c2a9f3be13b7a3e29d", "address": "NfMFWYxaUUQy9SYo6AhRiGmRxfPxe9Edj7", "nonce": "13458238842203010919", @@ -103,6 +103,11 @@ It should be one of the values in the allowed_algorithms sent by th If the algorithm used by the client is not supported by the server, the authentication fails. +=====network===== + +The magic number of the network. +It must be one of the networks in the challenge payload, otherwise the authentication fails. + =====pubkey===== The public key used to verify the signature.