How Dauth works
A decentralized authentication mechanism for Ethereum
DAuth is to Ethereum what OAuth is to the web.
Here, I describe briefly the architecture of how DAuth works.
- User : The person who wants to log in using credentials on the Dauth System.
- Client : A service that wishes to authenticate a user using the Dauth System.
- Dauth Provider : A server that will authenticate a user’s claim of credentials and pass on the verification to the client. This server may be hosted by the user, or the user may use a server set up by a person or an organization she trusts. A Dauth Provider exposes 2 endpoints — login page, verification REST API.
Flow of control
The authentication is controlled by a smart contract. To register on DAuth, a user should bind her Ethereum address to the following parameters, all stored on the blockchain:
- Username : All usernames on the Dauth system are unique, thereby removing the need to remember complicated keys.
- Public Key : Each Dauth user has a public-private key pair that will be used for authentication. This key is independent of the keys used to sign transactions. This keeps the Ethers decoupled from authentication.
- DAuth Provider address : Every user may choose a DAuth Provider. This may be self hosted or on a server providing Dauth as a service. This Provider is responsible for maintaining the Private key associated with the above mentioned Public Key.
- Verifiers : A list of Dauth accounts that have verified this address. Eg. “An email address has been verified by Google”, “A phone number has been verified by True Caller” — This allows clients to use Dauth for services that need a unique login (fighting sybil). A verifier can add a new entry to the list of verifiers for any user, mentioning the type of verification (“email”, “phone”, “facebook”).
Registration with a Dauth Provider
The user must provide the following to the Dauth Provider:
- Password : The user must provide a password that must be used by the Dauth Provider to validate that the authentication claims are indeed arising from the user claimed by the client.
- Private Key : This is the private key associated with the public key stored on the blockchain for the user’s address.
- Presenting login page 1. The client must redirect the user to a page that accepts the user’s username and redirects the user to the login page on the DAuth Provider. The Dauth Provider address must be fetched from the blockchain. The client must pass a redirect URL to login page 2.
- Presenting login page 2. This is the login page on the Dauth Provider. The user must verify that she has been redirected to the correct Dauth Provider (by validating the URL or any other identification like UI or display text), and enter the password. Once the password has been entered, two strings are generated:
- Code : A random string
- CodeHash : SHA256(Code, Password)
The Code and the CodeHash are passed to the redirect URL, which is the endpoint exposed by the client.
- Redirect URL verification : The client receives the Code and CodeHash on the redirect URL endpoint as a POST request. This endpoint must pass the following parameters in a POST request to the Dauth Provider’s second endpoint — the verification API:
- Code : The code that this endpoint received from the login page 2
- CodeHash : The code hash this endpoint received from the login page 2
- MessageCipher : A random string encrypted using the user’s public key.
- Username : username received from the login page 2
- Verification API. The verification api verifies that the CodeHash = SHA256(Code, Password) of the user identified by the username. If true, it decrypts the MessageCipher using the registered private key and sends that back as a response.
- Final authentication. The client receives the decrypted message as a response to the call to verification api. It may then verify that the random string that was encrypted using the public key is the same as the string that it received in response. If true, it may proceed with a successful authentication for the user.
Try it out at https://dauth.co
Motivation for Dauth was covered in a previous post
You may check out the smart contract, Dauth Provider and Client code on GitHub.