Login to Streamr with Ethereum

A preview of the new login UI with added Ethereum login

As we move towards a decentralized Streamr platform, featuring a close symbiotic relationship with the Ethereum blockchain, we needed to provide a way to sign up and log in with an Ethereum address. This approach has several advantages over the traditional username/password-based login. First, it does not require users to remember or type anything, but most importantly, it removes the need to trust the backend with a shared secret.

Effectively, every Ethereum address is also now a Streamr account!

So how can you sign in with Ethereum?

The feature is already supported by the API and implemented in the JavaScript client library. On the Streamr web UI, support for Ethereum login will be included in the upcoming frontend rewrite/redesign, which is due for release in late March/early April.

Assuming you have Metamask or another Web3 wallet installed, when you click the “Sign in with Ethereum” link in the upper left corner, a request to sign a randomly generated challenge will pop up.

Signing in using Metamask

Once you click ‘SIGN’, you’re logged in! Two clicks. No need to type anything on your keyboard, remember a password or provide any personal information like an email address.

What about sign up?

There is absolutely no difference. During the login protocol, if the provided Ethereum address does not exist on the backend database, it is registered there. Once you have an Ethereum-linked Streamr account, whether you’re a new or old Streamr user, the login procedure remains the same.

Note that if you want to bind an Ethereum address to your existing Streamr account instead of creating a new one, you can do so on the user profile page. Afterwards you can use the Ethereum login for that account.

Authenticating to the API with Ethereum

Authenticating to the API is easiest with one of the provided client libraries. The examples below use the JavaScript library, which is the first to receive support for this new feature.

Instead of the usual API key, you can pass an Ethereum private key to the StreamrClient constructor. Under the hood, the client library will automatically authenticate by signing a challenge similar to the one described above for the interactive UI login. Note that your private key never leaves the computer you run your script on.

const client = new StreamrClient({
  auth: {
    // Placeholder: load the real key from outside the source file
    privateKey: 'YOUR-PRIVATE-KEY',
  }
})

For interactive applications in the browser, you can pass a Web3 provider to authenticate with private keys held inside a Web3 wallet. In this case, the user will be prompted with a signature request exactly as if you were logging into the Streamr web UI.

const client = new StreamrClient({
  auth: {
    // Provider injected by the user's Web3 wallet (e.g. Metamask)
    provider: web3.currentProvider,
  }
})

Next, we’ll dive into the details of what actually happens during the authentication procedure.

A challenge-response protocol to prove Ethereum account ownership

In the following, every communication between the user and the backend server is secured with TLS. The goal is to authenticate users with their Ethereum private keys without asking them to reveal that private key. To that end, the user sends his/her public Ethereum address to the backend. A random text called a challenge is generated and sent back to the user. The user signs the challenge with his/her private key to produce a signature which constitutes the “response” to the challenge. The backend receives and verifies the signature with the provided public Ethereum address, thus obtaining proof that the user owns the corresponding private key.

Once the challenge is verified, the user is identified by his/her Ethereum address. A session token is generated, associated with that Ethereum address and sent to the user. Now every request can be authenticated by including this session token in the HTTP headers like a standard session cookie. When the session token expires, a new challenge has to be signed.
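The exchange described above, sketched end to end as an added example (not Streamr's code): Node's built-in ECDSA over secp256k1 with SHA-256 stands in for the Ethereum wallet signature, a hash of the public key stands in for the Ethereum address, and the function names and the 60-second challenge lifetime are assumptions. It shows the checks the backend needs so that a captured response cannot be reused: the challenge is bound to the claimed address, accepted once, and short-lived.

```javascript
const crypto = require('crypto')

const CHALLENGE_TTL_MS = 60 * 1000 // assumed lifetime; the post does not give one
const challenges = new Map() // challenge text -> { address, expires }
const sessions = new Map() // session token -> address

// Stand-in for an Ethereum address: last 20 bytes of a hash of the public key.
function addressOf(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' })
  return '0x' + crypto.createHash('sha256').update(der).digest('hex').slice(-40)
}

// Step 1 (backend): issue a random challenge bound to the claimed address.
function issueChallenge(address, now = Date.now()) {
  const challenge = 'Login challenge: ' + crypto.randomBytes(32).toString('hex')
  challenges.set(challenge, { address, expires: now + CHALLENGE_TTL_MS })
  return challenge
}

// Step 2 (user): sign the challenge; the private key never leaves the client.
function signChallenge(challenge, privateKey) {
  return crypto.sign('sha256', Buffer.from(challenge), privateKey)
}

// Step 3 (backend): verify the response, then issue a session token.
// Here the public key is sent along; an Ethereum backend recovers it from the signature.
function login(address, challenge, signature, publicKey, now = Date.now()) {
  const entry = challenges.get(challenge)
  challenges.delete(challenge) // single use, even when verification fails
  if (!entry || entry.address !== address || now > entry.expires) return null
  if (addressOf(publicKey) !== address) return null
  if (!crypto.verify('sha256', Buffer.from(challenge), publicKey, signature)) return null
  const token = crypto.randomBytes(32).toString('hex')
  sessions.set(token, address)
  return token
}

// Constructed demo: one honest login, then a replayed and a late response.
function demo() {
  const user = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' })
  const address = addressOf(user.publicKey)
  const c1 = issueChallenge(address)
  const sig = signChallenge(c1, user.privateKey)
  const token = login(address, c1, sig, user.publicKey)
  const replay = login(address, c1, sig, user.publicKey)
  const c2 = issueChallenge(address, 0)
  const late = login(address, c2, signChallenge(c2, user.privateKey), user.publicKey, CHALLENGE_TTL_MS + 1)
  return { loggedIn: sessions.get(token) === address, replay, late }
}
```

`demo()` returns `loggedIn: true` for the honest login and `null` for both the replayed and the expired response.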

A step towards decentralization

The legacy email/password authentication as well as API keys remain supported for now. But in the final stages of the Streamr P2P Network, all users will be identified solely with their Ethereum address or another digital cryptographic identity solution. That will enable self-sovereign people and machines to publish and consume data on Streamr. It will also ensure that the platform is as trustless as can be. While we’re still a few years away from the final milestones, shipping this feature is a step towards that vision.

What’s up next: signing data to make it tamper-proof!

In this post, we showed how users with Ethereum addresses can now sign login challenges. That feature opens up the path to something even better. If subscribers want to make sure that the data points they receive haven’t been tampered with, and that they come from a trusted publisher, the publisher will need to cryptographically sign their data points.

So in my next blog post I will show how Ethereum keys can be used to sign actual data points published to streams, making them tamper-proof!