I've got the OIDC Gateway for CashID fairly stable now and I think it should be safe for general use. What this means is that if your service or site supports OIDC, you should be able to integrate CashID as an authentication mechanism with little effort.
Some platforms that I think may support OIDC (and should therefore be compatible) are:
What does this mean for the average BCH user?
CashID will allow you to log in to any CashID-supporting service using your BCH cryptographic keys. In general, this means easy password-less authentication and quick registration to services, as CashID can also request common information required during registration flows.
However, Wallet support for CashID is not quite there yet. The intent of this particular project is to prep services for when CashID becomes a common feature in BCH Wallets.
For now, an Identity Manager that can be used for testing is available at https://cashid.app .
Is this service self-hostable or do I have to use your instance?
The service is self-hostable, but I would not recommend hosting your own instance quite yet, until this has gone through more testing. Otherwise, you may find yourself redeploying while bugs are ironed out.
Nevertheless, code is available here: https://github.com/developers-cash/cashid-gateway
Is the personal information of users retained on the server?
The BCH Address and the CashID payload are stored in memory for 1 minute only. This is required in order for the OIDC Code and Token flows to function correctly. However, no data is retained long-term.
Does this follow the full OIDC specification?
Not entirely. This is not technically an "IdP" (Identity Provider) as most traditional OIDC Providers would be. Instead, this is more of an "Identity Verifier" in that it validates the CashID payload and then forwards OIDC-compatible responses to the Relying Parties.
All URLs are whitelisted (this would generally be considered bad practice, but should not matter in this case)
All services share the same Client Secret (I do not think, for this particular use, this presents a security concern as it still requires explicit user consent and a code/token to access account data)
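The one-minute in-memory retention and the code/token exchange described above can be pictured with the following sketch. It is an added example, not code from cashid-gateway; the class name, method names and sample values are hypothetical. It assumes the gateway records the redirect URI when it issues a code and compares it again at redemption.

```javascript
const { randomBytes } = require('crypto');

// Hypothetical in-memory store: holds the verified BCH address and CashID
// payload only until the relying party redeems the code, or the TTL passes.
class EphemeralCodeStore {
  constructor(ttlMs = 60000, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;            // injectable clock so expiry can be tested
    this.entries = new Map();  // code -> { address, payload, redirectUri, expiresAt }
  }

  // Called once the CashID payload has been validated.
  issue(address, payload, redirectUri) {
    this.sweep();
    const code = randomBytes(32).toString('hex'); // unguessable, 256 bits
    const expiresAt = this.now() + this.ttlMs;
    this.entries.set(code, { address, payload, redirectUri, expiresAt });
    return code;
  }

  // Called from the token endpoint. The entry is deleted on first lookup,
  // whether or not redemption succeeds, so a code cannot be replayed.
  redeem(code, redirectUri) {
    const entry = this.entries.get(code);
    if (!entry) return null;
    this.entries.delete(code);
    if (this.now() >= entry.expiresAt) return null;
    // Assumption of this sketch: with every redirect URL accepted and one
    // shared client secret, the redirect URI recorded at issue time is the
    // value that ties a code to the site that requested it.
    if (entry.redirectUri !== redirectUri) return null;
    return { address: entry.address, payload: entry.payload };
  }

  // Drop expired entries so unredeemed data does not outlive the TTL.
  sweep() {
    const t = this.now();
    for (const [code, entry] of this.entries) {
      if (t >= entry.expiresAt) this.entries.delete(code);
    }
  }
}
```

Calling `sweep()` on a timer as well as on `issue()` keeps an idle instance from holding an unredeemed payload past the TTL.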
Is this service secure?
I believe it should be. However, I would welcome an audit of the code if someone familiar with OIDC could take a look.
Is the CashID WebApp complete?
There will be some changes to the key derivation. The WebApp is mainly intended as a PoC and as a means of demonstrating the login flow.