Continued from:
https://read.cash/@jimtendo/cashid-adoption-bdad3431
I've got the OIDC Gateway for CashID fairly stable now and I thin it should be safe for general use. What this means is that if your service or site supports OIDC, you should with little effort be able to integrate CashID as an authentication mechanism.
Some platforms that I think may support OIDC (and should therefore be compatible) are:
Wordpress
https://wordpress.org/plugins/miniorange-openid-connect-client/Magento
https://marketplace.magento.com/miniorange-inc-miniorange-oauth-sso.htmlDiscourse
https://meta.discourse.org/t/openid-connect-authentication-plugin/103632
The below gives an example of how an OIDC Authentication flow using CashID might look:
You can also try it yourself using the below link (use the WebApp if you do not have a CashID App on your phone):
https://v1.cashid.infra.cash/oidc/auth?client_id=cashid&redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug&scope=openid%20name%20family%20nickname%20email%20country&response_type=id_token&response_mode=form_post&nonce=fhu9ts9cugp
Configuration
Would very much appreciate it if OIDC services could test the following and give feedback on success/failure:
To configure, there is an OIDC configuration file available here:
https://v1.cashid.infra.cash/oidc/.well-known/openid-configuration
Details are as follows:
Authorize URL: https://v1.cashid.infra.cash/oidc/auth
Client ID: cashid
Client Secret: cashid
Scopes supported: name, family, nickname, age, gender, birthdate, picture, national, country, state, city, streetname, streetnumber, residence, coordinate, email, instant, social, phone, postal, openid
Response Types supported: Code, Token, ID Token
All URL's are Whitelisted (see questions below)
Please reach out to me on Telegram if any problems/questions:
https://t.me/jimtendo
Questions/Answers
What does this mean for the average BCH user?
CashID will allow you to login to any CashID supporting services using your BCH Cryptographic Keys. In general, this means easy password-less authentication and quick registration to services as CashID can also request common information required during Registration Flows.
However, Wallet support for CashID is not quite there yet. The intent of this particular project is to prep services for when CashID becomes a common feature in BCH Wallets.
For now, an Identity Manager that can be used for testing is available at https://cashid.app .
Is this service self-hostable or do I have to use your instance?
The service is self-hostable, but I would not recommend hosting your instance quite yet until this has gone through more testing. Otherwise, you may find yourself redeploying while bugs are kinked out.
Nevertheless, code is available here:
https://github.com/developers-cash/cashid-gateway
Is the personal information of users retained on the server?
The BCH Address and the CashID payload are stored in memory for 1 minute only. This is required in order for the OIDC Code and Token flows to function correctly. However, no data is retained long-term.
Does this follow the full OIDC specification?
Not entirely. This is not technically an "IdP" (Identity Provider) as most traditional OIDC Providers would be. Instead, this is more of an "Identity Verifier" in that it validates the CashID payload and then forwards OIDC-compatible responses to the Relying Parties.
Additionally:
All URL's are Whitelisted (this would generally be considered bad practice, but should not matter in this case)
All services share the same Client Secret (I do not think, for this particular use, this presents a security concern as it still requires explicit user consent and a code/token to access account data)
Is this service secure?
I believe it should be. However, I would welcome an audit of the code if someone familiar with OIDC could take a look.
Is the CashID WebApp complete?
There will be some changes to the key derivation. The WebApp is mainly intended as a PoC and as a means of demonstrating the login flow.
Could you add a comment to address what steps are necessary for this to become accessible and useful to the average BCH user? (not average person - that's another huge step).