remorses / auth-server-dock

This project forked from docknetwork/auth-server

Provides an oauth solution with verifiable credentials and SSI

Home Page: https://auth.dock.io

License: MIT License

JavaScript 93.44% CSS 6.56%

auth-server-dock's Introduction

Dock Web3 ID

Web3 ID is a blockchain-based authentication and authorization system that uses Decentralized Identifiers (DIDs) and Verifiable Credentials. A live service is hosted at https://auth.dock.io; alternatively, you may clone this repository/deploy it to Vercel to spin up your own instance. The service is mostly stateless, but currently relies on a memcached instance for short-lived data transfer. No long-term storage of user data is used; tokens and codes are obtained through cryptography. You can use this service to let your users provide their own user data, as you would request with "Login with Facebook" or "Sign in with GitHub".

Note: You will still want to verify a user's email if requested with this service.

Features:

  • No long term storage of user/client data
  • User provides and controls their own data
  • Uses did:dock and did:key DIDs
  • Cryptographic client id/secrets
  • OAuth 2.0 spec compliant

Roadmap:

  • Support requesting specific credentials/data
  • Decouple verification from the Dock API
  • Look into supporting the SIOP spec
  • OpenID Connect implementation
  • Support more DID types
  • Support non self-signed credentials
  • Zero Knowledge Proofs

For more information about the upcoming features, get in touch.

As an OAuth 2.0 provider

This service can be used directly as an OAuth 2.0 provider with your favourite OAuth library. See the documentation for OAuth 2.0 setup. You are welcome to use our hosted version or your own. Setup instructions are for the hosted version; simply replace the domain with your own to configure for another endpoint.

Under the Hood

Decentralized Identifiers (DIDs) are cryptographically verifiable pseudonymous identifiers created by the user, owned by the user, and independent of any organization. DIDs contain no personal data about the user; the user may provide extra data you request, such as their name, email, etc. An example of a DID stored on the Dock blockchain could look like this:

sample-did

Each DID is supported by a Public-Private cryptographic key pair.

When a user scans the QR Code generated by the Dock Web3 ID service they are prompted to provide their data as requested by the scopes. The user’s Private Key associated with the DID digitally signs a Verifiable Credential. This Verifiable Credential with that data contains a cryptographic hash that ensures that it wasn’t modified since it was created and signed - and most importantly verifies that the user who owns that DID is providing that data.

This Authentication Verifiable Credential is sent to this auth service, which verifies that the credential was indeed cryptographically signed by the correct user and grants the user access to the application. Your server can then request the user data using the access token provided through the standard OAuth 2.0/Auth0 flow.

Development

First, set up the environment variables and prerequisite services; then you can run the development server:

npm run dev
# or
yarn dev

Open http://localhost:3000 with your browser to see the result.

Building and Deployment

Building the application for production can be done with:

npm run build
# or
yarn build

or you may wish to run it as a custom server with:

npm run start
# or
yarn start

Env Vars

Running the auth server requires:

  • A free Dock Certs API key in order to verify credentials. Set through API_KEY
  • A memcached instance. You can find many free ones online for a small project, or use a local Docker container. Set through MEMCACHIER_SERVERS
  • A secure, randomly generated cryptographic key for authorizing clients set through CRYPTO_KEY
  • A public domain set through SERVER_URL (defaults to localhost:3000)

Example .env.local file:

API_KEY=certs-api-key
MEMCACHIER_SERVERS=your-memcached-uri:11211
CRYPTO_KEY=32charactersecurecryptokey
SERVER_URL=https://mydomain.com/
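
A startup check for the four variables listed above, as an added example that is not part of the auth-server-dock code base. The names validateEnv and bitsPerChar, the 32-character minimum, the 3.0 bits-per-character threshold and the comma-separated memcached server list are assumptions made for illustration.

```javascript
// Added example: startup validation for the four env vars this README lists.
// The 32-character minimum and 3.0 bits/char threshold are assumptions.
const PLACEHOLDERS = new Set(['certs-api-key', '32charactersecurecryptokey',
  'your-memcached-uri:11211']);

// Shannon entropy per character; low values flag repeated or word-like keys.
function bitsPerChar(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts)
    .reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

function validateEnv(env) {
  const problems = [];
  for (const name of ['API_KEY', 'MEMCACHIER_SERVERS', 'CRYPTO_KEY']) {
    if (!env[name]) problems.push(`${name} is not set`);
    else if (PLACEHOLDERS.has(env[name])) problems.push(`${name} is still the README placeholder`);
  }
  const key = env.CRYPTO_KEY || '';
  if (key && !PLACEHOLDERS.has(key)) {
    if (key.length < 32) problems.push('CRYPTO_KEY is shorter than 32 characters');
    else if (bitsPerChar(key) < 3.0) problems.push('CRYPTO_KEY looks non-random');
  }
  // Each memcached entry must be host:port (comma-separated list assumed).
  for (const server of (env.MEMCACHIER_SERVERS || '').split(',').filter(Boolean)) {
    if (!/^[^\s:,]+:\d{1,5}$/.test(server.trim())) problems.push(`bad memcached entry: ${server}`);
  }
  // SERVER_URL defaults to localhost:3000; anything public should be HTTPS.
  const raw = env.SERVER_URL || 'http://localhost:3000';
  try {
    const url = new URL(raw);
    const local = ['localhost', '127.0.0.1'].includes(url.hostname);
    if (url.protocol !== 'https:' && !local) problems.push('SERVER_URL must use https');
  } catch {
    problems.push(`SERVER_URL is not a valid URL: ${raw}`);
  }
  return problems;
}

// Constructed sample values. Generate a real key with:
//   node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
const weak = { API_KEY: 'certs-api-key', MEMCACHIER_SERVERS: 'cache.internal',
  CRYPTO_KEY: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', SERVER_URL: 'http://mydomain.com/' };
const ok = { API_KEY: 'constructed-api-key', MEMCACHIER_SERVERS: '127.0.0.1:11211',
  CRYPTO_KEY: '9f2c7a1e4b8d03f65c1a7e92d4b60f83a5c9e1d7f2046b8a3e5d7c9f1b204a68',
  SERVER_URL: 'https://mydomain.com/' };
console.log(validateEnv(weak), validateEnv(ok));
```

Calling validateEnv(process.env) before the server starts and exiting on a non-empty result keeps a copied README placeholder from reaching production.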

Vercel Deploy

Deploy to Vercel in one click with this button

Deploy with Vercel

Contributors: cykoder, mike-parkhill, maycon-mello
