hicommonwealth / commonwealth

A platform for decentralized communities
https://commonwealth.im
GNU General Public License v3.0

Integrate Telegram Login Option via Magic IDP for Crypto Users #9025

Open dillchen opened 2 weeks ago

dillchen commented 2 weeks ago

Description

We need to add an integration for Telegram login as an option via Magic IDP for our crypto-native users. This involves enabling users to log in through the Telegram Widget or directly via an associated Telegram Mini App.

Project Owner

@dillchen

Bucket ID

No response

User Stories / Acceptance Criteria

  1. Users can log in using the Telegram Widget seamlessly.
  2. The login flow should support direct login URL via the associated Telegram Mini App.
  3. The integration should work in tandem with the existing Magic SSO, with clear documentation on how it interacts.
  4. Ensure compatibility with both Magic’s OIDC and the specific Telegram bot login requirements.
  5. Successful verification of Telegram user data with the bot’s token.

Question: We need to clarify if there is any overlap or conflict with the upgrade(s) to Magic SSO and how this impacts the integration #8989

Design Devlink

No response

Design Screenshot

No response

Additional Context

The integration is crucial due to Telegram’s role as a major platform for crypto-native interactions, and a potential partnership with TON.

dillchen commented 2 weeks ago

Pseudocode for Telegram Login Integration via Magic IDP

Here's high-level pseudocode outlining how to integrate Telegram login using Magic IDP based on the documentation provided.

# Pseudocode: Integrate Telegram Login with Magic IDP
#
# The Telegram bot token and the OIDC signing key live only on our server.
# The browser embeds the widget, forwards the widget payload to our backend,
# and hands the OIDC JWT it gets back to Magic.

# Step 1: Setup Magic SDK with OIDC Extension (browser)
initialize magic_sdk with Magic_API_key
add OpenIdExtension to magic_sdk

# Step 2: Setup Telegram Bot and Widget
initialize telegram_bot with Telegram_Bot_Token       # server-side secret, never shipped to the browser
configure telegram_widget with Bot_Username and domain   # domain registered for the bot via @BotFather

# Embed Telegram Widget in Web Page
embed telegram_widget_script in HTML
configure onTelegramAuth callback to handle login response

# Step 3: User Authentication Flow

# Browser side: forward the widget payload to the backend, then log in with the JWT it returns
function onTelegramAuth(user_data):
    response = POST /auth/telegram with user_data
    if response.status != 200:
        display_error("Login failed: Verification failed")
        return

    # Login with OIDC Token via Magic
    did_token = magic.openid.loginWithOIDC({
        jwt: response.oidc_token,
        providerId: magic_provider_id
    })

    # Handle successful login
    if did_token is valid:
        redirect_user_to_dashboard()
    else:
        display_error("Login failed: Invalid OIDC Token")

# Server side: verify the payload with the bot token, then mint the OIDC JWT
function handle_telegram_auth(user_data):
    if not verify_telegram_data(user_data, Telegram_Bot_Token):
        return 401 "Verification failed"

    oidc_token = generate_oidc_token(user_data['id'], user_data['username'], user_data['auth_date'])
    return 200 { oidc_token: oidc_token }

function verify_telegram_data(user_data, bot_token):
    # data_check_string: every received field except `hash`, sorted by key,
    # joined as "key=value" lines with "\n" (Telegram Login Widget spec)
    data_check_string = "\n".join(sorted(key + "=" + value for (key, value) in user_data if key != 'hash'))
    secret_key = sha256(bot_token)
    calculated_hash = hmac_sha256(key=secret_key, message=data_check_string) as hex

    if not constant_time_equal(calculated_hash, user_data['hash']):
        return false
    # A valid hash can be replayed later: auth_date is the Unix time Telegram signed it
    if now() - user_data['auth_date'] > MAX_AUTH_AGE:
        return false
    return true

function generate_oidc_token(user_id, username, auth_date):
    # Signed by our own issuer or an external identity provider (e.g. Auth0) that is
    # compatible with Magic's OIDC extension. `iss` and `aud` must match the values
    # registered with Magic in Step 4; `sub` is the stable Telegram numeric id, not
    # the changeable username; keep `exp` short since the token is used once.
    claims = { iss: issuer, aud: audience, sub: user_id, preferred_username: username,
               iat: now(), exp: now() + short_ttl }
    return external_idp.sign_jwt(claims)

# Step 4: Integration with Magic OIDC
function configure_magic_oidc():
    POST to https://api.magic.link/v1/api/magic_client/federated_idp with:
        - issuer: "https://auth.yourdomain.com"
        - audience: "Your Audience ID"
        - display_name: "Your Display Name"
        - sandbox_mode: true/false based on environment
    store the returned providerId for future logins

# Step 5: Updating Magic OIDC Configuration
function update_magic_oidc():
    PATCH to https://api.magic.link/v1/api/magic_client/federated_idp/{providerId} with:
        - new issuer, display_name, etc.

# Step 6: Error Handling
handle_errors {
    - Invalid OIDC Token
    - Failed Verification (bad hash, stale auth_date)
    - Magic API errors
}

Feasibility

Based on the documentation provided, the integration seems feasible. The key steps involve:

  1. Setting up the Magic SDK with OIDC: This allows us to authenticate users via OIDC tokens generated from an external IDP like Telegram.
  2. Configuring Telegram Bot and Widget: This step is straightforward, following Telegram’s setup guide.
  3. User Authentication and Verification: Verifying Telegram’s user data is crucial and can be done via HMAC-SHA-256.
  4. OIDC Integration with Magic: This involves setting up and configuring the OIDC provider with Magic to handle JWTs.

Follow-up Questions

  1. Identity Provider (IDP): What IDP will be used for generating the OIDC tokens? Is it something like Auth0, or will we be building this ourselves?
  2. Existing Infrastructure: Is there an existing OIDC integration or will this be a fresh setup? Are there any existing identity providers already configured with Magic?
  3. Security Considerations: How strict are the security requirements for this login flow, especially around handling and storing JWTs and other sensitive data?
  4. Error Handling: What are the specific error codes or edge cases we need to handle, particularly with Magic's OIDC extension?
  5. Environment Setup: Will this be initially set up in a sandbox/test environment, or are we going directly to production?