Closed BoiseITGuru closed 2 years ago
thanks for the submission @BoiseITGuru. could you also add the USD proposal to each milestone for our review? thanks!
@alxflw Certainly! When we originally copied the issue template it still had the option for leaving them TBD to allow your team to propose amounts. I have a meeting with the rest of the team tomorrow afternoon; we will discuss this and will get back to you ASAP.
Few questions:
- How do you solve privacy concerns of end-users?
- How do you solve privacy concerns of dapps? Not all dapps want to expose their user-base on a public blockchain.
- How do you comply with regulations such as GDPR?
@chandanworkacct 1 & 2. We are using String/Password-Based Asymmetric Key Derivation to encrypt data at the Identity Provider level. Depending on what type of data is used, the strings or "passwords" used to create the keys are generated using one or more unique salts from either the dapp and/or the Identity Provider. For example, regarding your reference in question 2 to dapps not wanting to expose their user-base to the public: any specific identifiers of the dapp or end user would be stored as an encrypted string on-chain, requiring you to know the encrypted value of the dapp's and end-user's identifiers to search for the user's account public resource capability for that auth-system, and then to decrypt their user data to access their roles and permissions. In the case of logging in the end user, this encryption and decryption (or, as I like to think of it, "data translation") is handled by the Identity Provider and our SDKs during the account-proof verification process.
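The comment above describes deriving keys from a string plus dapp- and Identity-Provider-supplied salts, then storing identifiers on-chain in a form that can only be matched by someone who can reproduce that derivation. The following is an added illustration of that lookup pattern, not AuthFlow's or EmeraldID's code: it assumes PBKDF2-HMAC-SHA256 as the string-based KDF (the comment does not name one) and uses a keyed HMAC of the identifier as the deterministic "encrypted" lookup value. The salts, passphrase and identifiers are constructed test values.

```python
import hashlib
import hmac

# Constructed sample salts. In the scheme described above one salt comes from
# the dapp and one from the Identity Provider; a real deployment would generate
# each with os.urandom(32) and keep both out of public chain state.
DAPP_SALT = bytes.fromhex("7f" * 32)   # constructed
IDP_SALT = bytes.fromhex("a1" * 32)    # constructed

# Work factor for PBKDF2; tune to current guidance for your hardware.
PBKDF2_ITERATIONS = 100_000


def derive_auth_system_key(passphrase: str, dapp_salt: bytes, idp_salt: bytes) -> bytes:
    """Derive a 32-byte key from a string/passphrase and both salts.

    Hashing the two salts together means neither the dapp nor the Identity
    Provider can reproduce the key from its own salt alone.
    """
    combined_salt = hashlib.sha256(dapp_salt + idp_salt).digest()
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), combined_salt, PBKDF2_ITERATIONS, dklen=32
    )


def lookup_token(key: bytes, identifier: str) -> str:
    """Deterministic keyed token for an identifier.

    The same key and identifier always produce the same token, so it can serve
    as an on-chain lookup key; without the key the identifier cannot be
    recovered from the token or even tested against a guess.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def register_user(registry: dict, key: bytes, identifier: str, record: dict) -> str:
    """Store a user record under its lookup token (registry stands in for chain state)."""
    token = lookup_token(key, identifier)
    registry[token] = record
    return token


def find_user(registry: dict, key: bytes, identifier: str):
    """Resolve an identifier to its stored record; returns None if unknown."""
    return registry.get(lookup_token(key, identifier))


if __name__ == "__main__":
    key = derive_auth_system_key("constructed-passphrase", DAPP_SALT, IDP_SALT)
    registry = {}
    register_user(registry, key, "user@example.com", {"roles": ["editor"]})
    print(find_user(registry, key, "user@example.com"))
```

Two properties matter for review here: the same identifier yields different tokens under different dapp salts, so a public registry does not by itself let an observer correlate one user across dapps; and the KDF cost only slows guessing of the passphrase, not of the identifier, so if the derived key is ever exposed, low-entropy identifiers (e-mail addresses, usernames) can be recovered by dictionary matching against the public tokens.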
Hi @BoiseITGuru!
Thanks for your previous responses and the additional details - I have 2 follow-up questions for you:
Hi @BoiseITGuru - just wanted to follow up again on the two questions above so that we can push the review of this proposal forward, thanks!
Hi @BoiseITGuru - I'm going to close this issue out for now, but please feel free to re-open if/when you're ready to dive back in. Thanks!
AuthFlow: AuthFlow is an Identity & Access Management (IAM) system secured by the Flow Blockchain
Grant category
Description
AuthFlow is an on-chain Identity & Access Management system and a replacement for services like Amazon’s AWS IAM or Microsoft’s Azure Active Directory, secured by the Flow Blockchain. Working in partnership with Emerald City DAO, EmeraldID will be updated to be the sole public Identity Provider for AuthFlow.
Problem statement
Current blockchain-based authentication methods typically only allow a developer to confirm who a user is, and the developer has to utilize other Web2 authentication methods and services (ex. Auth0, Okta) to do anything beyond smart contract interactions. As we move into a Web3 world there are still many use cases that require secure access to Web2 technologies, such as role-based access control to an app’s functions or a simple backend.
How it Works Today
As a developer creating an application, you want to provide secure access to your app. You allow users to log in using their Web3 Wallets, in the case of the Flow blockchain this is a multi-step process that provides you with a user identifier (Flow address) proving ownership of their on-chain account. This process is done through the FCL account proof process which provides functionality to prove a user is in control of a Flow address. All other aspects of authentication, authorization and session management are up to the application.
This current Web3 solution puts a heavy burden on the DApp developer(s) requiring them to write an extensive backend system to manage user access and authorized access to functionality.
Proposed solution
AuthFlow is an on-chain Identity & Access Management system, essentially a replacement for services like Amazon’s AWS IAM, Microsoft’s Azure Active Directory, and Auth0. Utilizing the Flow Blockchain, AuthFlow will return control of user identification and authentication to the app developer and end-users by merging Web3 with known authentication methods like JWT and OAuth 2.0.
Each app will create its own AuthSystem with an Identity Provider that can be managed by multiple AuthSystemAdmins. To ensure the integrity of the Authentication System, once the contract is deployed, all keys will be removed from the account. This prevents any future modification of the contracts that change the way the system authenticates users.
AuthFlow is THE security solution for developers and end-users operating across Web2 and Web3 spaces. The functionality can be defined as an Identity Provider and Password Manager merged into one. Your wallet interacts with Web2 as a password manager across all websites and also serves as your identity provider on Web2 and Web3.
Identity Providers
Server/Client SDKs
Impact
Let’s face it, getting authentication right is complicated and one screw-up can lead to costly data leaks. The AuthFlow SDKs allow you to secure both your front and backend resources with easy-to-use methods that will verify which roles/permissions the user has, as well as evaluate any access policies to ensure users only have access to authorized resources.
The server SDKs not only allow you to protect server-side resources but also allow you to stand up your own Identity Provider server that supports JWT, OAuth 2.0, and SAML 2.0 authentication methods.
Currently, the security measures present in Web2 authentication offered by identity providers like Auth0, Amazon’s AWS IAM, or Microsoft’s Azure Active Directory are superior to those on Web3. Not only does AuthFlow protect its users from vulnerabilities in the Web3 space, but it will also tighten user security across Web2 sites.
AuthFlow is THE security solution for developers and end-users operating across Web2 and Web3 spaces.
Milestones and funding
- Emerald Shield contract audits may require rewrites to the SDK specifications, which would extend the overall project timeline.
- Audits of the server and client SDKs may require rewrites to the SDK specifications, which would extend the overall project timeline.
- Upgrading EmeraldID to be an AuthFlow identity provider could require rewrites to the EmeraldID contract.
- The FCL-Swift SDK has not been completed yet and specifically does not support account proofs yet; however, the FCL-Swift SDK team received a grant to complete the SDK, with the current timeline estimate showing completion before work on the Swift SDK is required.
Team
His lifelong mission of helping businesses grow through the better use of technology has led to him becoming proficient in PHP, NodeJS/JS, Swift, Go, and now Cadence.