travis
commented
1 year ago This all makes sense to me! Couple nit-ish questions about the pin code stuff:
It contains rendering of pin code as android lock pattern Page renders android lock pattern asking user to draw it
I can't quite tell what we're trying to accomplish with this pin code - there are a couple possible UX goals I can think of:
1) to provide the user with assurance that they are receiving a legitimate email auth request 2) to provide us (the service) with assurance that the person confirming an email auth request is the person who initiated it (ie, in w3cli or an app using w3ui)
If I'm reading the above correctly the pin is for (1) in this case - we send the pin in the email and then ask the user to draw it to make double sure that they've paid attention to it - is that correct?
I'd like to at least talk through the potential benefits of (2) above - I think the only difference from what you've described above is that we would not include the PIN in the email we send to the user. By requiring them to provide it separately we'd have a fairly strong guarantee that the user clicking the link in the email and granting permissions is the person who initiated the capabilities request process in w3cli or w3ui, which would give us a fairly strong justification for sending the delegations to that user.
Does this sound right or am I missing/misunderstanding some detail here?
Our current authorization flow is not great, because:
So here is what I had been imagining instead with a goals of:
Here is what I imagine in terms of flow
access/requestspecifying capabilities it requires to function (on demand).did:mailto:derived from user specified email address.access/requestfor somedid:mailto:we resolve account email & derive temporary session principal that can act on behalf of account.*from account to session principal (valid for 15 mins) & associated attestation from us (which we persist withaccess/delegate)consumer/addcapability to the account DID (if we already have it it's a noop)access/requestand generated pin to an account email addressaccess/requestencoded as query params.access/claimin order to get delegations allowing it to act on behalf of account did.access/claimwith account DID.access/requestand renders UI allowing user to grant / select matching capabilities that account has.consumer/add.access/requestreceipt with account DID and user selected capabilities.access/grantwith an ☝️ receipt to us.access/grantcapabilityaccess/delegate.I know this is complicated, but it is complicated for us and not a user or a app dev. Let's also look how this achieves stated goals
App/Agent only gets privileges that user has selected regardless if user had an account and a space yet or not.
App/Agent never has to worry about spaces they just request some capabilities and receive them if user grants them. They don't have to ask user for email or anything ahead of time they just do it on demand. Although we may want to remove email loop on repeated requests.
User clicks link in the email and either clicks "grant" or "create space" and then "grant".
Notice that at every step user is in charge. We derived session keypair and send a link to our authentication page however user could use alternative if they so choose because it's just pin code and account from which all is derived. In other words user could use e.g. native app or a third party app that will do all the steps that our authentication page does.
Also notice that while we have access to the session keypair it has only authority to act on behalf of account for 15mins which is just enough to complete the authorization flow. If that keypair leaks after that time there is no consequences as it does not stay in delegation chains.