Open klesun opened 1 year ago
We could use the https://auth.unstoppabledomains.com/userinfo API from the server to validate the accessToken, but I don't see a way to confirm that this access token was issued for our client ID, so the owner of any other website using uauth would be able to impersonate a user on our website using an accessToken issued on their website.
Hello. I'm trying to integrate web3 authentication through your service on my website, following: https://docs.unstoppabledomains.com/login-with-unstoppable/get-started-login/#step-3-display-the-users-domain
When I pass the authentication result from the frontend, I succeed in verifying that the signature matches the message, but I can't find any means in the documentation to prove that the message belongs to my Client ID/domain when I want to issue a session token for the user on my server. Without that proof, any other website could use their own message/signature to forge the identity of a user on my website.
All EIP-4361 messages that uauth asks the user to sign seem to be exactly the same on every domain and with every client ID. They differ only in the nonce.
Is there a way, perhaps, to determine that an authentication belongs to my client ID by this nonce? Or to somehow pass a custom nonce or an identifiable extra EIP-4361 field to the message before offering it to the user to sign? Or perhaps there is a REST API that I could call from the server to confirm that this signature was indeed issued for my website and not for some other one?
https://en.wikipedia.org/wiki/Replay_attack
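Added example (not code from this issue or from uauth): the relying-party checks that close the gap described above once the signed EIP-4361 message carries the site's own domain/URI and a nonce the server handed out, with the nonce consumed on first use so a captured signature cannot be replayed. The sample message, address, domain and nonce are constructed; whether uauth lets a client set those fields is exactly what this issue asks.

```python
import re
from datetime import datetime

# Constructed sample in the EIP-4361 layout; address, domain and nonce are made up.
SAMPLE_MESSAGE = """example.com wants you to sign in with your Ethereum account:
0x1234567890AbcdEF1234567890aBcdef12345678

URI: https://example.com/login
Version: 1
Chain ID: 1
Nonce: 8f2c9e1a4b7d3f60
Issued At: 2024-01-01T12:00:00Z
Expiration Time: 2024-01-01T12:10:00Z"""

HEADER = re.compile(r"^(?P<domain>\S+) wants you to sign in with your Ethereum account:\n(?P<address>0x[0-9a-fA-F]{40})$")

def parse_siwe(message):
    """Split an EIP-4361 message into a dict of its header and 'Key: value' fields."""
    head, _, rest = message.partition("\n\n")
    m = HEADER.match(head)
    if not m:
        raise ValueError("not an EIP-4361 message")
    fields = {"domain": m.group("domain"), "address": m.group("address")}
    # An optional statement may sit between the header and the field block.
    for line in rest.split("\n\n")[-1].splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return fields

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_binding(fields, expected_domain, expected_uri, issued_nonces, now_iso):
    """Return the reasons to reject; an empty list means the message is bound to this site.
    issued_nonces is the server's set of outstanding nonces; a nonce is removed on first use."""
    problems = []
    if fields.get("domain") != expected_domain:
        problems.append("domain does not match this site")
    if not fields.get("URI", "").startswith(expected_uri):
        problems.append("URI does not belong to this site")
    nonce = fields.get("Nonce")
    if nonce not in issued_nonces:
        problems.append("nonce was not issued by this server or was already used")
    else:
        issued_nonces.discard(nonce)  # single use: a replayed signature fails here
    exp = fields.get("Expiration Time")
    if exp and _ts(now_iso) > _ts(exp):
        problems.append("message has expired")
    return problems
```

Signature recovery (which the issue author already has working) goes before these checks; they only decide whether a validly signed message was meant for this site and this login attempt.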