Authentication Scheme
Amazing path @erikzhang ! It was less than a month ago that @vncoelho and I had a discussion on the matter. Structure looks nice, it would be interesting to provide some example perhaps, with Alice and Bob, and maybe some contextualization over existing OAuth 2. Neo can certainly be such a pioneer, especially with oracle technology.
Any comment? @neo-project/everyone
Rename nonce to UUID?
To prevent site A from using site B's QR code to trick you into logging in, we should add the website name to the Challenge payload. When you scan the code, you will be prompted with "You will be logged in to **** website". It's like having the website name in the SMS verification code.
Do we need to add an expiration timestamp to the Challenge payload?
To prevent site A from using site B's QR code to trick you into logging in, we should add the website name to the Challenge payload. When you scan the code, you will be prompted with "You will be logged in to **** website". It's like having the website name in the SMS verification code.
The challenge payload will also need to be signed by the website (or the attacking site can just modify it)
Rename nonce to UUID?
It's not UUID. It is a one-time random number.
Do we need to add an expiration timestamp to the Challenge payload?
I don't think it's necessary.
To prevent site A from using site B's QR code to trick you into logging in.
In QR mode, there is a callback field. The client should show the domain of the callback url to the user. And the user can verify whether the website they are logging in to is that domain name.
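The two points raised in the thread, that the challenge payload must be signed by the website so a relaying site cannot alter it, and that the client should derive the name it shows the user from the callback URL, can be put together in a small client-side check. The following is an added example written for this discussion; it is not code from the Neo project or from any commenter. Only the `nonce` and `callback` field names come from the thread; the `sig` field, the prompt text, the HTTPS requirement and the constructed key are assumptions. The HMAC tag is a labelled stand-in for the website's real signature over the payload (an asymmetric signature over the same bytes would play the same role without a shared key).

```python
"""Client-side verification of a QR-login challenge payload (added example).

The website signs {nonce, callback}; the client refuses any payload whose
signature does not verify, then shows the user the domain taken from the
callback URL.  A relaying site that re-uses another site's QR code cannot
change the callback without breaking the signature, and the user sees the
real site's domain in the prompt.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Constructed key standing in for the website's signing key (assumption:
# a real deployment would use an asymmetric key pair, not a shared secret).
SITE_KEY = b"constructed-demo-key-for-example-only"


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_challenge(callback: str, key: bytes = SITE_KEY) -> dict:
    """Website side: build a challenge with a fresh one-time nonce and sign it."""
    body = {"nonce": secrets.token_hex(16), "callback": callback}
    body["sig"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_challenge(challenge: dict, key: bytes = SITE_KEY) -> str:
    """Client side: check the signature, then return the domain to show the user.

    Raises ValueError if the payload was altered or the callback is not an
    https URL with a host, so the client never displays an unverified domain.
    """
    body = {k: v for k, v in challenge.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge.get("sig", "")):
        raise ValueError("challenge signature does not verify")
    parts = urlsplit(body["callback"])
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("callback must be an https URL with a host")
    return parts.hostname


def login_prompt(challenge: dict, key: bytes = SITE_KEY) -> str:
    """The text the scanning client shows before the user confirms."""
    return f"You will be logged in to {verify_challenge(challenge, key)}"


if __name__ == "__main__":
    good = issue_challenge("https://site-b.example/auth/callback")
    print(login_prompt(good))
    # A relaying site edits the callback to point at itself: rejected.
    tampered = dict(good, callback="https://site-a.example/auth/callback")
    try:
        login_prompt(tampered)
    except ValueError as err:
        print("rejected:", err)
```

The domain shown to the user is taken from the signed `callback` field rather than from a separate free-text name, so there is nothing for the client to trust that the website did not already commit to under its signature; a nonce-only payload, by contrast, gives the scanning client nothing to display and nothing to check.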