nips icon indicating copy to clipboard operation
nips copied to clipboard
verified publisher icon nostr-protocol

NIP-97 Login with Nostr

Open Semisol opened this issue 1 year ago • 26 comments

This spec proposes a simple login flow to allow easy authentication to services like nostr.build without having to deal with DM verification or other confusing flows.

Semisol avatar Feb 12 '24 20:02 Semisol

Looks good, as long as the server doesn't use the identifier as the session cookie.

created_at check (must be < 5 minutes from the request) could also be performed.

vitorpamplona avatar Feb 12 '24 20:02 vitorpamplona

Looks good, as long as the server doesn't use the identifier as the session cookie.

created_at check (must be < 5 minutes from the request) could also be performed.

The identifier is associated with the session cookie in some way, but it shouldn't be it. The created_at check is a part of NIP-98 and services can also determine when to expire a login string.

Semisol avatar Feb 12 '24 21:02 Semisol

Why not use NIP-98?

EDIT: I see NIP-98 is already a part of this. I don't understand what this is solving.

alexgleason avatar Feb 12 '24 21:02 alexgleason

I don't get this at all. What happens when you click? Who is going to handle that link? I think it's better to let websites come up with their own login process using NIP-98. Maybe recommend a common pattern on that NIP.

fiatjaf avatar Feb 12 '24 21:02 fiatjaf

I don't get this at all. What happens when you click? Who is going to handle that link? I think it's better to let websites come up with their own login process using NIP-98. Maybe recommend a common pattern on that NIP.

not everyone has an extension. the point of this is if you don't have an extension, you could just scan a QR code/click a link and prove you control an npub without inputting your nsec everywhere.

Semisol avatar Feb 14 '24 22:02 Semisol

What about NIP-46?

fiatjaf avatar Feb 14 '24 22:02 fiatjaf

not everyone has an extension. the point of this is if you don't have an extension, you could just scan a QR code/click a link and prove you control an npub without inputting your nsec everywhere.

I missed the part where you prove anything. Is that part of this NIP? How does clicking a link prove anything? Maybe it is just missing a sentence where this is explained.

mikedilger avatar Feb 15 '24 07:02 mikedilger

cc @danieldaquino for review since you introduced a similar flow for damus purple

jb55 avatar Feb 15 '24 18:02 jb55

not everyone has an extension. the point of this is if you don't have an extension, you could just scan a QR code/click a link and prove you control an npub without inputting your nsec everywhere.

I missed the part where you prove anything. Is that part of this NIP? How does clicking a link prove anything? Maybe it is just missing a sentence where this is explained.

The request has a nip-98 header

Egge21M avatar Feb 15 '24 18:02 Egge21M

not everyone has an extension. the point of this is if you don't have an extension, you could just scan a QR code/click a link and prove you control an npub without inputting your nsec everywhere.

I missed the part where you prove anything. Is that part of this NIP? How does clicking a link prove anything? Maybe it is just missing a sentence where this is explained.

your client sends a POST request that is authenticated with your public key (NIP-98) with an identifier in the login link

Semisol avatar Feb 17 '24 23:02 Semisol

What about NIP-46?

@fiatjaf This is for use cases where you don't need signing access and only need to prove your ownership of a key.

Semisol avatar Feb 18 '24 20:02 Semisol

@Semisol do you have any server where this was implemented already? I need to test Amethyst's implementation of this.

vitorpamplona avatar Feb 27 '24 14:02 vitorpamplona

@Semisol do you have any server where this was implemented already? I need to test Amethyst's implementation of this.

I'll implement one on nostr.build in the next couple of days.

fishcakeday avatar Mar 02 '24 03:03 fishcakeday

This looks good I will implement it also.

fabianfabian avatar Mar 02 '24 17:03 fabianfabian

For testing: https://media.utxo.nl/nip97test/nip97login.php

fabianfabian avatar Mar 03 '24 15:03 fabianfabian

For testing: https://media.utxo.nl/nip97test/nip97login.php

@fabianfabian I don't think your server properly enforces NIP-98. It expects the event to have a u tag containing only the URL without the query parameters and then the i query parameter is in a separate tag. But if you look at the spec for NIP-98, the u tag should include the entire absolute request URL including query parameters.

TheRebelOfBabylon avatar Apr 13 '24 01:04 TheRebelOfBabylon

For testing: https://media.utxo.nl/nip97test/nip97login.php

@fabianfabian I don't think your server properly enforces NIP-98. It expects the event to have a u tag containing only the URL without the query parameters and then the i query parameter is in a separate tag. But if you look at the spec for NIP-98, the u tag should include the entire absolute request URL including query parameters.

I'm checking the i tag for the challenge but I see the spec doesn't describe it like that, not sure what happened there probably I read it too quick, I'll update the test code later, this is the current test code: https://gist.github.com/fabianfabian/0c68d75aeb84860dcd7fc2995ec98af6

fabianfabian avatar Apr 13 '24 09:04 fabianfabian

I've also implemented a server for testing but only accessible via REST API: https://git.rebelofbabylon.com/api/v1/login

TheRebelOfBabylon avatar Apr 14 '24 04:04 TheRebelOfBabylon

I really like this spec, and I think it will be very useful.

Only thing I would add to it is an optional redirect_url field to the JSON response from the server, but otherwise it looks good to me.

agreed, this is pretty important.

jb55 avatar Apr 29 '24 20:04 jb55

What are the security trade-offs? I am assuming it's less secure than NIP-98, but it's not 100% clear how. Perhaps a security considerations section in the NIP could explain more.

melvincarvalho avatar Jun 04 '24 14:06 melvincarvalho

What are the security trade-offs? I am assuming it's less secure than NIP-98, but it's not 100% clear how. Perhaps a security considerations section in the NIP could explain more.

You cannot compare apples to oranges

Semisol avatar Jun 04 '24 14:06 Semisol

Security concerns: Domain compromise could impact login systems, potentially harming Nostr's reputation. Motivation and security surface would benefit from further elaboration.

Existing efforts: Consider ongoing Nostr integration with Oauth/OIDC for new authentication methods.

Suggestion: Future auth NIPs should include a comparison section:

  • Comparison with existing auth methods, e.g. nostrlogin, nip98, nwc, nsecbunker, there's more ongoing oauth and oidc integrations ive seen too
  • Advantages offered
  • Use cases
  • Adoption status

Concept NACK: Needs clearer explanation and/or broader adoption to justify implementation (IMHO).

Just my 2 cents.

melvincarvalho avatar Jun 05 '24 19:06 melvincarvalho

Aside: would we benefit from a label: auth, for auth related PRs?

melvincarvalho avatar Jun 05 '24 19:06 melvincarvalho

@Semisol do you have any server where this was implemented already? I need to test Amethyst's implementation of this.

I'll implement one on nostr.build in the next couple of days.

@fishcakeday is this available on nostr.build? I want to try it out

fabianfabian avatar Jul 04 '24 15:07 fabianfabian

Security concerns: Domain compromise could impact login systems, potentially harming Nostr's reputation. Motivation and security surface would benefit from further elaboration.

Existing efforts: Consider ongoing Nostr integration with Oauth/OIDC for new authentication methods.

Suggestion: Future auth NIPs should include a comparison section:

  • Comparison with existing auth methods, e.g. nostrlogin, nip98, nwc, nsecbunker, there's more ongoing oauth and oidc integrations ive seen too
  • Advantages offered
  • Use cases
  • Adoption status

Concept NACK: Needs clearer explanation and/or broader adoption to justify implementation (IMHO).

Just my 2 cents.

The main usecase we had is that we wanted to explicitly give memberships to npubs to have the ability to display stars on profiles and to give them a purple member number, I see this as more of a thing for niche thing for specifically verifying that a user controls a key to an npub, not as a generic login mechanism, although its true its likely this will be abused for that.

I think pushing npubs as a login mechanism is a bit sketchy, because once your key leaks you basically have doors wide open into all the websites you visit. Maybe we should make this explicit in the NIP that this should be probably just be used as a two factor mechanism or for niche use cases like verifying a user controls a key to an npub? Not as a main login mechanism.

jb55 avatar Jul 05 '24 15:07 jb55

I think pushing npubs as a login mechanism is a bit sketchy, because once your key leaks you basically have doors wide open into all the websites you visit. Maybe we should make this explicit in the NIP that this should be probably just be used as a two factor mechanism or for niche use cases like verifying a user controls a key to an npub? Not as a main login mechanism.

Not even as two factor. The intent for this NIP was to allow easy login to services already linked to your nostr account, like relays, media hosts or NIP-05 providers.

Semisol avatar Jul 05 '24 20:07 Semisol