NimiqID Authenticate with your Nimiq Account

The general idea came from Telegram: Enable Nimiq Account Authentication on the Nimiq forum.

By signing a message, a user can prove they own certain Nimiq Account. By adding text to the message they could also choose or change their username.

The first step of the project could be to create a SSO server that can be self-hosted. Maybe add it to NWM.

Second step would be to create a Discourse Plugin that connects to sso using the existing Discourse functionality.

Just some ideas. Discussion is appreciated.

As far as I know the new Nimiq KeyGuard/AccountsManager will also allow to sign arbitrary messages. @NimiqSoeren probably knows more about it.

Yes, ‘single-sign-on’ functionality is planned to be supported by the new accounts manager via signed messages. However, the first version will likely not include message signing, as we are not sure about the design and the API for that yet.

But we have it in our minds.

Sounds really neat, could even do something akin to 2 factor authentication that requires you to sign some message.

I’m thinking about the format for such a ‘NimiqID’. What parameters are required and should be supported by the format.

I’m thinking the Keyguard would set the current UTC datetime and the caller origin url into the message, also a version number for the standard.

Then I would allow a data field that could be filled with a JSON object by the calling application with whatever extra info they need signed.

What do you think? Are there other properties such a system must provide?

The result of the request would be the signed message (as an Uint8Array buffer), the signer’s public key and the signature also as Uint8Arrays. Those would then have to be validated by the application to grant access. The address of the login can be determined from the pub key.

Hmm in terms of a log in system that sounds good, but my interest in signed messages through the keyguard is in it’s rawest form. Whether we send a JSON object in the data field or a String doesn’t matter too much to me because we can always stringify JSON. I’ve done some research on a Nimiq Address sign in system (instead of user names and passwords, although just for a single site not SSO or 2 factor through signing) for months but it’s useless if I have to ask the user for their key manually, that’s worse than a password.

I was looking forward to keyguard so that the Devs can do whatever they want with the ability to sign messages. I wouldn’t try to bake too much into the keyguard and instead let things get built on top of it, and you could always bake more in at a later point. Personally I always envisioned the Keyguard as a thin interface allowing interaction with the user’s PKs through requests without those PKs being revealed to the developer directly, similar to how Metamask works with Web3JS.

That’s exactly how we see the new Keyguard as well. An app with a defined API to interact with the secure priv keys inside the keyguard, without leaking anything. It’s Nearly done, and will then go into its audit phase. We are still targeting end of the quarter for it.

This is great! Could this be rolled out to merchants? One of the biggest ideas I would like to see from Nimiq is the ability to use it as a payment and log-in method for onlines newsites/blogs/magazines/etc. Being able to pay with Nimiq or access paywall sites with a stored nimiqID would be great for the user. I think alot of media companies would warmly welcome it as well.

Single-Sign-On would be amazing to have. I’d need it for the XPBots on Discord and Telegram.

I don’t think a self-hosted SSO server is user-friendly though.
How about an append-only hash chain that gets a new block with every sign-in or sign-out? Because the amount of data is small enough, Nimiq servers, S3 or company-backed IPFS nodes could host the auth chains.

Ideally, there would be an OAuth2-like API for any app to use.

Keybase shows how it’s really done! They have a Merkle tree that saves all users on the platform and their keys. A typical login proof of login looks like this: https://gist.github.com/terorie/26877f0d6f9cb05a0e9fafd8a8d71b37