Topic: [BIP][Draft] BitID - "Connect with Bitcoin" protocol (Read 22784 times)

hero member
Activity: 905
Merit: 1001
nice ledgerwallet!
sr. member
Activity: 360
Merit: 250
CEO, Ledger
Ledger Wallet (hardware wallet) supports BitID.
Video demonstration here: https://www.youtube.com/watch?v=6vGxgLB6Y0w

Code is pretty straightforward:

Code:





full member
Activity: 197
Merit: 100
An OAuth BitID server would be nice, to be able to integrate with existing apps that support OAuth without the need to learn another auth flow. Anybody working on this, maybe?

Let's crowdfund one.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Thanks - very interesting.
donator
Activity: 544
Merit: 500
Video is a bit of a problem for me - is there a written reference of what you did?
I typed "ssh localhost", it displayed a QR code and I used my phone (with skubit BitID client) to scan and authenticate it.

In the second attempt, I copy-pasted the BitID URL into a browser and replaced "bitid://" with "http://"; the QR code showed in the browser instead of the terminal, and I also scanned & authenticated.

Sorry the video is fuzzy.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Video is a bit of a problem for me - is there a written reference of what you did?
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
After a long fight, I managed to add QR code output and http callback to Jay's libpam-bitid. Now you can use your mobile phone to authenticate an ssh session. It works for sudo as well, and probably anything that can output the QR code into the terminal. It probably wouldn't work for a graphical session manager / screensaver.
I made a youtube video to show how cool it is: https://www.youtube.com/watch?v=U6I4HuzSTM0.

this is pretty cool.
donator
Activity: 544
Merit: 500
After a long fight, I managed to add QR code output and http callback to Jay's libpam-bitid. Now you can use your mobile phone to authenticate an ssh session. It works for sudo as well, and probably anything that can output the QR code into the terminal. It probably wouldn't work for a graphical session manager / screensaver.
I made a youtube video to show how cool it is: https://www.youtube.com/watch?v=U6I4HuzSTM0.
donator
Activity: 544
Merit: 500
libpam-bitid: A PAM module to use a bitcoin address for credentials.

This is a linux PAM implementation of the BitID protocol. Linux system access is granted using just a bitcoin address.
After a long fight, I managed to add QR code output and http callback to Jay's libpam-bitid. Now you can use your mobile phone to authenticate an ssh session. It works for sudo as well, and probably anything that can output the QR code into the terminal. It probably wouldn't work for a graphical session manager / screensaver.

You can find the fork at https://github.com/PeterSurda/libpam-bitid

Cheers,
Peter
sr. member
Activity: 384
Merit: 270
They may still be a little unstable with regards to threading on Mono (which sometimes cuts a request short and strange things like that), but the code works at a prototype level.
Not sure it will help with your issues, but you may have to send additional headers to solve a problem specific to IE (IE caches XMLHttpRequest responses).
From memory, the problem was with the '/auth' call.

Quote
'Last-Modified' = ''
'Cache-Control' = 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0'
'Pragma' = 'no-cache'
newbie
Activity: 31
Merit: 0
Two things:

It works.

It's wonderful.

I love this. I'm logged in to Swarmops (my current project) before my phone has even confirmed it has transmitted the signed nonce. This is as smooth as LastPass' autologins, except it is 2FA, since it combines what you have with what you know (your phone's password, in this case).

If anybody wants to copy my C#/Asp.Net code, feel free. The relevant parts are easy to extract from Login and BitId here:
https://github.com/Swarmops/Swarmops/tree/master/Site5/Security

They may still be a little unstable with regards to threading on Mono (which sometimes cuts a request short and strange things like that), but the code works at a prototype level.

Cheers,
Rick
sr. member
Activity: 384
Merit: 270
Ok, now I know exactly what the HTTP request from Onchain looks like (which works against the BitID demo). No wonder I couldn't get it to work. The phone app doesn't use Json at all, but does a full webform post.
Interesting. I thought that all wallets were using json format to send these parameters but it's true that it's not a requirement made by the protocol.

This is what I was asking for in the spec as a sample:

Quote
POST http://dev.swarmops.com/Security/BitId.aspx HTTP/1.0
Content-Length: 272
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Host: dev.swarmops.com
User-Agent: android-async-http/1.4.4 (http://loopj.com/android-async-http)

signature=H2ooalc68rfcS%2FnEIrrCH2zUKYvjIuj%2Bp9DoQoVVkW39R3wVfNnbO7Pmd4UdkNf6FpQ%2FUGV3pfm4vrE9541za%2Fg%3D&uri=bitid%3A%2F%2Fdev.swarmops.com%2FSecurity%2FBitId.aspx%3Fx%3D4b593383a4674b83b31d066e0e87e60f8d1c1df565f568f%26u%3D1&address=14fRQCbR62EGzjPQks9XRAVRiqWhftn3dA
If you have some time, send me a PM with your comments/fixes about the draft in my previous post. I'll gather everything and send it to Eric to get something on github.


And here I was trying to interpret Json and wonder why the server did absolutely nothing...
Arfff. I know this feeling when you spend time looking for the causes of a bug and finally notice that you didn't look at the right causes. I fear it's the curse of all developers.
By the way, it's great that you work on this integration of BitId with C#. It's a great platform and I expect we see more .NET bitcoin projects thanks to efforts like yours or NBitcoin.
hero member
Activity: 707
Merit: 500
This is big.

It is enabled in the mycelium testnet app, if you want to try.
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
Do we have any idea (best wild-ass guess) when bitID may be available in the mainline Android client, something even marginally better than "between yesterday and in two forevers"?

In the case of Mycelium, we have a working demo in our dev build, but we are going to hold off until we get HD wallets finished. The reason is that without it, your BitID will only be tied to a single address, and with HD you will be able to have a different ID for different sites, all coming from the same seed used for your bitcoin addresses.
This is big.
newbie
Activity: 31
Merit: 0
Ooops. That sounds like a more serious issue.
On its side, the BitID protocol does not state any specific order for the parameters.

I may be wrong but to my knowledge, there's no notion of order in json. A lib forcing an order for json content seems to me like a bad implementation of json.

I would agree with this and I'm not certain this is even the case. I'm on a wild goose chase for bugs at this point to find out why my implementation isn't responding.

Cheers,
Rick
newbie
Activity: 31
Merit: 0
Ok, now I know exactly what the HTTP request from Onchain looks like (which works against the BitID demo). No wonder I couldn't get it to work. The phone app doesn't use Json at all, but does a full webform post.

This is what I was asking for in the spec as a sample:

Quote
POST http://dev.swarmops.com/Security/BitId.aspx HTTP/1.0
Content-Length: 272
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Host: dev.swarmops.com
User-Agent: android-async-http/1.4.4 (http://loopj.com/android-async-http)

signature=H2ooalc68rfcS%2FnEIrrCH2zUKYvjIuj%2Bp9DoQoVVkW39R3wVfNnbO7Pmd4UdkNf6FpQ%2FUGV3pfm4vrE9541za%2Fg%3D&uri=bitid%3A%2F%2Fdev.swarmops.com%2FSecurity%2FBitId.aspx%3Fx%3D4b593383a4674b83b31d066e0e87e60f8d1c1df565f568f%26u%3D1&address=14fRQCbR62EGzjPQks9XRAVRiqWhftn3dA

And here I was trying to interpret Json and wonder why the server did absolutely nothing...
sr. member
Activity: 384
Merit: 270
Sorry for the late answer. Was musing in the French subforum.

Does it have to be this (partial) URI, or is it just a header describing this section? That's unclear. I have been using a different URI, as I'm using the [WebMethod] feature of Asp.Net that lets you embed a Json-callable function on any page.
The "/callback" URI can be something else. The client should only rely on what it has received in the bitid_uri.
I think we've all followed a kind of implicit norm by reusing the same "/callback" uri but the protocol does not state any such rule.
EDIT: Here is an example of a different callback uri used in my 2FA demo (uses a "/tfa_activation_callback" uri)

Quote
   Parameters:
        uri : string - required - bitid uri used as the challenge
        signature : string - required - signature of the bitid uri
        address : string - required - address used for authentication

Can we lock down that the parameters come IN THIS ORDER? That's not explicitly written, and some implementations (like C# which I'm using) are or can be order-sensitive, even with parameter names supplied.
Ooops. That sounds like a more serious issue.
On its side, the BitID protocol does not state any specific order for the parameters.
The main problem is that such a rule would have a direct impact on wallet developers.
Thus, I think it's better if Eric answers this point.

I may be wrong but to my knowledge, there's no notion of order in json. A lib forcing an order for json content seems to me like a bad implementation of json.

newbie
Activity: 31
Merit: 0
Here are my notes, written while working on the python library. Hope it helps.

Thanks, it does! I found at least one reason my server doesn't pick up the response.

Quote
/callback

Does it have to be this (partial) URI, or is it just a header describing this section? That's unclear. I have been using a different URI, as I'm using the [WebMethod] feature of Asp.Net that lets you embed a Json-callable function on any page.

Quote
   Parameters:
        uri : string - required - bitid uri used as the challenge
        signature : string - required - signature of the bitid uri
        address : string - required - address used for authentication

Can we lock down that the parameters come IN THIS ORDER? That's not explicitly written, and some implementations (like C# which I'm using) are or can be order-sensitive, even with parameter names supplied.

Testing again now.

Cheers,
Rick
sr. member
Activity: 384
Merit: 270
Here are my notes, written while working on the python library. Hope it helps.

Quote
/callback

Request sent by the browser or the wallet as a response to a challenge. The request can be sent in two formats: JSON or HTML form.

Request

    Http method: POST

    Parameters:
        uri : string - required - bitid uri used as the challenge
        signature : string - required - signature of the bitid uri
        address : string - required - address used for authentication

    Headers:
        Content-Type : string - required = "application/json" if request sent by a wallet, otherwise server should assume a manual signing submitted via an html form (see demo)

Response

    Process completed

        Response format:
            address : string - required - address used for authentication
            nonce : string - required - session id associated to the authentication

        Http code: 200

    Process failed

        Response format:
            message : string - required(?) - message describing the error

        Http codes / messages:
            Invalid address
                Http code : 401
                message : Address is invalid or not legal
            Address is valid but not associated to an existing account
                Http code : 401
                message : Address is invalid or not legal
            Invalid BitId uri
                Http code : 401
                message : BitID URI is invalid or not legal
            Invalid signature
                Http code : 401
                message : Signature is incorrect
            Illegal nonce
                Http code : 401
                message : NONCE is illegal
            Expired nonce
                Http code : 401
                message : NONCE has expired
            Server error (problem with db, ...)
                Http code : 500
                message : Huh
            Misc error (specific to implementations by websites)
                Http code : 401
                message : [...]


/auth

Request sent by the browser to check if authentication has succeeded

Request

    Http method: GET

    Parameters: None

    Headers Cookie: stores the session id

Response

    Process completed

        Response format:
            auth : int - required - 1 if authentication successfully completed, otherwise 0

        Http code: 200

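As an added example that is not code from this thread or from any of the projects mentioned in it (the python library, Swarmops, libpam-bitid), here is a minimal Python server side for the /callback and /auth endpoints described in these notes. It accepts both encodings seen in the thread (JSON from wallets and the form-encoded post quoted earlier, which is embedded below as a sample string taken from that quote), reads the parameters into a dict so their order cannot matter, walks the 401 error table above, and sends the no-cache headers suggested for the /auth polling call. The in-memory session store, the NONCE_TTL_SECONDS lifetime, the `verify_signature` hook (a Bitcoin signed-message verifier supplied by the caller) and all function names are assumptions made for this illustration.

```python
"""Added example, not code from the thread: a minimal BitID /callback and /auth
server side. Session store, NONCE_TTL_SECONDS, the verify_signature hook and all
function names are assumptions made for this illustration."""
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlsplit

NONCE_TTL_SECONDS = 600  # assumed challenge lifetime; the notes only say nonces expire

# Form-encoded callback body quoted in the thread (android-async-http client).
SAMPLE_FORM_BODY = (
    "signature=H2ooalc68rfcS%2FnEIrrCH2zUKYvjIuj%2Bp9DoQoVVkW39R3wVfNnbO7Pmd4UdkNf6FpQ"
    "%2FUGV3pfm4vrE9541za%2Fg%3D&uri=bitid%3A%2F%2Fdev.swarmops.com%2FSecurity%2FBitId.aspx"
    "%3Fx%3D4b593383a4674b83b31d066e0e87e60f8d1c1df565f568f%26u%3D1"
    "&address=14fRQCbR62EGzjPQks9XRAVRiqWhftn3dA"
)

# Cache-busting headers recommended in the thread for the /auth polling endpoint.
NO_CACHE_HEADERS = {
    "Last-Modified": "",
    "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "Pragma": "no-cache",
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def is_valid_address(addr):
    """Base58Check test: 25 decoded bytes whose last 4 equal SHA256d of the first 21."""
    if not addr or any(c not in B58_ALPHABET for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58_ALPHABET.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each leading '1' is a zero byte
    if len(raw) != 25:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return check == raw[21:]


def nonce_from_uri(uri):
    """Extract the x= nonce from a bitid:// challenge URI (None if malformed)."""
    parts = urlsplit(uri)
    if parts.scheme != "bitid" or not parts.netloc:
        return None
    return parse_qs(parts.query).get("x", [None])[0]


def parse_callback_body(content_type, body):
    """Accept both encodings seen in the thread: JSON from wallets, or a urlencoded
    form post. Both land in a dict, so parameter order is irrelevant."""
    if content_type.split(";")[0].strip().lower() == "application/json":
        data = json.loads(body)
        if not isinstance(data, dict):
            raise ValueError("JSON body must be an object")
    else:
        data = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {k: data.get(k) for k in ("uri", "signature", "address")}


def new_challenge(sessions, host, path, now=None):
    """Mint a nonce, remember it, and return the bitid:// URI to show as a QR code."""
    nonce = secrets.token_hex(16)
    sessions[nonce] = {"created": now if now is not None else time.time(), "address": None, "auth": 0}
    return f"bitid://{host}{path}?x={nonce}&u=1"  # u=1: the callback is served over plain http


def handle_callback(sessions, content_type, body, verify_signature, expected_host, now=None):
    """POST /callback. Returns (http_status, json_body) following the error table in
    the notes. verify_signature(address, message, signature) is supplied by the caller."""
    now = now if now is not None else time.time()
    try:
        params = parse_callback_body(content_type, body)
    except ValueError:
        return 401, {"message": "BitID URI is invalid or not legal"}
    uri, signature, address = params["uri"], params["signature"], params["address"]
    if not is_valid_address(address):
        return 401, {"message": "Address is invalid or not legal"}
    nonce = nonce_from_uri(uri) if uri else None
    if nonce is None or urlsplit(uri).netloc != expected_host:
        return 401, {"message": "BitID URI is invalid or not legal"}
    session = sessions.get(nonce)
    if session is None:
        return 401, {"message": "NONCE is illegal"}
    if now - session["created"] > NONCE_TTL_SECONDS:
        del sessions[nonce]  # one-shot: an expired nonce can never be retried
        return 401, {"message": "NONCE has expired"}
    if not signature or not verify_signature(address, uri, signature):
        return 401, {"message": "Signature is incorrect"}
    session["address"], session["auth"] = address, 1
    return 200, {"address": address, "nonce": nonce}


def handle_auth(sessions, session_id):
    """GET /auth, polled by the browser with its session cookie; never cacheable."""
    session = sessions.get(session_id)
    return 200, NO_CACHE_HEADERS, {"auth": 1 if session and session["auth"] == 1 else 0}


if __name__ == "__main__":
    store = {}
    challenge = new_challenge(store, "login.example", "/callback")
    print("show this as a QR code:", challenge)
    # stand-in verifier for the demo only; a deployment verifies the Bitcoin signed message
    demo_verify = lambda address, message, signature: signature == "demo"
    reply = '{"address": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "signature": "demo", "uri": "%s"}' % challenge
    print(handle_callback(store, "application/json", reply, demo_verify, "login.example"))
    print(handle_auth(store, nonce_from_uri(challenge)))
```

The "address is valid but not associated to an existing account" row of the table is the one place a site-specific lookup belongs (between the address check and the nonce check); the example stops at the checksum test because the account table is the site's business. Parsing the form-encoded sample from the thread through `parse_callback_body` yields the same three-key dict as the JSON form, which is why the parameter-order question raised earlier never arises on the server side.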
newbie
Activity: 31
Merit: 0
http://bitid.bitcoin.blue/login
And click on "manual", you'll get a curl example showing exactly how to POST on the demo server implementation.

Thanks, but that's not what I need. I'm trying to write a server-side implementation. I need to know what the client is sending to me, and to be honest, that's not specified. I'm in the blind. I'm trying to use a BitID client and just see whatever it is sending by pushing debug code out to production (accessible) servers. That's not how any development should be done but I'm given no choice right now.

In a spec, I'm expecting, and asking for something like this:

SAMPLE CLIENT LOGIN REQUEST

Quote
POST /Security/BitId HTTP/1.1
Host: bitid.example.com
Content-Type: application/json

{ "addr":"1dsfagahigaeguropiaasdazd","sign":"ÖIUYFQ(Et5yn9se8hgs8f9dghjf","callback_uri":"https://bitid.example.com","bitid_uri":"https://login.example.com" }

SAMPLE SERVER RESPONSE

Quote
200 OK
(a HTTP response)

Do you see where I'm coming from? It just says that four specific parameters are submitted as part of an HTTP POST. It doesn't say anywhere how those four parameters are encapsulated and encoded. I need to know that in order to implement this. (In this example, I wrote the spec part as if they were submitted using Json, which I don't think they are, but you get the point.)

Cheers,
Rick