Topic: [BIP][Draft] BitID - "Connect with Bitcoin" protocol (Read 22686 times)
nice ledgerwallet!
Ledger Wallet (hardware wallet) supports BitID.
Video demonstration here: https://www.youtube.com/watch?v=6vGxgLB6Y0w
Code is pretty straightforward:
onclick="Ledger.bitid('BITID_URL')">
Login with your Ledger Wallet
Video demonstration here: https://www.youtube.com/watch?v=6vGxgLB6Y0w
Code is pretty straightforward:
Code:
onclick="Ledger.bitid('BITID_URL')">
Login with your Ledger Wallet
A oAuth bitId server would be nice to be able to integrate with existing apps who support oAuth without the need to learn another auth flow. Anybody working on this maybe?
Let's crowdfund one.
Let's crowdfund one.
Thanks - very interesting.
Video is a bit of a problem for me - is there a written reference of what you did?
I typed "ssh localhost", it displayed a QR code and I used my phone (with skubit BitID client) to scan and authenticate it.In the second attempt, I copy&pasted the BitID URL into a browser, replaced "bitid://" with "http://", the QR code showed in the browser instead of the terminal and I also scanned & authenticated.
Sorry the video is fuzzy.
Video is a bit of a problem for me - is there a written reference of what you did?
After a long fight, I managed to add QR code output and http callback to Jay's libpam-bitid. Now you can use your mobile phone to authenticate a ssh session. It works for sudo as well, and probably anything that can output the QR code into the terminal. It probably wouldn't work for a graphical session manager / screensaver.
I made a youtube video to show how cool it is: https://www.youtube.com/watch?v=U6I4HuzSTM0.this is pretty cool.
After a long fight, I managed to add QR code output and http callback to Jay's libpam-bitid. Now you can use your mobile phone to authenticate a ssh session. It works for sudo as well, and probably anything that can output the QR code into the terminal. It probably wouldn't work for a graphical session manager / screensaver.
I made a youtube video to show how cool it is: https://www.youtube.com/watch?v=U6I4HuzSTM0. libpam-bitid: A PAM module to use a bitcoin address for credentials.
This is a linux PAM implementation of the BitID protocol. Linux system access is granted using just a bitcoin address.
After a long fight, I managed to add QR code output and http callback to Jay's libpam-bitid. Now you can use your mobile phone to authenticate a ssh session. It works for sudo as well, and probably anything that can output the QR code into the terminal. It probably wouldn't work for a graphical session manager / screensaver.This is a linux PAM implementation of the BitID protocol. Linux system access is granted using just a bitcoin address.
You can find the fork at https://github.com/PeterSurda/libpam-bitid
Cheers,
Peter
They may still be a little unstable with regards to threading on Mono (which sometimes cuts a request short and strange things like that), but the code works at a prototype level.
Not sure it will help with your issues but you may have to send additional headers to solve a problem specific to I.E. (I.E. caches XMLHttpRequest responses).From my souvenirs, the problem was with the '/auth' call.
Quote
'Last-Modified' = ''
'Cache-Control' = 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0'
'Pragma' = 'no-cache'
'Cache-Control' = 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0'
'Pragma' = 'no-cache'
Two things:
It works.
It's wonderful.
I love this. I'm logged in to Swarmops (my current project) before my phone has even confirmed it has transmitted the signed nonce. This is as smooth as Lastpass' autologins, except 2FA since it combines what you have with what you know (your phone's password, in this case).
If anybody wants to copy my C#/Asp.Net code, feel free. The relevant parts are easy to extract from Login and BitId here:
https://github.com/Swarmops/Swarmops/tree/master/Site5/Security
They may still be a little unstable with regards to threading on Mono (which sometimes cuts a request short and strange things like that), but the code works at a prototype level.
Cheers,
Rick
It works.
It's wonderful.
I love this. I'm logged in to Swarmops (my current project) before my phone has even confirmed it has transmitted the signed nonce. This is as smooth as Lastpass' autologins, except 2FA since it combines what you have with what you know (your phone's password, in this case).
If anybody wants to copy my C#/Asp.Net code, feel free. The relevant parts are easy to extract from Login and BitId here:
https://github.com/Swarmops/Swarmops/tree/master/Site5/Security
They may still be a little unstable with regards to threading on Mono (which sometimes cuts a request short and strange things like that), but the code works at a prototype level.
Cheers,
Rick
Ok, now I know exactly what the HTTP request from Onchain looks like (which works against the BitID demo). No wonder I couldn't get it to work. The phone app doesn't use Json at all, but does a full webform post.
Interesting. I thought that all wallets were using json format to send these parameters but it's true that it's not a requirement made by the protocol. This is what I was asking for in the spec as a sample:
If you have some time, send me a PM with your comments/fixes about the draft in my previous post. I'll gather everything and send it to Eric to get something on github.Quote
POST http://dev.swarmops.com/Security/BitId.aspx HTTP/1.0
Content-Length: 272
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Host: dev.swarmops.com
User-Agent: android-async-http/1.4.4 (http://loopj.com/android-async-http)
signature=H2ooalc68rfcS%2FnEIrrCH2zUKYvjIuj%2Bp9DoQoVVkW39R3wVfNnbO7Pmd4UdkNf6FpQ%2FUGV3pfm4vrE9541za%2Fg%3D&uri=bitid%3A%2F%2Fdev.swarmops.com%2FSecurity%2FBitId.aspx%3Fx%3D4b593383a4674b83b31d066e0e87e60f8d1c1df565f568f%26u%3D1&address=14fRQCbR62EGzjPQks9XRAVRiqWhftn3dA
Content-Length: 272
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Host: dev.swarmops.com
User-Agent: android-async-http/1.4.4 (http://loopj.com/android-async-http)
signature=H2ooalc68rfcS%2FnEIrrCH2zUKYvjIuj%2Bp9DoQoVVkW39R3wVfNnbO7Pmd4UdkNf6FpQ%2FUGV3pfm4vrE9541za%2Fg%3D&uri=bitid%3A%2F%2Fdev.swarmops.com%2FSecurity%2FBitId.aspx%3Fx%3D4b593383a4674b83b31d066e0e87e60f8d1c1df565f568f%26u%3D1&address=14fRQCbR62EGzjPQks9XRAVRiqWhftn3dA
And here I was trying to interpret Json and wonder why the server did absolutely nothing... 
Arfff. I know this feeling when you spend time looking for the causes of a bug and finally notice that you didn't look at the right causes. I fear it's the curse of all developers. 
By the way, it's great that you work on this integration of BitId with C#. It's a great platform and I expect we see more .NET bitcoin projects thanks to efforts like yours or NBitcoin.
This is big.
It is enabled in the mycelium testnet app, if you want to try.
Do we have any idea (best wild-ass guess) when bitID may be available in the mainline Android client, something even marginally better than "between yesterday and in two forevers"?
In the case of Mycelium, we have a working demo in our dev build, but we are going to hold off until we get HD wallets finished. Reason is that without, your BitID will only be tied to a single address, and with HD you will be able to have a different ID for different sites, all coming from the same seed used for your bitcoin addresses.
Ooops. That sounds like a more serious issue.
On its side, BitID protocol does not state any specific order for the parameters.
I may be wrong but to my knowledge, there's no notion of order in json. A lib forcing an order for json content seems to me like a bad implementation of json.
On its side, BitID protocol does not state any specific order for the parameters.
I may be wrong but to my knowledge, there's no notion of order in json. A lib forcing an order for json content seems to me like a bad implementation of json.
I would agree with this and I'm not certain this is even the case. I'm on a wild goose chase for bugs at this point to find out why my implementation isn't responding.
Cheers,
Rick
Ok, now I know exactly what the HTTP request from Onchain looks like (which works against the BitID demo). No wonder I couldn't get it to work. The phone app doesn't use Json at all, but does a full webform post.
This is what I was asking for in the spec as a sample:
And here I was trying to interpret Json and wonder why the server did absolutely nothing...
This is what I was asking for in the spec as a sample:
Quote
POST http://dev.swarmops.com/Security/BitId.aspx HTTP/1.0
Content-Length: 272
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Host: dev.swarmops.com
User-Agent: android-async-http/1.4.4 (http://loopj.com/android-async-http)
signature=H2ooalc68rfcS%2FnEIrrCH2zUKYvjIuj%2Bp9DoQoVVkW39R3wVfNnbO7Pmd4UdkNf6FpQ%2FUGV3pfm4vrE9541za%2Fg%3D&uri=bitid%3A%2F%2Fdev.swarmops.com%2FSecurity%2FBitId.aspx%3Fx%3D4b593383a4674b83b31d066e0e87e60f8d1c1df565f568f%26u%3D1&address=14fRQCbR62EGzjPQks9XRAVRiqWhftn3dA
Content-Length: 272
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Host: dev.swarmops.com
User-Agent: android-async-http/1.4.4 (http://loopj.com/android-async-http)
signature=H2ooalc68rfcS%2FnEIrrCH2zUKYvjIuj%2Bp9DoQoVVkW39R3wVfNnbO7Pmd4UdkNf6FpQ%2FUGV3pfm4vrE9541za%2Fg%3D&uri=bitid%3A%2F%2Fdev.swarmops.com%2FSecurity%2FBitId.aspx%3Fx%3D4b593383a4674b83b31d066e0e87e60f8d1c1df565f568f%26u%3D1&address=14fRQCbR62EGzjPQks9XRAVRiqWhftn3dA
And here I was trying to interpret Json and wonder why the server did absolutely nothing...
Sorry for the late answer. Was musing in the french subforum 
I think we've all followed a kind of implicit norm by reusing the same "/callback" uri but the protocol does not state any such rule.
EDIT: Here is an example of a different callback uri used in my 2FA demo (uses a "/tfa_activation_callback" uri)
Can we lock down that the parameters come IN THIS ORDER? That's not explicitly written, and some implementations (like C# which I'm using) are or can be order-sensitive, even with parameter names supplied.
Ooops. That sounds like a more serious issue.
On its side, BitID protocol does not state any specific order for the parameters.
Main problem is that such a rule would have a direct impact for wallets developers.
Thus, I think it's better if Eric answers this point.
I may be wrong but to my knowledge, there's no notion of order in json. A lib forcing an order for json content seems to me like a bad implementation of json.
Does it have to be this (partial) URI, or is it just a header describing this section? That's unclear. I have been using a different URI, as I'm using the [WebMethod] feature of Asp.Net that lets you embed a Json-callable function on any page.
The uris "/callback" can be something else. The client should only rely on what it has received in the bitid_uri.I think we've all followed a kind of implicit norm by reusing the same "/callback" uri but the protocol does not state any such rule.
EDIT: Here is an example of a different callback uri used in my 2FA demo (uses a "/tfa_activation_callback" uri)
Quote
Parameters:
uri : string - required - bitid uri used as the challenge
signature : string - required - signature of the bitid uri
address : string - required - address used for authentication
uri : string - required - bitid uri used as the challenge
signature : string - required - signature of the bitid uri
address : string - required - address used for authentication
Can we lock down that the parameters come IN THIS ORDER? That's not explicitly written, and some implementations (like C# which I'm using) are or can be order-sensitive, even with parameter names supplied.
On its side, BitID protocol does not state any specific order for the parameters.
Main problem is that such a rule would have a direct impact for wallets developers.
Thus, I think it's better if Eric answers this point.
I may be wrong but to my knowledge, there's no notion of order in json. A lib forcing an order for json content seems to me like a bad implementation of json.
Here's my notes, written while working on the python library. Hope it helps.
Thanks, it does! I found at least one reason my server doesn't pick up the response.
Quote
/callback
Does it have to be this (partial) URI, or is it just a header describing this section? That's unclear. I have been using a different URI, as I'm using the [WebMethod] feature of Asp.Net that lets you embed a Json-callable function on any page.
Quote
Parameters:
uri : string - required - bitid uri used as the challenge
signature : string - required - signature of the bitid uri
address : string - required - address used for authentication
uri : string - required - bitid uri used as the challenge
signature : string - required - signature of the bitid uri
address : string - required - address used for authentication
Can we lock down that the parameters come IN THIS ORDER? That's not explicitly written, and some implementations (like C# which I'm using) are or can be order-sensitive, even with parameter names supplied.
Testing again now.
Cheers,
Rick
Here's my notes, written while working on the python library. Hope it helps.
Quote
/callback
Request sent by the browser or the wallet as a response to a challenge Request can be sent in two formats: json or html form
Request
Http method: POST
Parameters:
uri : string - required - bitid uri used as the challenge
signature : string - required - signature of the bitid uri
address : string - required - address used for authentication
Headers:
Content-Type : string - required = "application/json" if request sent by a wallet, otherwise server should assume a manual signing submitted via an html form (see demo)
Response
Process completed
Response format:
address : string - required - address used for authentication
nonce : string - required - session id associated to the authentication
Http code: 200
Process failed
Response format:
message : string - required(?) - message describing the error
Http codes / messages:
Invalid adress
Http code : 401
message : Address is invalid or not legal
Address is valid but not associated to an existing account
Http code : 401
message : Address is invalid or not legal
Invalid BitId uri
Http code : 401
message : BitID URI is invalid or not legal
Invalid signature
Http code : 401
message : Signature is incorrect
Illegal nonce
Http code : 401
message : NONCE is illegal
Expired nonce
Http code : 401
message : NONCE has expired
Server error (pb with db, ...)
Http code : 500
message :
Misc error (specific to implementations by websites)
Http code : 401
message : [...]
/auth
Request sent by the browser to check if authentication has succeeded
Request
Http method: GET
Parameters: None
Headers Cookie: stores the session id
Response
Process completed
Response format:
auth : int - required - 1 if authentication successfully completed, otherwise 0
Http code: 200
Request sent by the browser or the wallet as a response to a challenge Request can be sent in two formats: json or html form
Request
Http method: POST
Parameters:
uri : string - required - bitid uri used as the challenge
signature : string - required - signature of the bitid uri
address : string - required - address used for authentication
Headers:
Content-Type : string - required = "application/json" if request sent by a wallet, otherwise server should assume a manual signing submitted via an html form (see demo)
Response
Process completed
Response format:
address : string - required - address used for authentication
nonce : string - required - session id associated to the authentication
Http code: 200
Process failed
Response format:
message : string - required(?) - message describing the error
Http codes / messages:
Invalid adress
Http code : 401
message : Address is invalid or not legal
Address is valid but not associated to an existing account
Http code : 401
message : Address is invalid or not legal
Invalid BitId uri
Http code : 401
message : BitID URI is invalid or not legal
Invalid signature
Http code : 401
message : Signature is incorrect
Illegal nonce
Http code : 401
message : NONCE is illegal
Expired nonce
Http code : 401
message : NONCE has expired
Server error (pb with db, ...)
Http code : 500
message :
Misc error (specific to implementations by websites)
Http code : 401
message : [...]
/auth
Request sent by the browser to check if authentication has succeeded
Request
Http method: GET
Parameters: None
Headers Cookie: stores the session id
Response
Process completed
Response format:
auth : int - required - 1 if authentication successfully completed, otherwise 0
Http code: 200
http://bitid.bitcoin.blue/login
And click on "manual", you'll get a curl example showing exactly how to POST on the demo server implementation.
And click on "manual", you'll get a curl example showing exactly how to POST on the demo server implementation.
Thanks, but that's not what I need. I'm trying to write a server-side implementation. I need to know what the client is sending to me, and to be honest, that's not specified. I'm in the blind. I'm trying to use a BitID client and just see whatever it is sending by pushing debug code out to production (accessible) servers. That's not how any development should be done but I'm given no choice right now.
In a spec, I'm expecting, and asking for something like this:
SAMPLE CLIENT LOGIN REQUEST
Quote
POST /Security/BitId HTTP/1.1
Host: bitid.example.com
Content-Type: application/json
{ "addr":"1dsfagahigaeguropiaasdazd","sign":"ÖIUYFQ(Et5yn9se8hgs8f9dghjf","callback_uri":"https://bitid.example.com","bitid_uri":"https://login.example.com" }
Host: bitid.example.com
Content-Type: application/json
{ "addr":"1dsfagahigaeguropiaasdazd","sign":"ÖIUYFQ(Et5yn9se8hgs8f9dghjf","callback_uri":"https://bitid.example.com","bitid_uri":"https://login.example.com" }
SAMPLE SERVER RESPONSE
Quote
200 OK
(a HTTP response)
(a HTTP response)
Do you see where I'm coming from? It just says that four specific parameters are submitted as part of an HTTP POST. It doesn't say anywhere how those four parameters are encapsulated and encoded. I need to know that in order to implement this. (In this example, I wrote the spec part as if they were submitted using Json, which I don't think they are, but you get the point.)
Cheers,
Rick
Jump to: