@xeroc
Created March 1, 2021 12:07
Spec: 0010
Title: Single-SignOn Onboarding
Authors: Fabian Schuh <fabian@blockops.de>
Status: Draft
Type: off-chain
Created: 2021-03-01

Abstract

These days, internet users have to manage login credentials for a large number of accounts. To simplify access to services, so that a login at one large company can be used to sign in at another company's site, single-sign-on techniques have been developed. The most prominent examples are OAuth 2.0 and OpenID (Connect), which provide user authentication as well as authorized sharing of data between the services of different companies.

Motivation

Shareberry would like to enable users to use their Telegram account for onboarding into the blockchain-based Shareberry ecosystem. The Telegram account is supposed to replace the user's phone number verification step and improve the user experience during onboarding.

Additionally, knowing a user's Telegram account comes in handy for later services that might want to mirror posts on Telegram announcement channels, as well as for a notification system for events taking place on the blockchain.

This document describes the process that facilitates the onboarding of a user through their Telegram account.

Specifications

What follows is the detailed technical specification of the onboarding feature, specifically for Telegram.

User Data

During the onboarding process, the user is requested to provide certain information:

  1. username
  2. passphrase (to be used to compute secret keys)
  3. email address
  4. mobile phone number

Item 4 is now extended so that a Telegram account may be provided instead of the phone number; item 4 thus becomes a choice between either a mobile phone number or a Telegram account.

Authentication of Telegram Account

Obviously, the provided Telegram account has to be valid and authentic. For this reason, we do not let the user type in a Telegram handle directly; instead we make use of the Telegram Login Widget, which authenticates the user with Telegram on our behalf. After onboarding we therefore know for sure that the user had access to a particular Telegram account at the time of onboarding. That account is identified by its numeric id; the username is optional in Telegram and can be changed by the user at any time, so it must not serve as the identifier.

Implementation Details

Telegram Bot

Telegram requires that we operate a Telegram Bot, which is created through @BotFather. From there, a bot token (secret) is obtained. With this token, the server verifies the payloads Telegram sends when users authenticate; the token must therefore stay server-side and never be exposed to the browser or committed to source control.

Widget and Authentication Flow

Telegram offers a Login Widget for authentication through Telegram. The widget ships as a JavaScript component that takes care of authentication with Telegram and then forwards the user to a configured callback URL. The request to that callback URL carries the user data listed below together with a hash field that allows the server to verify the authenticity of the payload: the hash is an HMAC-SHA256 over the other fields, keyed with the SHA-256 digest of the bot token (see Telegram's Login Widget documentation, https://core.telegram.org/widgets/login). Verification must happen server-side, and auth_date must be checked against the current time so that a captured payload cannot be replayed later. The payload fields are:

  • id (numeric, stable identifier of the account)
  • first_name
  • last_name (optional)
  • username (optional)
  • photo_url (optional)
  • auth_date (Unix timestamp of the authentication)
  • hash (HMAC-SHA256 over the fields above, keyed with SHA-256 of the bot token)

Onboarding API

The existing onboarding API must be extended so that a Telegram login (i.e. the data the widget posts to the callback URL) is accepted as an alternative to a mobile phone number, and it must establish the authenticity of the Telegram account in a secure way: recompute the hash server-side with the bot token and compare it in constant time, and reject payloads whose auth_date is stale.

In case the user authenticates via Telegram, the user's numeric Telegram id, username and full name must be stored; the id is the stable key, since the username is optional and may change. The photo referenced by photo_url can be stored in the account's metadata when creating the new account (might require some work in the python library).
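As an added illustration (not code from this spec, Shareberry or Telegram), the following Python shows both parts discussed above: the server-side verification of the widget payload (data-check-string, HMAC-SHA256 keyed with SHA-256 of the bot token, constant-time comparison, auth_date freshness), and the extension of item 4 of the user data so that a verified Telegram account is accepted in place of a phone number. The bot token, the sample payload, the fixed clock value, the one-day freshness limit and all function names are assumptions made for the example; the hash over the constructed payload is computed with the same function a real server would use to verify it.

```python
import hashlib
import hmac
import time

# Constructed bot token for the example only; a real one comes from @BotFather.
BOT_TOKEN = "123456789:AAExampleBotTokenForIllustrationOnly"

# Maximum accepted age of a widget payload in seconds (assumption: one day).
MAX_AUTH_AGE = 86400

# Fixed "current time" so the example is reproducible (2021-03-01, constructed).
NOW = 1614600000


def telegram_data_check_string(payload):
    """Telegram's data-check-string: every field except 'hash' as 'key=value',
    sorted by key and joined with newline characters."""
    return "\n".join(f"{k}={v}" for k, v in sorted(payload.items()) if k != "hash")


def sign_telegram_payload(payload, bot_token):
    """Compute the 'hash' field as Telegram defines it: HMAC-SHA256 over the
    data-check-string, keyed with SHA-256(bot_token), hex encoded. The server
    recomputes this value to verify a payload; here it also builds the sample."""
    secret_key = hashlib.sha256(bot_token.encode()).digest()
    msg = telegram_data_check_string(payload).encode()
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


def verify_telegram_login(payload, bot_token, now=None, max_age=MAX_AUTH_AGE):
    """True only if the hash matches under our bot token and auth_date is fresh."""
    if not all(k in payload for k in ("hash", "auth_date", "id")):
        return False
    expected = sign_telegram_payload(payload, bot_token)
    # constant-time comparison: no timing oracle on the hash value
    if not hmac.compare_digest(expected, str(payload["hash"])):
        return False
    try:
        auth_date = int(payload["auth_date"])
    except (TypeError, ValueError):
        return False
    now = time.time() if now is None else now
    # reject replayed (stale) payloads and clock-skewed "future" ones
    if auth_date > now + 60 or now - auth_date > max_age:
        return False
    return True


def onboarding_contact(form, bot_token, now=None):
    """Item 4 of the user data: either a verified Telegram account or a phone
    number. Returns the record to store, or None if neither is acceptable."""
    telegram = form.get("telegram")
    if telegram is not None:
        if not verify_telegram_login(telegram, bot_token, now=now):
            return None  # unverifiable payload: do not fall back to the handle
        name_parts = (telegram.get("first_name"), telegram.get("last_name"))
        return {
            "kind": "telegram",
            # the numeric id is the stable key; username is optional and mutable
            "telegram_id": int(telegram["id"]),
            "telegram_username": telegram.get("username"),
            "full_name": " ".join(p for p in name_parts if p),
            "photo_url": telegram.get("photo_url"),
        }
    phone = form.get("phone")
    if phone:
        # existing phone-number path; its own verification step is unchanged
        return {"kind": "phone", "phone": phone}
    return None


# Constructed sample of what the widget posts to the callback URL.
SAMPLE_WIDGET_PAYLOAD = {
    "id": "424242",
    "first_name": "Alice",
    "last_name": "Example",
    "username": "alice_example",
    "photo_url": "https://t.me/i/userpic/320/example.jpg",
    "auth_date": str(NOW - 300),
}
SAMPLE_WIDGET_PAYLOAD["hash"] = sign_telegram_payload(SAMPLE_WIDGET_PAYLOAD, BOT_TOKEN)

if __name__ == "__main__":
    print("valid payload:", verify_telegram_login(SAMPLE_WIDGET_PAYLOAD, BOT_TOKEN, now=NOW))
    tampered = dict(SAMPLE_WIDGET_PAYLOAD, username="mallory")
    print("tampered username:", verify_telegram_login(tampered, BOT_TOKEN, now=NOW))
    print("record:", onboarding_contact({"telegram": SAMPLE_WIDGET_PAYLOAD}, BOT_TOKEN, now=NOW))
```

The tampered case shows why the hash covers every field: changing the username after the fact invalidates the payload, so the onboarding API stores only data Telegram itself attested. A payload with a valid hash but an auth_date older than the limit is rejected as well, which is what stops a captured callback request from being replayed to register a second account.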
