Embed: Proof of Concept for Web2 OAuth Flows #3040

Open
3 tasks
erichfi opened this issue Nov 8, 2024 · 0 comments
erichfi commented Nov 8, 2024

User Story:

As a user of the Embed solution,
I want Web2 OAuth flows to be integrated,
So that I can authenticate using popular services via a popup flow.

Acceptance Criteria

GIVEN the Embed solution is deployed,
WHEN a user opts to claim a Web2 stamp for which OAuth is required,
THEN a popup flow facilitates the authentication and verification process.

Product & Design Links:

N/A

Tech Details:

  • the first step should probably require the user creating a signature (so that we can prevent abuses like users claiming web2 stamps on other users' addresses)
  • similar to how we currently open the pages of the web2 providers to authenticate and grant access in order to claim the web2 stamps, when a user tries to claim a web2 stamp from an embed component, then:
    • open a popup window, initially loading a page from passport.xyz domain
    • that page should automatically trigger the verification process for the web2 stamps (the user should actually not even get to see any passport content at this step, but instead see directly the OAuth provider's login page)
    • the user authenticates & grants passport access to the required data
    • upon completion of the verification, regardless of whether it is successful or not, the popup should be closed
    • the status of the operation should be indicated in the embed component
    • Please note that:
      • the verification (including oauth authentication) is triggered from a page on passport.xyz domain, and then redirects to the same domain when done
  • Support services like Google, LinkedIn, GitHub and Coinbase.
  • ask the user for a signature before triggering the flow, in order to ensure he is indeed the owner of the wallet

Open Questions:

  • How do we handle OAuth tokens and session management?
    • we don't need to manage session & tokens, we shall treat the tokens as burner tokens, just as we do with the IAM, and we only use them once for the purpose of verifying the user's stamp
  • How do we handle deduplication of web2 stamps claimed in the Embed flow?
    • this is similar to the stamps claimed in the passport app, there is no distinction
  • how do we prevent users claiming a stamp on another user's address?
    • we'll probably need to add a signature step to the flow

Notes/Assumptions:

OAuth providers are configured and operational.

@erichfi erichfi moved this to Prioritized in Passport New Nov 8, 2024
@Jkd-eth Jkd-eth changed the title Proof of Concept for Web2 OAuth Flows Embed: Proof of Concept for Web2 OAuth Flows Nov 8, 2024
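
One way to carry the signature step through the popup redirect, as an added example that is not code from this issue or from the Passport project: after the wallet signature is verified, the server issues a single-use, HMAC-protected OAuth `state` value bound to the signing address and provider, and checks it on the callback before a stamp is issued. The names `issueState` and `redeemState`, the five-minute lifetime and the in-memory nonce set are assumptions made for illustration.

```javascript
// Added example: bind the OAuth `state` value to the wallet address that signed.
const crypto = require('node:crypto');

const STATE_TTL_MS = 5 * 60 * 1000; // assumed lifetime of one popup flow
const usedNonces = new Set();       // in-memory for the demo; a shared store in a real deployment

const mac = (secret, payload) =>
  crypto.createHmac('sha256', secret).update(payload).digest('base64url');

// Call only after the wallet signature over a server challenge has been
// verified; that check is outside the scope of this example.
function issueState(secret, address, provider, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({
    addr: address.toLowerCase(),
    prov: provider,
    nonce: crypto.randomBytes(16).toString('hex'),
    exp: now + STATE_TTL_MS,
  })).toString('base64url');
  return `${payload}.${mac(secret, payload)}`;
}

// Run on the OAuth callback before a stamp is issued.
// Returns the bound address and provider, or throws.
function redeemState(secret, state, provider, now = Date.now()) {
  const [payload, tag, ...rest] = String(state).split('.');
  if (!payload || !tag || rest.length) throw new Error('malformed state');
  const expected = Buffer.from(mac(secret, payload));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad state MAC');
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (claims.exp <= now) throw new Error('state expired');
  if (claims.prov !== provider) throw new Error('provider mismatch');
  if (usedNonces.has(claims.nonce)) throw new Error('state already used');
  usedNonces.add(claims.nonce); // single use, like the burner OAuth tokens
  return { address: claims.addr, provider: claims.prov };
}

// Constructed demo values, not real keys or addresses.
const demoSecret = crypto.randomBytes(32);
const demoState = issueState(demoSecret, '0x' + 'a'.repeat(40), 'github');
console.log(redeemState(demoSecret, demoState, 'github'));
```

The stamp is then issued for the address returned by `redeemState`, never for an address supplied in the callback request.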