Skip to content

Instantly share code, notes, and snippets.

@alanshaw

alanshaw/auth-flow.md

Last active March 20, 2025 17:37
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save alanshaw/d67d030e6cbf1326fc7454ee2af9eac3 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save alanshaw/d67d030e6cbf1326fc7454ee2af9eac3 to your computer and use it in GitHub Desktop.
Download ZIP
Notes for the w3up auth flow
Raw
auth-flow.md

To login...

Client issues:

iss: did:key:agent
aud: did:web:web3.storage
can: access/authorize
with: did:key:agent
nb:
  iss: did:mailto:alice
  att: ['*']

In access/authorize handler server issues:

iss: did:web:web3.storage
aud: did:web:web3.storage
can: access/confirm
with: did:web:web3.storage
nb:
  iss: did:mailto:alice
  att: ['*']
  aud: did:key:agent

And sends it in an EMAIL to alice.

The receipt contains a fork for ^^

User clicks on email and invokes access/confirm delegation.

The server issues:

iss: did:mailto:alice
aud: did:key:agent
can: *
with: ucan:*

This is an "absentee" signer.

The server issues:

iss: did:web:web3.storage
aud: did:key:agent
can: ucan/attest
with: did:web:web3.storage
nb:
  proof: <ucan-star-delegation.cid>

...and stores these delegations against did:key:agent

Back on the client:

iss: did:key:agent
aud: did:web:web3.storage
can: access/claim
with: did:key:agent

...and get back the two server issued delegations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment