The front-end depends on WalletConnect, meaning you will need to create a project with them and have the environment variable `PROJECT_ID` set when you build the front-end.
**WARNING:** Due to the reliance on WalletConnect, and the project ID being loaded at compile-time, the current version of the Docker image won't have a working web app.
Redis, or a Redis compatible database (e.g. MemoryDB in AWS), is required.
The Docker image is available at `ghcr.io/spruceid/siwe_oidc:0.1.0`. Here is an example usage:

```bash
docker run -p 8000:8000 -e SIWEOIDC_REDIS_URL="redis://redis" ghcr.io/spruceid/siwe_oidc:latest
```

It can be configured either with the `siwe-oidc.toml` configuration file, or through environment variables:

- `SIWEOIDC_ADDRESS` is the IP address to bind to.
- `SIWEOIDC_REDIS_URL` is the URL to the Redis instance.
- `SIWEOIDC_BASE_URL` is the URL you want to advertise in the OIDC configuration (e.g. `https://oidc.example.com`).
- `SIWEOIDC_SIGNING_KEY_PEM` is the signing key (PKCS#8 PEM, ES256/P-256 ECDSA). One will be generated if none is provided.
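Because a key generated at start-up changes on every restart and differs between replicas, you will normally want to supply `SIWEOIDC_SIGNING_KEY_PEM` yourself. The following is an added example (not part of siwe-oidc) that generates a key in the format the variable requires (unencrypted PKCS#8, ECDSA on P-256) and checks a candidate PEM before deployment; it rejects SEC1 `EC PRIVATE KEY` output such as `openssl ecparam -genkey` produces, and keys on other curves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// GenerateSigningKeyPEM creates a P-256 ECDSA key as an unencrypted PKCS#8 PEM block.
func GenerateSigningKeyPEM() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})), nil
}

// CheckSigningKeyPEM rejects anything that is not a PKCS#8 ECDSA key on P-256 (ES256).
func CheckSigningKeyPEM(pemText string) error {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PRIVATE KEY" {
		return fmt.Errorf("expected an unencrypted PKCS#8 \"PRIVATE KEY\" PEM block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("invalid PKCS#8 key: %w", err)
	}
	ecKey, ok := parsed.(*ecdsa.PrivateKey)
	if !ok {
		return fmt.Errorf("expected an ECDSA key, got %T", parsed)
	}
	if ecKey.Curve != elliptic.P256() {
		return fmt.Errorf("expected curve P-256, got %s", ecKey.Curve.Params().Name)
	}
	return nil
}

func main() {
	pemText, _ := GenerateSigningKeyPEM()
	fmt.Print(pemText) // keep this in a secret store, not in the image or shell history
}
```

Pass the stored key to the container with `-e SIWEOIDC_SIGNING_KEY_PEM="$(cat siwe-oidc.pem)"` so the advertised JWKS stays stable across restarts.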
The current flow is very basic -- after the user is authenticated you will receive:

- an Ethereum address as the subject (`sub` field); and
- an ENS domain as the `preferred_username` (with a fallback to the address).
The core OIDC information is available under `/.well-known/openid-configuration`.
OIDC Conformance Suite:

- 🟨 (25/29, and 10 skipped) basic (`email` scope skipped, `profile` scope partially supported, ACR, `prompt=none` and request URIs yet to be supported);
- 🟩 config;
- 🟧 dynamic code.
- Additional information, from native projects (e.g. ENS domains profile pictures), to more traditional ones (e.g. email).
A Docker Compose is available to test the IdP locally with Keycloak.

- You will first need to run:

  ```bash
  docker-compose -f test/docker-compose.yml up -d
  ```

- And then edit your `/etc/hosts` to have `siwe-oidc` point to `127.0.0.1`. This is so both your browser, and Keycloak, can access the IdP.
- In Keycloak, you will need to create a new IdP. You can use `http://siwe-oidc:8000/.well-known/openid-configuration` to fill the settings automatically. As for the client ID/secret, you can use `sdf`/`sdf`.
Our identity provider for Sign-In with Ethereum has not yet undergone a formal security audit. We welcome continued feedback on the usability, architecture, and security of this implementation.