aptos-foundation/AIPs

[AIP-67][Discussion] Native Consensus for JSON Web Key (JWK)

thepomeranian opened this issue · 0 comments

AIP Discussion

Summary

OpenID Connect (OIDC) orchestrates authentication by enabling a user to prove their identity to a client application, through the mediation of a trusted identity provider, leveraging the OAuth 2.0 framework for secure interactions.
Typically, this process involves verifying a signature of the provider with its cryptographic public keys, which are published in the format of a JSON Web Key (JWK). For security purposes, JWKs are rotated periodically, but providers may each have their own rotation schedule, and providers typically do not provide official documentation or notification: client apps are expected to fetch JWKs in an ad-hoc manner.

AIP-61: keyless accounts introduced a new type of Aptos account that is secured through the owner’s existing OIDC accounts (i.e., their Web2 account with an OIDC provider such as Google, GitHub or Apple), and verifying a transaction from such an OIDC account involves verifying a signature of the provider with its JWK. This requires that validators agree on the latest JWKs of every provider that needs to be supported.

This AIP proposes a solution where validators:

  • monitor the OIDC providers' JWKs by directly fetching them;
  • once a JWK change is detected, collaborate with peers to form a quorum-certified JWK update;
  • publish the update on-chain through a validator transaction.
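As an added illustration (not code from the AIP or from the Aptos implementation), the Python below sketches the observation side of the three steps above: canonicalizing a fetched JWK set so that independently fetching validators derive the same digest, detecting a rotation between two fetches, and tallying validators' observations against a voting-power threshold. The sample JWK sets, the placeholder key material and the two-thirds threshold are assumptions.

```python
import hashlib
import json

# Constructed sample JWK sets, shaped like the JSON an OIDC provider serves at its
# jwks_uri. The second set simulates a rotation that retires "kid-a" and adds "kid-c".
# The "n" values are placeholders, not real RSA moduli.
JWKS_BEFORE = {"keys": [
    {"kty": "RSA", "kid": "kid-a", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "placeholder-a"},
    {"kty": "RSA", "kid": "kid-b", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "placeholder-b"},
]}
JWKS_AFTER = {"keys": [
    {"kty": "RSA", "kid": "kid-c", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "placeholder-c"},
    {"kty": "RSA", "kid": "kid-b", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "placeholder-b"},
]}

def canonical_jwks(jwks):
    """Canonical bytes of a JWK set: keys sorted by kid, members sorted, no whitespace.
    Validators fetch independently, so key order or formatting differences between
    fetches must not change what they observe."""
    keys = sorted(jwks["keys"], key=lambda k: k["kid"])
    return json.dumps({"keys": keys}, sort_keys=True, separators=(",", ":")).encode()

def jwks_digest(jwks):
    """Digest a validator would vote on for one provider's current JWK set."""
    return hashlib.sha256(canonical_jwks(jwks)).hexdigest()

def detect_rotation(previous, current):
    """Return (added_kids, removed_kids); both empty means nothing to certify."""
    prev_ids = {k["kid"] for k in previous["keys"]}
    cur_ids = {k["kid"] for k in current["keys"]}
    return sorted(cur_ids - prev_ids), sorted(prev_ids - cur_ids)

def quorum_certified_digest(observations, voting_power):
    """observations: validator -> digest it fetched; voting_power: validator -> weight.
    Returns the digest backed by strictly more than two thirds of total voting power
    (an assumed BFT-style threshold), or None when no digest reaches it."""
    total = sum(voting_power.values())
    tally = {}
    for validator, digest in observations.items():
        tally[digest] = tally.get(digest, 0) + voting_power.get(validator, 0)
    for digest, power in tally.items():
        if 3 * power > 2 * total:
            return digest
    return None

if __name__ == "__main__":
    print("rotation:", detect_rotation(JWKS_BEFORE, JWKS_AFTER))
    power = {"v1": 1, "v2": 1, "v3": 1, "v4": 1}
    seen = {"v1": jwks_digest(JWKS_AFTER), "v2": jwks_digest(JWKS_AFTER),
            "v3": jwks_digest(JWKS_AFTER), "v4": jwks_digest(JWKS_BEFORE)}
    print("certified:", quorum_certified_digest(seen, power) == jwks_digest(JWKS_AFTER))
```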

Read more about it here: https://github.com/aptos-foundation/AIPs/blob/main/aips/aip-67.md