orbitdb-archive/orbit

Orbit uPort integration

Closed this issue · 27 comments


This post describes a way to relatively quickly integrate uPort with Orbit. The user will be able to use their uPort name and profile picture in Orbit as well as provision a signing key that will sign Orbit messages. It will not require any changes to the uPort mobile app.

User Flow (connecting uPort):

Orbit shows a QR code, the user scans it with her uPort app, this connects your uPort and provides Orbit with the address/identifier of your uPort (See web.whatsapp.com for the general idea). A random private signing key is generated in Orbit. Orbit displays another QR code, when scanning this the public key is added to the attributes of your uPort, stored in IPFS. (Two QR codes is not ideal UX-wise, but works without changes to the mobile app). This in effect “provisions” the Orbit key since it would be indirectly signed by your main uPort device key when data is added to the Ethereum registry. QR code scanning and related stuff is in the main uport-lib repository.

Orbit can pull the user's attributes (name, photo) from the IPFS hash stored in the uPort registry, using the uport-persona library. When sending a message the Orbit user can have their uPort address in the “from” field, and they can sign the payload of their message as a JSON web token using something like this.

When another user fetches the message they can query Ethereum for the IPFS hash of attributes belonging to that identity, as well as their Orbit public signing key. They can then save these attributes locally. The public signing key is used to verify the signed messages.

Bonus

If there is interest we can also provision an encryption key in a similar way. This would allow for encrypted direct messages and group messages for predefined groups. We would need to clean up some of the encryption libraries for this.

Action items

  1. Make sure @haadcode and @jbenet have access to the uPort iOS app through TestFlight (@christianlundkvist will need their iCloud email addresses for this, does @haadcode have an iPhone?)
  2. Make sure @haadcode and @jbenet can access the uport github repos to see how to integrate
  3. @christianlundkvist can help with more detailed descriptions of the steps to integrate.

This is fantastic Christian! Pretty much how I imagined it to work, and how Orbit used to work. I don't have an iPhone but we'll arrange one.

There's some work I need to do in both Orbit and orbit-db to support signed messages.

Not sure yet if we should try to support encrypted messages, it's a fairly large amount of work and there are quite a few unknowns. But what you described will get us started and towards a great demo!

I'll get back to you with more questions as soon as I start working on this (couple of weeks ish)

Cool, sounds good! Agreed that encryption support is a big task to do correctly. Let me know if there is anything you need further.

@christianlundkvist I can haz uPort iOS app?

@jbenet

> I can haz uPort iOS app?

Of course! I just need the email you use for iCloud so we can add you to TestFlight. Install TestFlight and you should be able to install uPort once we add you. You can send it via Signal or something if you like.

Great!


wow PGP is ugly.

Thanks @jbenet! I'm adding you and @haadcode to the TestFlight program so you can get the app!

Cheers,
C

Got it and have it running with a profile. Will start working on this tomorrow.

Progress:
[screenshot, 2016-08-22 17:50:24]

cc @christianlundkvist

On the internet, nobody knew you were really a cat. Until uPort!

😹 😹 😹

@haadcode that's great! 👍

Haha awesome job! Glad you managed to push through despite the issues! 😃 @haadcode are you adding an orbit signing key to the uPort profile? Or is that the uPort signing key you're displaying?

Would be good to derive one for orbit.

@christianlundkvist do you have some standard / recommended way to derive keys?

@christianlundkvist atm neither. There's still an issue in the uPort app re. getting the pub signing key from Persona and I was thinking of using that. I'll do a test to add the Orbit signing key to the profile and use it (right now I'm using the Orbit signing key, it's just not added to the profile).

We will actually need to derive various keys over time, so we'll need 1 key to be the Orbit root key, and then derive keys (HD? or something else?) because we'll be signing a ton. (The more you sign with a key, the easier it is to attack. You don't want to use the same key for signing millions of things.)

@jbenet @haadcode I think we don't need to strictly derive a key from the master key here, we can just generate an orbit key randomly and add the public key to the profile. If you look at the attestation-demo repo we are adding profile data.

The master pubkey is not supposed to leave the device so it would be cumbersome to sign each message with that key, so we do want a specific key for orbit

@christianlundkvist sounds good 👍

Sounds good! I'll work on this further tomorrow and will keep you posted.

@haadcode great! you should be able to add it using the uport-profile library.

@jbenet if we want to avoid having long-lived orbit keys we could rotate the orbit key at regular intervals and update the uPort registry accordingly. We will have to think about revocation etc later on but for now it might be enough to have an expiry date for the keys.
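The flow discussed so far (a random Orbit key, its public half published as a profile attribute with an expiry date, messages signed as JSON web tokens and verified against the published key) can be sketched as follows. This is an added example, not code from Orbit or uPort; the P-256/ES256 algorithm choice, the attribute shape, the function names and the `lookupOrbitKey` callback standing in for the registry/IPFS lookup are all assumptions.

```javascript
const crypto = require('crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');

// Generate a random app-specific key. Only the returned attribute (public key
// plus expiry) is meant to be written to the profile; the private key stays local.
function provisionOrbitKey(ttlSeconds, now) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  return { privateKey, attribute: { publicKey: spki.toString('base64'), expires: now + ttlSeconds } };
}

// Sign the message payload as a compact JWT (header.payload.signature).
function signMessage(privateKey, from, content, now) {
  const head = b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ iss: from, iat: now, content }));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${head}.${body}.${b64u(sig)}`;
}

// Verify against the key published for the claimed sender. Returns claims or null.
function verifyMessage(token, lookupOrbitKey, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const [head, body, sig] = parts;
    const { alg } = JSON.parse(unb64u(head).toString());
    const claims = JSON.parse(unb64u(body).toString());
    if (alg !== 'ES256') return null; // pin the algorithm; never trust the header's choice
    const attr = lookupOrbitKey(claims.iss); // key comes from the profile, not the message
    if (!attr || attr.expires <= now) return null; // unknown sender or expired key
    const key = crypto.createPublicKey({ key: Buffer.from(attr.publicKey, 'base64'), format: 'der', type: 'spki' });
    const ok = crypto.verify('sha256', Buffer.from(`${head}.${body}`), { key, dsaEncoding: 'ieee-p1363' }, unb64u(sig));
    return ok ? claims : null;
  } catch (e) {
    return null; // malformed base64/JSON/key material is treated as unverified
  }
}

// Constructed demo: an in-memory Map stands in for the profile lookup.
const demoNow = 1472000000;
const demoKey = provisionOrbitKey(3600, demoNow);
const demoProfiles = new Map([['constructed-uport-address', demoKey.attribute]]);
const demoToken = signMessage(demoKey.privateKey, 'constructed-uport-address', 'hello', demoNow);
console.log(verifyMessage(demoToken, (id) => demoProfiles.get(id), demoNow + 60));
```

Rotating the key means publishing a new attribute before `expires` passes; in this sketch anything signed with an expired key no longer verifies.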

Status update:

(see screenshots below)

I've gotten it all working now with Orbit signing key as an attribute in the uPort profile. That is to say: it works now :) The keys generated are stored locally (in Orbit's data directory), so when you sign in, Orbit will use your existing key (as opposed to generating a new one every time). Upon first login, uPort will ask you to sign the attribute (orbitKey) with another QR code. It was quite a bit of work to make it all work nicely, and this included implementing the whole concept of "Identities" in Orbit as we didn't have that before. Now you can login with uPort or with a username+key combination (automatically handled by Orbit). Should be easy to add more/different providers in the future. I also made sure that if you change your name in uPort, all messages sent with the old name now display the new name.

The work happens here: https://github.com/haadcode/orbit/tree/uport. However, it's not quite working out of the box yet, I need to do some cleanups/documentation. If you do want to give it a try, see below (run the following commands in order).

You need to have access to the private uport-* repos in order for this to work!

On that note, @christianlundkvist, what's your plan on releasing the uport modules to the public? Without them being public, I can't put the integration to the master branch in Orbit as people won't be able to pull the uport-* repos/modules. So it'd be great to make them public sometime soon...

```
git clone -b uport https://github.com/haadcode/orbit.git
# enter the cloned repository before installing dependencies
cd orbit
npm install
cd client/
npm install
npm run build
cd ..
npm run electron
```

You might have to run IPFS daemon locally before starting Orbit with `API_ORIGIN=* ipfs daemon`

Let me know if you have any troubles! It's still a little rough and sometimes things break but it's mostly usable.

Next week: fixing last issues (CORS stuff), cleanups, make sure other people can clone and run (or provide a build), making sure everything works in non-optimal environments (such as conferences), etc.

@christianlundkvist @jbenet anything you would like to see (in terms of uPort integration) in addition to what's there now?

@haadcode Wow, awesome! That is so cool! 😃

> what's your plan on releasing the uport modules to the public?

These modules will definitely be public at least by Devcon, but we could also make them available sooner. We want to improve some of the flows, like for instance it's nicer if when signing an attribute only the attributes get sent to the phone (via QR) and you assemble the complete JSON on the phone instead of just signing the transaction on the phone as is done now.

Planning to merge all of this to master sometime this week.

Awesome! We're also improving the attestations flow, so you'll soon be able to easily scan your Orbit key, sign it with your uport key and add that to your uport profile.