# Sign In With Gitcoin

Unified place to authenticate customers and users with access roles across products (on-chain and off-chain). Similar to Sign In With Google, where any site can implement it to get access to the resources in the Google products.

When the user visits a product such as Checker, they can Sign In With Gitcoin. The user is redirected to a separate site where they enter their email or sign a message with their wallet, and is then redirected back again with a token. This token contains information about what resources the user can access. These resources can be both on-chain data like admin/manager roles in rounds, or off-chain like inviting reviewers to Checker.

### Challenges

- Updating roles for Rounds requires an on-chain transaction. These roles have access to make changes to the round and are stored in the smart contract (with the current protocol).
- Apps like Checker can add external people as reviewers with limited permissions. These permissions can't be stored on round contracts.
- New apps shouldn't have to write their own authentication.
- Are there existing solutions we can use? Clerk.dev or Auth0? Could SmartAccounts (AA + modules) be used for this use-case as a more web3-native way?

### Use-cases

- A round manager logs into Checker via Gitcoin Auth and can see all the rounds they have access to.
- A round admin can add team members as reviewers.
- Can also interact with Allo Protocol via AlloKit to add round managers.

### Solution Proposal

- **OpenIDConnect Provider**
  - Handle the login flow
  - Store account details in PostgresDB with Prisma
  - Query Indexer + Postgres for resources and put them in the `claim` function
  - Federated auth can let users sign in to GitcoinAuth with Google/GitHub/...
- **GitcoinOAuthProvider**
  - Connects products like Checker to GitcoinAuth. OAuth compatible and can be used in NextAuth.
  - Initiates the login flow and redirects back again with a JWT

JWT example:

```json
{
  "sub": "user-id",
  "iat": "issued-at",
  "user": {
    "email": "foo@gitcoin.co",
    "address": "0x...123"
  },
  "permissions": [
    { "resource": "round-id-1", "role": "admin", "type": "contract" },
    { "resource": "round-id-2", "role": "manager", "type": "contract" },
    { "resource": "round-id-3", "role": "reviewer", "type": "checker" },
    { "resource": "round-id-4", "role": "...", "type": "report-cards" }
  ]
}
```

This JWT is used both in the Checker backend (and other Gitcoin products) and in GitcoinAuth:

- In Checker: verify that this user can act on this round
- In GitcoinAuth: verify that this user can invite users to resources (and store the result in the off-chain permissions DB)

### Strategies for handling spam accounts

- Email required to create an account (this would be a good way to get the emails, instead of collecting them at round creation and in applications)
- The user must have created a round or an application
- Require a minimum token balance in the address

### Resources

- https://github.com/panva/node-oidc-provider
- https://next-auth.js.org
- https://thecopenhagenbook.com/
- https://www.prisma.io/dataguide/postgresql/authentication-and-authorization/role-management
- https://zenstack.dev/blog/model-authz
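The following is an added example, not code from this proposal or from any Gitcoin product, showing the Checker-side check on the JWT described above: verify the token GitcoinAuth handed back, then decide whether the `permissions` claim lets the user act on a given round. It assumes HS256 with a secret shared between GitcoinAuth and Checker (a real OIDC provider would more likely sign with RS256 and publish a JWKS), a numeric `iat` plus an `exp` claim that the page's example does not show, and the function names `signJwt`, `verifyJwt` and `canActOnRound` are hypothetical.

```typescript
// Added example (not Gitcoin code). Assumptions: HS256 with a shared secret,
// numeric iat/exp claims, and the permission shape from the JWT example above.
import { createHmac, timingSafeEqual } from "node:crypto";

type PermissionType = "contract" | "checker" | "report-cards";

interface Permission {
  resource: string; // e.g. a round id
  role: string;     // "admin" | "manager" | "reviewer" | ...
  type: PermissionType;
}

interface GitcoinClaims {
  sub: string;
  iat: number;
  exp: number;
  user: { email: string; address: string };
  permissions: Permission[];
}

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

// Issuer side (GitcoinAuth in the real system); included only so the example runs stand-alone.
export function signJwt(claims: GitcoinClaims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Verifier side (Checker backend). Returns the claims only when the algorithm is the
// pinned one, the HMAC matches, and the token has not expired; otherwise null.
export function verifyJwt(token: string, secret: string, nowSeconds: number): GitcoinClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;

  // Pin the algorithm instead of trusting the token's "alg" to choose the verifier
  // (rejects "alg": "none" and algorithm-confusion tokens outright).
  let alg: unknown;
  try {
    alg = JSON.parse(Buffer.from(header, "base64url").toString("utf8")).alg;
  } catch {
    return null;
  }
  if (alg !== "HS256") return null;

  // Constant-time comparison of the expected and presented signatures.
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;

  let claims: GitcoinClaims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
  if (!Array.isArray(claims.permissions)) return null;
  return claims;
}

// "In Checker: verify that this user can act on this round". Exact match on the
// resource id and permission type; the endpoint lists which roles it accepts,
// so no role hierarchy is assumed here.
export function canActOnRound(
  claims: GitcoinClaims,
  roundId: string,
  allowedRoles: string[],
  type: PermissionType = "contract",
): boolean {
  return claims.permissions.some(
    (p) => p.resource === roundId && p.type === type && allowedRoles.includes(p.role),
  );
}
```

Two design points worth keeping when this is wired to a real provider: the algorithm is pinned in code rather than read from the token, and authorization is an exact match on `(resource, type, role)`, so a `reviewer` permission of type `checker` never satisfies a check for a contract role on the same round. With node-oidc-provider issuing RS256 tokens, the HMAC step would be replaced by verification against the issuer's JWKS (for example with the `jose` library), while `canActOnRound` stays the same.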