Sign in With Ethereum Community Call #10

# Sign in With Ethereum Community Call #10 ### Date: 2022/01/27 ### Agenda: - [General] Reader Notes & Updates - [General] Introductions - [Show & Tell] SIWE Updates (core library updates, OIDC updates, documentation updates, discourse updates) - [Q&A] ## Reader Notes and Updates - SIWE library is out and can be found [here](https://github.com/spruceid/siwe). - The [Discord](http://discord.gg/WjvuYqvm5Y) server is always open for questions and those that wish to participate. - We're working on support for different languages and plugins, please reach out if you're interested in a SIWE integration. - Documentation: if you're about to embark, let us know what you think would be best to include! All feedback is welcome. ## Introductions - [Jordan R] - community manager at 1inch exchange. Interested in the standard. - [Billy L] - worked with the Spruce guys before. Working on a new kind of identity protocol and wanted to get reconnected to you guys. - [Brantly] - Wanted to share what we're doing with ENS. We're redesigning the manager app and we have it working in three states: read only, connected wallet, and the third state is signing in. The core parts will work but you can additionally sign in for additional features that require our server. - We're going to add persistent favorites - saving any kind of settings like light mode, dark mode, also ENS.eth registration has a commit / reveal so the secret is browser side and now we can save it on our sever. You can use it by basic connection but this has additional features. ## SIWE Updates - [Wayne] - Dapps are going to have to provide better UX for users - as soon as dapps can upgrade with user state and provide a secure experience, it's a game changer. What if you can Sign-In with Ethereum to your DEX and get your token lists. Maybe you can also load your slippage tolerances and trading scripts? There's a lot that can be done. - [Wayne] - I want to do a quick runthrough of the quickstart tutorial that we're going to release soon. - (walkthrough of the quickstart and documentation) Just need to make sure people can have a great first experience as they run through it. - [Brantly] - Friends don't let friends roll their own signing message. Bespoke messages are missing critical things. If people want to do sign-in, point them to login.xyz. - [Wayne] - One update that we'd like to share, we're working through these problems integrating with web2 services that expect email. We are close to the end of the integration with Discourse, but it requires a new email for an account. We can link to existing accounts, but to make it fully SIWE, they require an email for this. When you make a username and password it's okay, but when you add a different authentication provider, they're expecting an email. - As we figure this out we're going to continue posting content, writing libraries and more. - Another update, Simon can share more about OIDC certification. - [Simon] - We have an OIDC provider that we've been working on for a while. It's a simple workflow: we can look up the person and use an address as the user ID and we'll have ENS resolution. Apart from that, we implemented our own IdP using OIDC libraries. so it's in rust. I've been making sure it's conformant to OIDC because OIDC is extensive. - (Wayne shares OIDC [certification requirements](https://openid.net/certification/)) - There are more tests than 30 - and mainly because we are restricted in the information that we have, we can't pass _all_ the tests, but mainly we pass everything just small details here and there. - [Wayne] - We are storing so little data about users that most of the tests don't apply to this. We shouldn't be storing data if it's not necessary to the core function of the service. It's easy for IT administrators to adopt it when it's in this format. - [Rocco] - (highlights of recent integrations) - and friends don't let friends roll their own SIWE. - [Wayne] - There isn't a single owner of Sign-In with Ethereum. If we can give wallet providers a predictable way to see that message format, there's so much more we can unlock. We can even do domain binding - so when it's 'example.org wants you to sign in' - the wallet can check that the message is actually coming from that site rather than a MiTM attack.