Sign In With Ethereum
In addition to traditional login methods such as Google and Apple, DIMO allows users to sign in with their Ethereum wallets.
To verify that a user possesses the private key for a particular Ethereum address, the DIMO identity server sends the user a challenge message of the following form:
[Image: a challenge signature request in Metamask]
The random string, or nonce, guards against replay attacks and expires after a short duration. "Signing" here means passing the message to eth_sign, which adds a short prefix and calculates the ECDSA signature according to Appendix F of the Yellow Paper. The user completes this operation in their chosen wallet software and submits the signature to the identity server.
On the backend, the signature is combined with the hash of the original message to recover a public key and hence an address. If this address is the expected one then the server trusts that the submitter controls the corresponding Ethereum wallet.
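The flow described above, carried through end to end as an added example (this is not DIMO's or Dex's code): the prefix applied before hashing, Keccak-256, signing on the wallet side, and public-key recovery plus address comparison on the server side, all in dependency-free Python. The nonce derivation inside sign() is a simplified demo stand-in for RFC 6979, and the private key and challenge text used to exercise it are constructed.

```python
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001, 0x8000000080008081,
      0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A, 0x8000808B, 0x800000000000008B,
      0x8000000000008089, 0x8000000000008003, 0x8000000000008002, 0x8000000000000080, 0x800A,
      0x800000008000000A, 0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61], [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
rol = lambda v, k: ((v << k) | (v >> (64 - k))) & ((1 << 64) - 1)  # 64-bit rotate left
def keccak256(data: bytes) -> bytes:  # original Keccak-256 (0x01 padding) as Ethereum uses it, not NIST SHA3-256
    buf = bytearray(data) + b"\x01" + b"\x00" * ((-len(data) - 1) % 136); buf[-1] |= 0x80
    st = [0] * 25  # 5x5 state of 64-bit lanes, lane index = x + 5*y; rate 136 bytes = 17 lanes
    for off in range(0, len(buf), 136):
        for i in range(17): st[i] ^= int.from_bytes(buf[off + 8*i:off + 8*i + 8], "little")
        for rc in RC:  # 24 rounds of theta, rho+pi, chi, iota
            c = [st[x] ^ st[x+5] ^ st[x+10] ^ st[x+15] ^ st[x+20] for x in range(5)]
            st = [st[i] ^ c[(i-1) % 5] ^ rol(c[(i+1) % 5], 1) for i in range(25)]
            b = {y + 5*((2*x + 3*y) % 5): rol(st[x + 5*y], ROT[x][y]) for x in range(5) for y in range(5)}
            st = [b[i] ^ (~b[(i+1) % 5 + 5*(i//5)] & b[(i+2) % 5 + 5*(i//5)]) for i in range(25)]
            st[0] ^= rc
    return b"".join(st[i].to_bytes(8, "little") for i in range(4))
P = 2**256 - 2**32 - 977  # secp256k1 field prime, group order and generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    l = 3*a[0]*a[0] * pow(2*a[1], -1, P) if a == b else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)
    x = (l*l - a[0] - b[0]) % P
    return (x, (l*(a[0] - x) - a[1]) % P)
def ec_mul(k, pt):  # recursive double-and-add scalar multiplication
    return None if k == 0 else ec_add(ec_mul(k >> 1, ec_add(pt, pt)), pt if k & 1 else None)
def address(pub):  # Ethereum address = last 20 bytes of keccak256(x || y)
    return "0x" + keccak256(pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big"))[12:].hex()
def eth_hash(msg: bytes) -> bytes:  # the "short prefix" the page mentions (EIP-191 personal_sign form)
    return keccak256(b"\x19Ethereum Signed Message:\n" + str(len(msg)).encode() + msg)
def sign(priv: int, h: bytes):  # wallet side; k derived from key+hash is a demo stand-in for RFC 6979
    e, k = int.from_bytes(h, "big"), int.from_bytes(keccak256(priv.to_bytes(32, "big") + h), "big") % N or 1
    R = ec_mul(k, G); r, v = R[0] % N, 27 + (R[1] & 1)
    s = pow(k, -1, N) * (e + r * priv) % N
    return (r, N - s, 55 - v) if s > N // 2 else (r, s, v)  # low-s form; negating s flips the recovery id
def recover(h: bytes, r: int, s: int, v: int):  # server side: Q = r^-1 (s*R - e*G), R rebuilt from (r, parity v)
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)
    if (y & 1) != (v - 27): y = P - y
    e, ri = int.from_bytes(h, "big"), pow(r, -1, N)
    return ec_add(ec_mul(s * ri % N, (r, y)), ec_mul((-e * ri) % N, G))
def verify_login(message: bytes, sig, expected_address: str) -> bool:  # the identity server's check
    return address(recover(eth_hash(message), *sig)).lower() == expected_address.lower()
```

A wallet would produce sig with its own key over the nonce-bearing challenge; the server only needs the message, the signature and the claimed address.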
Following this, the server issues a signed identity token, a JWT, to the user carrying some non-traditional fields:
// Usual fields like sub, iss, aud.
Various microservices accept this as a credential, verifying its authenticity using the advertised public key of the identity server. This part is not specific to Ethereum logins, and most of this functionality is inherited from Dex, an open-source identity provider common in the Kubernetes world. The DIMO Dex fork is similarly open-source and available for others to use. Relying on public key cryptography allows most DIMO services to avoid calling out to a central authorization server upon every request.
One way in which Ethereum logins differ from other kinds is in the absence of refresh tokens: these are disabled for wallet log-ins since there is no way to revoke access to a basic Ethereum account, as one might do for a Google account by changing the password. A user simply must log in again to continue using the app once the token has expired.
We should also note the existence of the Sign-In With Ethereum specification, currently in review as EIP-4361, which attempts to standardize a set of fields for challenge messages such as the one above. We're interested in adopting the final standard, particularly if wallet support grows.