From 3a239d135787ab083598c82c62a67983ba07641e Mon Sep 17 00:00:00 2001 From: Sanzib Khaund Date: Fri, 30 Aug 2024 11:26:30 -0700 Subject: [PATCH 1/2] Credenza created initial sip-temporary_title.md --- sips/sip-temporary_title.md | 126 ++++++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 sips/sip-temporary_title.md diff --git a/sips/sip-temporary_title.md b/sips/sip-temporary_title.md new file mode 100644 index 0000000..ec73902 --- /dev/null +++ b/sips/sip-temporary_title.md 
@@ -0,0 +1,126 @@ + +| SIP-Number | N/A | +| -----------: | :--------------------------------------------------- | +| Title | Credenza Pasport +| Description | OpenID provider enabled for zkLogin on Sui. +| Author | Credenza Inc. +| Editor | N/A +| Type | Standard +| Category | Core +| Created | 2024-08-22 +| Comments-URI | N/A +| Status | N/A +| Requires | N/A + + +## Abstract + +Credenza provides Passport as a simple authentication + wallets system to embed into existing accounts with access to domain-specific contracts to manage customer data, loyalty programs, digital rights management, and other critical use cases for sports & entertainment customers. + +## Motivation + +Credenza’s traction and ability to offer an extensible solution for sports teams allow for unique access to Credenza’s managed contracts and SaaS platform to open the door to common use cases in the sports & entertainment space and will allow Credenza to seamlessly migrate customers from Polygon. + +## Specification + +Credenza’s system is compatible with the current OAuth standards. 
+ + +Item +Endpoint +Example Content +OIDC configuration +https://accounts.credenza3.com/openid-configuration +{ +"issuer": "string", +"authorization_endpoint": "string", +"token_endpoint": "string", +"userinfo_endpoint": "string", +"revocation_endpoint": "string", +"jwks_uri": "string", +"response_types_supported": [], +"subject_types_supported": [], +"id_token_signing_alg_values_supported": [], +"scopes_supported": [], +"token_endpoint_auth_methods_supported": [], +"claims_supported": [], +"code_challenge_methods_supported": [], +"grant_types_supported": [] +} +Visit the endpoint for original details +JWK endpoint +https://accounts.credenza3.com/jwks +{ +"keys": [ +{ +"kty": "string", +"kid": "string", +"use": "string", +"alg": "string", +"e": "string", +"n": "string" +}, +] +} +Visit the endpoint for original details +Issuer +https://accounts.credenza3.com +https://accounts.credenza3.com +Authorization link +https://accounts.credenza3.com/oauth2/authorize +https://accounts.credenza3.com/oauth2/authorize?client_id=65954ec5d03dba0198ac343a&response_type=token&scope=openid+profile+email+phone+blockchain.sui+blockchain.sui.write&state=state&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback&nonce=hTPpgF7XAKbW37rEUS6pEVZqmoI +Allowed Client IDs +* +65954ec5d03dba0198ac343a + + + +## JWK rotation details + +Every 180 days. + + + + +## JWK endpoint availability + +https://status.credenza3.com When The app goes down Credenza get a slack notification so we can fix it ASAP +JWK is served through the accounts app + +## Signing key storage details + +Is stored in the DB additionally encrypted. + +## Rationale + +We do not have many users currently, so we decide we are good with a standard periodic rotation, with the dual key strategy. 180d overlap. + +## Backwards Compatibility + +ZkLogin wallets are domain separated by the OpenID issuer and its client ID. There is no backward compatibility issue with existing issuers. 
+ +Once this SIP is finalized with the configurations defined above (issuer string, client ID etc), they will not change again. Otherwise, the wallet created based on this configuration will result in loss of funds. + +## Test Cases +Nonce: hTPpgF7XAKbW37rEUS6pEVZqmoI +eyJ0eXAiOiJqd3QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkpHNm9aa0lCcVFka3BuQ25ENDc5ekZYZ01BNV9JN2ktYUhBVjBNUnd2RHMifQ.eyJpYXQiOjE3MjQ0MTc5ODQsImV4cCI6MTc4NDQxNzkyNCwiYXVkIjoiNjU5NTRlYzVkMDNkYmEwMTk4YWMzNDNhIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5jcmVkZW56YTMuY29tIiwic3ViIjoiNjViMGU5ZjViOWZmOWI1MjI1ZGMwYWJiIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCBwaG9uZSBibG9ja2NoYWluLmV2bSBibG9ja2NoYWluLmV2bS53cml0ZSBibG9ja2NoYWluLnN1aSBibG9ja2NoYWluLnN1aS53cml0ZSIsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJ0b2tlbl91c2UiOiJhY2Nlc3MiLCJub25jZSI6ImhUUHBnRjdYQUtiVzM3ckVVUzZwRVZacW1vSSJ9.CfnlaM77g2_stGQmCRTOPwNqK0aaDEWux_b36lwCt1Mq8G99GBazJ18WqK9472EKF89CMGHOoVpaYN9WNXOqUNEmvNY3mtW0UTH8MiSHRO5Hc1qGJo2Bun8Xjm84EMyUrm9-eh0yK33rQ8laKaXdzW-epWM4095U4gpH9n3xi749hh_ua_G-O16u-dW6-T2lubBibya_FTFPbLsqgGDJs7hIXk3AJGzUxDvN0ig5g89whyauuPZuvix3hSGuFxO-Gwk0eCQFSuF6YMSf7oOnMf0d8FYvHLsJD23QBsOlNBRY7S8ZwihbJztk7ipaTKqvB1R_eeF-q1vNkppo34rmkw + + +https://www.youtube.com/watch?v=thIFvCvzJbg +https://docs.google.com/presentation/d/1pOxMHs93EBADUX8l09etBqAzERvqFYCVbZAF8zwbpyc/edit#slide=id.g2f5894025e2_0_0 +## Reference Implementation + +N/A. To be implemented by the Mysten Labs team. + +## Security Considerations +The certificate signing key is stored in the DB aes-256-cbc encrypted. +OAUTH2/OIDC users CAN create no more then 2 clients(Public + Confidential) at https://developers.credenza3.com + + +If the JWK endpoint is unavailable, all zkLogin wallets associated with the provider will be locked out of their wallet since JWT cannot be generated. +If the signing key is compromised, all wallets associated with this provider will result in loss of funds since anyone can forfeit the JWT and ZK proof as a result. + + +## Copyright + +Copyright Credenza Inc., 2024 
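Review bot: The "Allowed Client IDs" row lists `*` next to `65954ec5d03dba0198ac343a`, which is at odds with the Backwards Compatibility sentence that the issuer string and client ID "will not change again" once finalized; since Security Considerations say any OAuth2/OIDC user can register up to two clients at https://developers.credenza3.com, a wildcard would let any self-registered client_id pass as a valid `aud` for this issuer, and zkLogin addresses are domain-separated by (issuer, client ID), so the row should name only the fixed client ID(s). Two related gaps in the same hunk: the example authorization link uses `response_type=token`, and the sample JWT in Test Cases decodes to a payload with `"token_use":"access"` and `"token_type":"Bearer"`, i.e. an access token rather than an ID token, with `exp` 1784417924 just under 60,000,000 seconds (about 694 days) after `iat` 1724417984; the test vector should be an ID token (code flow or `response_type=id_token`) with a normal short lifetime, since the `nonce` binding the spec relies on is an ID token claim. The discovery URL is given as https://accounts.credenza3.com/openid-configuration rather than the standard `/.well-known/openid-configuration` path; confirm which path is actually served so integrators do not hard-code the wrong one. Finally, "Signing key storage details" says the key is stored in the DB "additionally encrypted" (AES-256-CBC per Security Considerations) but not where the wrapping key lives, who can decrypt, or whether integrity is protected (CBC alone gives none); for a key whose compromise the same section says means loss of funds for every wallet, an HSM/KMS-held key with access auditing is the answer reviewers will expect.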
From 5d322fc1da21578314491ed84de49b89fa58794d Mon Sep 17 00:00:00 2001 From: Will Riches Date: Tue, 17 Dec 2024 02:18:12 +0000 Subject: [PATCH 2/2] Move SIP-41 to Fast Track --- sips/{sip-temporary_title.md => sip-41.md} | 130 ++++++++++----------- 1 file changed, 63 insertions(+), 67 deletions(-) rename sips/{sip-temporary_title.md => sip-41.md} (59%) diff --git a/sips/sip-temporary_title.md b/sips/sip-41.md similarity index 59% rename from sips/sip-temporary_title.md rename to sips/sip-41.md index ec73902..cbc9e74 100644 --- a/sips/sip-temporary_title.md +++ b/sips/sip-41.md @@ -1,16 +1,16 @@ -| SIP-Number | N/A | -| -----------: | :--------------------------------------------------- | -| Title | Credenza Pasport -| Description | OpenID provider enabled for zkLogin on Sui. -| Author | Credenza Inc. -| Editor | N/A -| Type | Standard -| Category | Core -| Created | 2024-08-22 -| Comments-URI | N/A -| Status | N/A -| Requires | N/A +| SIP-Number | 41 | +| ---: | :--- | +| Title | Add Credenza OpenID | +| Description | OpenID provider enabled for zkLogin on Sui. | +| Author | Credenza Inc. | +| Editor | Will Riches \ | +| Type | Standard | +| Category | Core | +| Created | 2024-08-22 | +| Comments-URI | https://sips.sui.io/comments-41 | +| Status | Fast Track | +| Requires | | ## Abstract 
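Review bot: The new `Editor` cell reads `Will Riches \ |` with a dangling backslash and nothing after it, so the contact (or escaped angle brackets) appears to have been lost in this edit; either complete it or drop the backslash. The `Requires` cell was changed from `N/A` to empty while every other unused field in the header keeps an explicit value; pick one convention for the table. The retitling from "Credenza Pasport" to "Add Credenza OpenID" also fixes the original typo, but the `Description` still reads "OpenID provider enabled for zkLogin on Sui." as a fragment; "Add Credenza as an OpenID provider for zkLogin on Sui" would read as a sentence and match the new title.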
@@ -25,67 +25,64 @@ Credenza’s traction and ability to offer an extensible solution for sports tea Credenza’s system is compatible with the current OAuth standards. +### OIDC configuration -Item -Endpoint -Example Content -OIDC configuration https://accounts.credenza3.com/openid-configuration -{ -"issuer": "string", -"authorization_endpoint": "string", -"token_endpoint": "string", -"userinfo_endpoint": "string", -"revocation_endpoint": "string", -"jwks_uri": "string", -"response_types_supported": [], -"subject_types_supported": [], -"id_token_signing_alg_values_supported": [], -"scopes_supported": [], -"token_endpoint_auth_methods_supported": [], -"claims_supported": [], -"code_challenge_methods_supported": [], -"grant_types_supported": [] -} -Visit the endpoint for original details -JWK endpoint + + { + "issuer": "string", + "authorization_endpoint": "string", + "token_endpoint": "string", + "userinfo_endpoint": "string", + "revocation_endpoint": "string", + "jwks_uri": "string", + "response_types_supported": [], + "subject_types_supported": [], + "id_token_signing_alg_values_supported": [], + "scopes_supported": [], + "token_endpoint_auth_methods_supported": [], + "claims_supported": [], + "code_challenge_methods_supported": [], + "grant_types_supported": [] + } + +### JWK endpoint + https://accounts.credenza3.com/jwks -{ -"keys": [ -{ -"kty": "string", -"kid": "string", -"use": "string", -"alg": "string", -"e": "string", -"n": "string" -}, -] -} -Visit the endpoint for original details + + { + "keys": [ + { + "kty": "string", + "kid": "string", + "use": "string", + "alg": "string", + "e": "string", + "n": "string" + }, + ] + } + Issuer -https://accounts.credenza3.com -https://accounts.credenza3.com +- `https://accounts.credenza3.com` + Authorization link -https://accounts.credenza3.com/oauth2/authorize 
-https://accounts.credenza3.com/oauth2/authorize?client_id=65954ec5d03dba0198ac343a&response_type=token&scope=openid+profile+email+phone+blockchain.sui+blockchain.sui.write&state=state&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback&nonce=hTPpgF7XAKbW37rEUS6pEVZqmoI -Allowed Client IDs -* -65954ec5d03dba0198ac343a +- `https://accounts.credenza3.com/oauth2/authorize` +- `https://accounts.credenza3.com/oauth2/authorize?client_id=65954ec5d03dba0198ac343a&response_type=token&scope=openid+profile+email+phone+blockchain.sui+blockchain.sui.write&state=state&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback&nonce=hTPpgF7XAKbW37rEUS6pEVZqmoI` +Allowed Client IDs +- `*` +- `65954ec5d03dba0198ac343a` ## JWK rotation details Every 180 days. - - - ## JWK endpoint availability -https://status.credenza3.com When The app goes down Credenza get a slack notification so we can fix it ASAP -JWK is served through the accounts app +https://status.credenza3.com When the app goes down, Credenza get a slack notification so we can fix it ASAP +JWK is served through the accounts app. ## Signing key storage details 
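Review bot: The JWK example under `### JWK endpoint` still has a trailing comma after the single key object (`},` followed by `]`), so the snippet is not valid JSON as rendered; drop the comma. The restructure promotes "OIDC configuration" and "JWK endpoint" to `###` headings but leaves "Issuer", "Authorization link" and "Allowed Client IDs" as bare lines above their bullet lists, so they render as ordinary paragraphs; give them the same heading level. The `- \`*\`` entry under Allowed Client IDs survives the reformat unchanged; if the wildcard is intentional it needs one sentence explaining why it does not conflict with the "will not change" guarantee in Backwards Compatibility. The availability line was touched but still reads "Credenza get a slack notification"; it needs "gets" and "Slack", and the two sentences should be separated ("https://status.credenza3.com. When the app goes down, ...").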
@@ -97,30 +94,29 @@ We do not have many users currently, so we decide we are good with a standard pe ## Backwards Compatibility -ZkLogin wallets are domain separated by the OpenID issuer and its client ID. There is no backward compatibility issue with existing issuers. +zkLogin wallets are domain separated by the OpenID issuer and its client ID. There is no backward compatibility issue with existing issuers. Once this SIP is finalized with the configurations defined above (issuer string, client ID etc), they will not change again. Otherwise, the wallet created based on this configuration will result in loss of funds. ## Test Cases + +``` Nonce: hTPpgF7XAKbW37rEUS6pEVZqmoI eyJ0eXAiOiJqd3QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkpHNm9aa0lCcVFka3BuQ25ENDc5ekZYZ01BNV9JN2ktYUhBVjBNUnd2RHMifQ.eyJpYXQiOjE3MjQ0MTc5ODQsImV4cCI6MTc4NDQxNzkyNCwiYXVkIjoiNjU5NTRlYzVkMDNkYmEwMTk4YWMzNDNhIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5jcmVkZW56YTMuY29tIiwic3ViIjoiNjViMGU5ZjViOWZmOWI1MjI1ZGMwYWJiIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCBwaG9uZSBibG9ja2NoYWluLmV2bSBibG9ja2NoYWluLmV2bS53cml0ZSBibG9ja2NoYWluLnN1aSBibG9ja2NoYWluLnN1aS53cml0ZSIsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJ0b2tlbl91c2UiOiJhY2Nlc3MiLCJub25jZSI6ImhUUHBnRjdYQUtiVzM3ckVVUzZwRVZacW1vSSJ9.CfnlaM77g2_stGQmCRTOPwNqK0aaDEWux_b36lwCt1Mq8G99GBazJ18WqK9472EKF89CMGHOoVpaYN9WNXOqUNEmvNY3mtW0UTH8MiSHRO5Hc1qGJo2Bun8Xjm84EMyUrm9-eh0yK33rQ8laKaXdzW-epWM4095U4gpH9n3xi749hh_ua_G-O16u-dW6-T2lubBibya_FTFPbLsqgGDJs7hIXk3AJGzUxDvN0ig5g89whyauuPZuvix3hSGuFxO-Gwk0eCQFSuF6YMSf7oOnMf0d8FYvHLsJD23QBsOlNBRY7S8ZwihbJztk7ipaTKqvB1R_eeF-q1vNkppo34rmkw +``` - -https://www.youtube.com/watch?v=thIFvCvzJbg -https://docs.google.com/presentation/d/1pOxMHs93EBADUX8l09etBqAzERvqFYCVbZAF8zwbpyc/edit#slide=id.g2f5894025e2_0_0 ## Reference Implementation N/A. To be implemented by the Mysten Labs team. ## Security Considerations -The certificate signing key is stored in the DB aes-256-cbc encrypted. 
-OAUTH2/OIDC users CAN create no more then 2 clients(Public + Confidential) at https://developers.credenza3.com +The certificate signing key is stored in the DB aes-256-cbc encrypted. +OAUTH2/OIDC users CAN create no more then 2 clients (Public + Confidential) at https://developers.credenza3.com If the JWK endpoint is unavailable, all zkLogin wallets associated with the provider will be locked out of their wallet since JWT cannot be generated. If the signing key is compromised, all wallets associated with this provider will result in loss of funds since anyone can forfeit the JWT and ZK proof as a result. - ## Copyright -Copyright Credenza Inc., 2024 +Copyright Credenza Inc., 2024 \ No newline at end of file
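Review bot: "anyone can forfeit the JWT and ZK proof" in Security Considerations should read "forge", and "no more then 2 clients" should be "no more than 2 clients"; both lines are touched in this hunk (the second only to insert a space), so the typos could be fixed here. The sentence on JWK endpoint unavailability says wallets are locked out "since JWT cannot be generated", which conflates two failures: a consumer that cannot fetch `jwks_uri` cannot verify a token even if one was issued, and, because the availability section says the JWK is served through the same accounts app, an outage there stops issuance as well; state both rather than the one that is not the JWKS endpoint's job. The new fenced block in Test Cases has no language tag and puts the `Nonce:` label in the same block as the raw token; a ```text fence with the nonce and the JWT on separately labelled lines would be clearer. The YouTube and Google Docs links were deleted without replacement; if they were the demo and deck for this SIP, a line saying where that material now lives would help reviewers. The file also ends without a trailing newline (`\ No newline at end of file`).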