Sign-In with Ethereum (SIWE) Authentication

Overview

The Sign-In with Ethereum (SIWE) feature in Rave enables a decentralized and secure authentication mechanism, leveraging the power of blockchain technology and public-private key cryptography. SIWE allows users to authenticate by signing a unique, nonce-based message using their Ethereum wallet, removing the need for traditional passwords or centralized identity stores.

By linking Ethereum wallet addresses to user accounts, this feature ensures a secure and user-centric authentication experience across supported platforms.

How It Works

Registration

When a user opts to use SIWE for authentication, they first link their Ethereum wallet to their account. This is achieved by generating and signing a unique message using the private key of their wallet, securely associating the wallet address with their Rave user account.

Steps:

1. The server generates a SIWE message using the following structure:

   • domain: The domain requesting authentication, ensuring the message is bound to a specific context (e.g., example.com).

   • address: The user’s Ethereum wallet address, serving as their unique identifier.

   • statement: A human-readable message explaining the purpose of signing, such as “Sign in to Example App.”

   • uri: The URI of the application or service requesting authentication.

   • version: The SIWE protocol version used (e.g., “1”).

   • chain_id: The blockchain network ID where the Ethereum address resides (e.g., 1 for Ethereum Mainnet).

   • nonce: A unique random value to prevent replay attacks.

   • issued_at: The timestamp indicating when the message was created in ISO 8601 format.

2. The server sends the generated message to the client.

3. The user signs the message using their Ethereum wallet (e.g., MetaMask or WalletConnect).

4. The server verifies the signature and links the wallet address to the user account upon successful validation.

Authentication

After registration, users can authenticate by signing a new nonce-based message with their Ethereum wallet. This process verifies the ownership of the linked wallet and grants access to their account.

Steps:

1. The server generates a new SIWE message, including a fresh nonce and the required parameters (see the Registration section for structure details).

2. The user signs the message with their wallet and sends it back to the server.

3. The server verifies the signature using the linked wallet address and the SIWE message structure.

4. If the signature is valid, the user is successfully authenticated.

Credential Management

SIWE credentials (Ethereum wallet addresses) can be managed programmatically via the Rave API. Available operations include:

• Adding a new wallet: Link additional Ethereum wallets to the user account by signing and verifying a SIWE message.

• Viewing linked wallets: Retrieve a list of all wallet addresses associated with the account.

• Removing a wallet: Unlink an Ethereum wallet that is no longer in use.

SIWE Settings

The SIWE feature includes several configuration options managed by Rave. While these settings are not user-configurable at the moment, Rave support can assist in customizing them for your application as needed.

Available settings:

• Domain: The domain associated with the authentication flow. Used to verify the authenticity of requests.

• URI: The URI of the server handling the SIWE authentication process.

• Version: The version of the SIWE protocol being used.

• Chain ID: The Ethereum network chain ID for the authentication flow (e.g., 1 for Mainnet).

• Authentication Timeout: The duration (in milliseconds) within which the signed message must be verified to prevent replay attacks.

For adjustments to these settings, please contact Rave support. These configurations ensure that the SIWE implementation is tailored to your application’s security and operational requirements.

Considerations

• Decentralized Security: Authentication relies on the user’s wallet and private key, reducing the risk of centralized data breaches.

• Browser and Wallet Compatibility: Ensure that users are using supported Ethereum wallets (e.g., MetaMask, Trust Wallet) and browsers with Web3 capabilities.

• Nonce Validity: Signed nonces must be time-sensitive to prevent replay attacks.