JWT Issuer Proof of Concept
Overview
Simple PoC to issue JSON Web Tokens (JWTs) with a canister on the Internet Computer. It allows the issuance of two types of JWTs:
- Symmetric (kind:
mac
, algo:HS256
) uses a secret stored in the canister (not secure against a single malicious node provider). - Asymmetric (kind:
tecdsa
, algoES256k
) uses Threshold ECDSA (tECDSA) and kindiccsa
uses canister signatures.
The JWT's sub
(subject) field will be set to the principal of the caller. In tECDSA
mode the iss
(issuer) field will be set to the did:key
representation of the tECDSA public key.
The canister signature (ICCSA) implementation is based on the Internet Identity implementation. The iss
is set to the principal of the canister and the signature field of the JWT is set to the base64url encoded ICCSA certificate. Obviously no JWT library will be available to verify a JWT with algo: ICCSA
and there might be better encodings. This is just meant as a PoC.
Quickstart
If you want to test your project locally, you can use the following commands:
# Starts the replica, running in the background
dfx start --background
# Deploys your canisters to the replica and generates your candid interface
dfx deploy
Interacting with the minimal web UI
Once the job completes, your application will be available at http://localhost:8000?canisterId={frontend_canister_id}
.
Interacting wth dfx
Coming soon :)