How should we handle login of deployed services?

[jonasstrehle]

Let's think about how a deployed service can authenticate in Supranet.
We're going to solve the issue of loosing keys due to unpersistent docker containers and in favour of portability by using the unyt Auth service to store our keys for deployed apps. If the app looses keys we need an option to login again by using password and 2FA.

• Is it fine to show a login dialog for our internal services by exposing some default route? https://docs.unyt.org/@auth
• Should UIX wait for manual login via URL before we launch the UIX app? (Report the URL to GitHub action log / discord?)
• Should we implement a GitHub Action to handle only 2FA (by creating login URL / saving password in repo secret)? Should GitHub Action also handle 2FA?

[jonasstrehle]

@benStre @asbng

[benStre]

I'm not sure if we want to use GitHub actions for this, it's just not a good enough general solution for UIX apps. We don't want to take care of GitHub account login and APIs.

I think the process should be something like that:

1. when a UIX app is started (we don't really need a distinction between local development and deployment), it checks if it already has cached private keys for the current app endpoint and if they are valid. If [they are not valid] or [there are no keys and the endpoint is already registered in the blockchain] (e.g. @+example or @example.app), then wen proceed with step 2b. Otherwise, we assume its a new endpoint or anonymous endpoint and create new keys locally and proceed with step 2a if it is a subendpoint.

• 2a) Registration: This only happens when a subendpoint with keys is created for the first time. We want to provide a functionality to immediately store the private keys for @+example.xy in unyt auth. Per default we should only allow storing keys with the @+example main endpoint (we could allow developer accounts that have a REPRESENTED_BY association or something like that in the future). Before the UIX app is actually launched, we provide a message + web page similar to 2b), with a registration link redirecting to unyt auth. When you are logged in as @example in unyt auth, the UIX app will send you the private keys for the newly created endpoint (e.g @+example.xy)
• 2b) Login: The UIX app does not yet launch, but a unyt auth login link with an explanation message is shown in the dev console. We start a web server listening to the app port that just provides a single page that also shows the explanation message and the auth login link. After a successful login, the unyt auth webpage sends the private keys back to the temporary UIX endpoint.

[benStre]

moved this discussion to https://github.com/unyt-org/uix, because it is mainly a UIX issue. unyt auth just implements the necessary interfaces.