Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 5 additions & 6 deletions docs/guides/security/identity-and-access-management.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -241,11 +241,10 @@ and [Android](https://developer.android.com/training/app-links/verify-android-ap

For more information, view an [example implementation in the form of a Unity app](https://github.com/dfinity/examples/tree/master/native-apps/unity_ii_deeplink). The following pieces of that codebase are most important:

* Generation of the intermediate session key [in index.js](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L25).
* [Authentication using the intermediate session key](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L26-L36) instead of the mobile app public key.
* [Generating the delegation chain](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L48-L57) by combining the delegation obtained from II with a delegation created by the frontend.
* [Returning the delegation chain using an applink/universal link](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L71).
* Returning the delegation chain [using a URI fragment](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L73).
* The example is currently being improved whereby the delegation chain will also be verified in the mobile app before using it.
* [Generating the intermediate (middle) key](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L84) (`ECDSAKeyIdentity.generate()`): the private key stays in the browser via the WebCrypto API and is never extractable.
* [Authenticating with the intermediate key](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L88-L89) (passing `middleKeyIdentity` to `AuthClient`) instead of the mobile app's public key, so II can never issue a delegation directly usable by the app.
* [Generating the delegation chain](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L102-L108) by combining the II-issued delegation with a second, short-lived delegation from the middle key to the app's Ed25519 session key.
* [Returning the delegation chain using a URI fragment](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L130-L133) (`#delegation=…`) so the chain is not included in any HTTP request if the deep link falls through to the browser. The example uses a custom URL scheme (`org.dfinity.unity-ii://`) by default; see the [README](https://github.com/dfinity/examples/tree/master/native-apps/unity_ii_deeplink#upgrading-to-https-deep-links-for-production) for upgrading to Android App Links or iOS Universal Links for production.
* [Verifying the delegation chain](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/unity_project/Assets/Scripts/DeepLinkPlugin.cs#L105-L111) in the mobile app before constructing the identity: the last delegation's `pubkey` is compared against the session key generated in step 2 to prevent a session-fixation attack where a delegation intended for a different session is replayed.

{/* Upstream: sync from dfinity/portal building-apps/security/iam.mdx */}
Loading