Abstract

This document describes the design of Nostr-OIDC, an adaptation of the Solid-OIDC authentication protocol for use within the Nostr protocol. Nostr-OIDC aims to provide secure and decentralized authentication and authorization for Nostr-based services and applications.

Introduction

Nostr is a decentralized messaging and social networking protocol. Solid-OIDC (OpenID Connect for Solid) provides a framework for secure authentication in decentralized environments. This document outlines how to adapt Solid-OIDC to integrate with the Nostr protocol, enhancing decentralized authentication and authorization for Nostr-based services and applications.

Authentication Flow Adaptation

Initiating Authentication

• User requests access to a Nostr-based service or application.
• The service generates an authentication request and redirects the user to an OIDC provider compatible with Nostr.
• The OIDC provider presents a login page and issues an ID token and access token upon successful login.

OIDC Provider Interaction

• ID token contains claims about the user, including Nostr public key and other relevant information.
• Access token grants the client access to user resources on the Nostr network.

Nostr Protocol Integration

Broadcasting the Tokens

• Client sends the ID token and access token to the Nostr service via a secure channel.
• Service verifies the tokens using the OIDC provider's public key.

Claim Verification

• Nostr service checks claims in the ID token to verify user identity and authorization.
• Nonce and other token attributes are verified to prevent misuse.

User Session Management

Session Establishment

• Upon verification, Nostr service establishes a user session and issues a session token.
• Session token is stored securely on the client side and linked to the user's authenticated session on the server side.

Session Persistence

• Session state maintained on the server side, associated with the user’s public key and session token.

Resource Access and API Calls

Authenticated API Calls

• Client includes the session token in API request headers for authentication.
• Nostr service validates the session token before processing requests.

Access Control

• Service checks user permissions and access rights based on token claims.
• User can only access authorized resources.

Token Revocation and Logout

Revoking Tokens

• Users can revoke tokens by logging out or through a token revocation endpoint.
• Nostr service invalidates the session token upon revocation request.

Logout Process

• Client clears the session token from local storage on logout.
• Nostr service terminates the user session and removes the session state.

Technical Details

OIDC Provider Requirements

• Supports generating and verifying ID tokens with Nostr public keys.
• Has an endpoint for token introspection and revocation.

Nostr Service Requirements

• Implements token verification logic using the OIDC provider’s public key.
• Supports secure communication channels for transmitting tokens and API calls.
• Manages user sessions and enforces access controls based on token claims.

Example Implementation

1. OIDC Provider Setup: Configure an OIDC provider to issue tokens with custom claims for Nostr integration.
2. Nostr Service Configuration: Implement middleware for token verification. Set up session management and access control logic.
3. Client Application: Integrate OIDC client library to handle authentication flow. Store session tokens securely and include them in API requests.