This bounty is no longer available

Implement EIP 4361

Organization

Ethereum Foundation

Deadline

N/A

Status

ENDED


INSTRUCTIONS

We should look into implementing EIP 4361 in Clef:

Sign-In with Ethereum describes how Ethereum accounts authenticate with off-chain services by signing a standard message format parameterized by scope, session details, and security mechanisms (e.g., a nonce).

The goals of this specification are to provide a self-custodied alternative to centralized identity providers, improve interoperability across off-chain services for Ethereum-based authentication, and provide wallet vendors a consistent machine-readable message format to achieve improved user experiences and consent management.

Signing such a message should already work in Clef out of the box (an EIP-4361 message is plain text signed under EIP-191); however, the specification places additional requirements on wallets:

  • The full message MUST be checked for conformance to the ABNF grammar defined in EIP-4361.
  • Wallet implementers SHOULD warn users if the substring "wants you to sign in with your Ethereum account" appears anywhere in an EIP-191 message signing request unless the message fully conforms to the format defined in EIP-4361.
  • Wallet implementers MUST prevent phishing attacks by matching on the domain term when processing a signing request. For example, when processing the message beginning with "service.org wants you to sign in...", the wallet checks that the request actually originated from service.org.
  • The domain SHOULD be read from a trusted data source such as the browser window or over WalletConnect (EIP-1328) sessions for comparison against the signing message contents.
  • Wallet implementers MAY construct a custom Sign-In With Ethereum user interface by parsing the ABNF terms into data elements for use in the interface. The display rules defined in EIP-4361 still apply to custom interfaces.
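
One way to implement the wallet-side checks listed above, written in Go (Clef's language) as an added example that is neither Clef's nor the siwe repository's code: a parser for the EIP-4361 message layout plus the phrase-detection and domain-match rules. Assumptions: the regular expression is a simplified rendering of the ABNF (optional trailing fields are matched loosely), and the sample message and the trusted origin strings are constructed for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Phrase every EIP-4361 message begins with; its presence triggers the wallet rules.
const siwePhrase = "wants you to sign in with your Ethereum account"
// Constructed sample request laid out per the EIP-4361 message format (not from the page).
const sampleMsg = "service.org " + siwePhrase + ":\n0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2\n\n" +
	"I accept the ServiceOrg Terms of Service.\n\nURI: https://service.org/login\nVersion: 1\n" +
	"Chain ID: 1\nNonce: 32891756\nIssued At: 2021-09-30T16:25:24Z"
// Simplified rendering of the EIP-4361 ABNF (assumption: trailing optional fields matched loosely).
var siweRe = regexp.MustCompile(`\A(?:[a-z][a-z0-9+.-]*://)?(?P<domain>[^\s/]+) ` + siwePhrase +
	`:\n(?P<address>0x[0-9a-fA-F]{40})\n\n(?:(?P<statement>[^\n]+)\n)?\nURI: (?P<uri>\S+)\n` +
	`Version: (?P<version>1)\nChain ID: (?P<chainId>[0-9]+)\nNonce: (?P<nonce>[a-zA-Z0-9]{8,})\n` +
	`Issued At: (?P<issuedAt>\S+)(?:\n(?:Expiration Time|Not Before|Request ID): [^\n]*)*(?:\nResources:(?:\n- \S+)*)?\z`)
// ParseSIWE returns the named fields, or an error if the text does not conform to the layout.
func ParseSIWE(msg string) (map[string]string, error) {
	m := siweRe.FindStringSubmatch(msg)
	if m == nil {
		return nil, fmt.Errorf("message does not conform to the EIP-4361 layout")
	}
	fields := map[string]string{}
	for i, name := range siweRe.SubexpNames()[1:] { // index 0 is the whole match, unnamed
		fields[name] = m[i+1]
	}
	return fields, nil
}
// CheckSignRequest applies the wallet rules to one EIP-191 signing request: plain text passes;
// a message using the phrase must parse, and its domain must equal the origin the wallet trusts.
func CheckSignRequest(msg, trustedOrigin string) error {
	if !strings.Contains(msg, siwePhrase) {
		return nil // ordinary message: no SIWE rules apply
	}
	fields, err := ParseSIWE(msg)
	if err != nil {
		return fmt.Errorf("warn user: %v", err) // phrase used outside a conforming message
	}
	if !strings.EqualFold(fields["domain"], trustedOrigin) {
		return fmt.Errorf("reject: message names %q but request came from %q", fields["domain"], trustedOrigin)
	}
	return nil
}

func main() { // constructed demo: same message from the genuine origin and from a spoofed one
	fmt.Println(CheckSignRequest(sampleMsg, "service.org"), CheckSignRequest(sampleMsg, "evil.example"))
}
```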

Reference implementation and test cases: https://github.com/spruceid/siwe