ORE ID Developer and Architecture Overview

ORE ID is a single sign-on authentication platform that works cross-chain. Used by both businesses and consumers, ORE ID allows users to manage their own keys — and ultimately their identity — on any blockchain.

Overview


  • ORE ID connects users’ identities from popular logins like Google, Facebook, Twitch, GitHub and more to blockchain accounts and applications.
  • ORE ID supports multiple blockchains, so accounts and keys can be created automatically on one or more chains when a user logs in for the first time.
  • ORE ID provides APIs that make it easy for developers to build blockchain transactions, such as transferring tokens or selling NFTs, into their products.
  • With ORE ID, end users simply enter their wallet password; there is no need for wallet plugins or installed apps.
  • Blockchain accounts created for users via ORE ID are their own. Users can export or back up those keys into their wallet apps, or import existing keys into ORE ID.

Primary User Flows


User Authentication Flows

Option 1 | Single Sign-On With ORE ID

Typical Developer Experience 

  1. Register ORE ID app at oreid.io 
  2. Choose from a list of sign-on options: Google, Facebook, Twitch, etc.
  3. Add ORE ID library to application
  4. Call oreid.auth(‘google’) to obtain the user’s OAuth access token
    1. The end user is redirected to the OAuth login flow, then returns to the callback with tokens
    2. On a user’s first login, the user is prompted to enter a wallet password
    3. One or more blockchain accounts are automatically created and funded


Typical User Experience 

  1. Click ‘Login with Google’ button
  2. User is redirected to Google login flow
  3. On a user’s first login, the user is prompted to enter a wallet password
    1. This can be configured as a PIN or a password
  4. User returns to app


Option 2 | Bring Your Own Auth0

Developer Experience | React App Example

  1. Set up an Auth0 domain, and optionally a custom domain URL, to enable the login types you want
  2. Register ORE ID app at oreid.io
    1. Provide the Auth0 domain and custom domain
    2. If you are using Firebase Auth, use the OAuth id_token from Firebase
  3. Add ORE ID library to application
  4. Add ORE ID React Web Widget to application for sign-transaction flows, etc.
  5. Call auth0.auth(‘google’) to obtain the user’s OAuth access token
    1. The end user is redirected to the OAuth login flow, then returns to the callback with tokens
  6. Call oreid.auth(‘google’, auth0_Id_token)
    1. On a user’s first login, the user is prompted to enter a wallet password
    2. One or more blockchain accounts are automatically created and funded
    3. User returns to the app with ORE ID OAuth tokens

User Experience

  1. Click ‘Login with Google’ button
  2. User is redirected to Google login flow
  3. On a user’s first login, the user is prompted to enter a wallet password
    1. This can be configured as a PIN or a password
  4. User returns to app


Option 3 | Bring Your Own OAuth Apps

Developer Experience | React App Example

  1. Set up OAuth clients with one or more providers, e.g. Google, Facebook, etc.
  2. Register ORE ID app at oreid.io
    1. Provide the list of OAuth providers and their clientIds
  3. Add ORE ID library to application
  4. Add ORE ID React Web Widget to application for sign-transaction flows, etc.
  5. Call the OAuth provider to obtain the user’s OAuth access token
    1. The end user is redirected to the OAuth login flow, then returns to the callback with tokens
  6. Call oreid.auth(google_Id_token)
    1. On a user’s first login, the user is prompted to enter a wallet password
    2. User returns to the app with ORE ID OAuth tokens

User Experience

  1. Click ‘Login with Google’ button
  2. User is redirected to Google login flow
  3. On a user’s first login, the user is prompted to enter a wallet password
    1. This can be configured as a PIN or a password
  4. User returns to app

Option 4 | Enterprise Custodial Accounts

Developer Experience | Example

  1. Custom login experience: OAuth, username/password, or another custom flow
  2. Register ORE ID app at oreid.io
    1. Generates a serviceKey
  3. Add ORE ID library to application
  4. Call oreid.newUser() with the user’s email, walletPassword and other user information, or with a valid signed OAuth id_token; returns the new user’s accountName
  5. Save the new user’s ORE ID accountName and generated walletPassword

User Experience

  1. Click any login button option
  2. User is ready to use the app (no additional UX)

User Sign Transaction Flows

ORE ID Simple Sign-On Flow

Developer Experience | React App example

  1. Add ORE ID React Web Widget to application
  2. Compose a simple blockchain transaction, e.g. to send a token
  3. Call oreId.sign(transaction)
    1. Web widget appears
    2. User enters their wallet password
  4. The signed transaction is either broadcast to the blockchain (optional) or returned to the caller

User Experience

  1. User clicks ‘Send Tokens’ button
  2. Pop-up appears and prompts the user to enter their wallet password
  3. User returns to app 
    1. Confirmed UX may be displayed

Enterprise | Custodial Accounts

Developer Experience (example)

  1. Add ORE ID library to application
  2. Call oreid.sign() with the user transaction to sign, the userAccount and the userWalletPassword
  3. Receive the transaction ID, signature and/or signed transaction

User Experience

  1. User clicks ‘Send Tokens’ button, OR no user UX is required
  2. Confirmation UX may be displayed
  3. Note: no user interaction is required to sign a transaction for an enterprise account

Technical Architecture

ORE ID Services Architecture

ORE ID runs in a fault-tolerant environment that is globally distributed across Google Cloud regions connected by a virtual private cloud (VPC) network.

It is actively monitored for performance and uptime and automatically scales instances as load increases.


Security General Approach and Goals

  • User keys are generated, and unwrapped for signing, only in the cryptography service: a separate stateless service running in a Google confidential computing environment
  • Access to production services is via private VPN and IP allowlisting
  • All secrets are stored only in a password manager and are never transmitted in plaintext
  • Access to third-party services is via Google domain account authentication
  • Unencrypted blockchain keys are never persisted
  • All access is logged and actively monitored

On-chain Accounts and Keys

  • Every account is created and stored on-chain
    • Permissions to call specific on-chain smart contract actions are stored in the on-chain account data structure
  • Every account has its own set of keys
    • Owner | Can replace any keys for the on-chain user account
    • Active | Not used by ORE ID
    • App-specific | Used when ORE ID requests that the user sign a transaction for an app
      • An app can only request that the user sign with its app-specific permission, not with the user’s owner or active keys
  • Account private keys are stored encrypted
    • Encryption library is the Stanford JavaScript Crypto Library (SJCL), a blockchain ‘standard’
    • Keys are encrypted with AES-128-GCM (a 2^128 key space); the wrapping key is derived from the user’s password with 1,000,000 iterations of the library’s password-based key derivation (PBKDF2)
    • The inputs to that key derivation are:
      • The user’s password; password rules are configurable
      • A salt that is different for every app and environment (i.e. prod, staging, etc.) and can be rotated
  • Encrypted account private keys are stored in a separate store from the rest of the ORE ID data
  • Salts used for encryption are stored separately from source code and database, so a copy of the encrypted-key store alone cannot be decrypted without both the user’s password and the salt

ORE ID Security Deep Dive

A comprehensive overview of ORE ID security can be found in this document
