Introducing SteemConnect by Busy : Identity, authentication, authorization for Steem blockchain’s apps

in #steemconnect, 8 years ago (edited)

Your main way to enter the Steem World?

SteemConnect by @busy.org is a simple identity layer built on top of the Steem blockchain that allows you to connect to authorized apps in a secure and convenient way.

https://steemconnect.com/

Why SteemConnect?

It has been more than 6 months since Steem and Steemit were launched, and already a whole ecosystem of applications is being built around the Steem blockchain. Nevertheless, this profusion of new projects, which demonstrates the enthusiasm and dynamism of Steemians, raises the issue of security for both users and developers of our ecosystem.

Security is key for a thriving ecosystem like Steem

The Busy team works seriously on identifying the key challenges and core issues that need to be solved to make Steem successful. One of the first issues identified, after Steemit.com was announced as open source and after our SteemJS release by @fabien (CTO & co-founder of Busy) a few months ago, was security for users and how to find solutions that would allow new projects to flourish.

  • For users: How do you ensure the security of your private keys when you connect to the Steem blockchain through apps and websites other than Steemit? How can you trust these domains with your credentials when doing so puts your reputation, and eventually money, at risk?
  • For developers: How can your workflow be simplified so you can focus on developing your applications without having to manage user authentication? How can the user trust issue be solved with a transparent, convenient solution ensuring complete safety for everyone?

SteemConnect, a universal login interface for the Steem Apps Ecosystem

Our solution? Build an open-source, collaborative, transparent identity and login base layer for any Steem app that wants to benefit from a convenient and secure solution. That’s what Busy brings with SteemConnect.
This simple identity layer built on top of the Steem blockchain allows every Steem user to connect to authorized apps in a secure and convenient way.

It’s an open-source project that can only be improved through a concentrated effort involving all important members/developers from the Steem community to make a trusted tool that everyone can use, encrypting with complete safety your keys & data.
Not only will it allow users to use several apps without fear, but some Module/Widget like the Disqus comment built on Steem would definitely bring new users and allow tons of possibilities. 2017 will be crazy :)
said @ekitcho (CEO and co-founder of Busy)

SteemConnect can provide security, simplicity and trust for both users and developers

For developers, it allows you to develop applications based on the Steem protocol without having to handle the authentication system. SteemConnect frees you from the burden of managing users' private keys and encryption.
Indeed, by using SteemConnect, you won’t have to open-source your project to gain the trust of your users. The service is open-source and very simple to learn and integrate. We will provide a few tutorials to help.

For Steem users, it allows you to connect in a convenient and secure way to other apps and websites built on Steem using the same account credentials you use for Steemit! Neither SteemConnect nor the authorized apps store your key. Your posting key is encrypted in your cookie. (Check the Release note for more technical information.)
You can log in to many authorized Steem apps in complete safety.

SteemConnect can also be your “Steem App Store”

Imagine an App Store dedicated to all authorized Steem apps you can use... Well that’s what we are offering with SteemConnect!
Select among various websites and apps using SteemConnect where you can easily log in with confidence using your Steem account credentials.


Early wireframe demo of SteemConnect

Light Wallet, Activity & Profile Manager

In addition to being completely open-source, this service will allow you to securely access and edit your personal information: edit your global Public Profile, manage your credentials, make a Steem payment, review your activity and stats, and browse and select among authorized websites and apps that use SteemConnect.


Last but not least, in addition to the API, we plan to build a desktop and mobile app!
You will also have access to many tutorials by the Busy Team written by our developers.

We are now in Beta with SteemConnect, and all developers are welcome to join! Check our Release note for more information.


How to support Busy & SteemConnect

We're hiring experienced and talented designers (branding), UI/UX designers, marketers and writers, and we welcome new businesses or apps that want to integrate the Busy Platform or use SteemConnect as a base layer for their project. Feel free to contact us.

Additional Links


All rewards from the @busy.org account will be used to fund our projects


My dream finally comes true. Awesome, thanks @fabien and @ekitcho

please follow my account and help by resteeming and upvoting comments! I will be able to make great quality posts in the near upcoming future!
cheers and saludos!
Follow and upvote and resteem me!

This is really cool. Security is a big concern of mine as well as many other members of the community. I wrote a post a few months back talking about some of the challenges that third party apps present from a security perspective.

I hope you won't mind if I ask a couple of "tough questions" since obviously the security of everyone's keys who use your service is at stake :)

  • Is the cookie that is stored in the client's machine something that can be decrypted by the client, or can only the SteemConnect server do that?
  • Is the data that is passed between the client's machine and the server encrypted before sending?
  • Is it still theoretically possible for the user's key information to get stolen if the SteemConnect service itself is compromised? Basically could a malicious actor deploy an alternate version of the code on your end that steals the user's keys between the point that they are decrypted server-side and sent to the blockchain, or before it is encrypted and sent back to the client?

Some of the security experts in the community might have more.

Hey Tim, ofc I don't mind. I'm sure many people would like to know too. Here are my answers:

Is the cookie that is stored in the client's machine something that can be decrypted by the client, or can only the SteemConnect server do that?

Only SteemConnect server can do that.

Is the data that is passed between the client's machine and the server encrypted before sending?

Yes, it's encrypted using a CSRF token in the client browser before being sent to the server.

Is it still theoretically possible for the user's key information to get stolen if the SteemConnect service itself is compromised? Basically could a malicious actor deploy an alternate version of the code on your end that steals the user's keys between the point that they are decrypted server-side and sent to the blockchain, or before it is encrypted and sent back to the client?

It's theoretically possible. SteemConnect decodes the posting wif to create a signature, then broadcasts it to the blockchain. The hacker would need to access the server and change the code, then the user would need to send a request to SteemConnect before we got notified about that and before the user reset the posting wif.
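The cookie scheme discussed in the post and in the answers above, as an added sketch that is not part of the thread and not SteemConnect's own code: a posting key sealed so that only the server can open it. The cipher (AES-256-GCM), the cookie layout, the binding to the account name and all function names are assumptions; the page does not describe them.

```javascript
// Added example (not SteemConnect's code). AES-256-GCM, the cookie layout
// (iv | tag | ciphertext) and every name below are assumptions.
const crypto = require('node:crypto');

// Held only by the server; the browser stores the sealed cookie, never this key.
const SERVER_KEY = crypto.randomBytes(32);

// Seal the posting WIF. The account name is bound in as associated data so a
// cookie issued for one account is rejected when presented for another.
function sealPostingKey(username, postingWif, key = SERVER_KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every cookie
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(username, 'utf8'));
  const ct = Buffer.concat([cipher.update(postingWif, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Open a cookie. Returns the WIF, or null when the cookie was modified, was
// sealed for a different account, or was sealed under a different key.
function openPostingKey(username, cookie, key = SERVER_KEY) {
  try {
    const raw = Buffer.from(cookie, 'base64url');
    if (raw.length < 28) return null; // too short to hold iv + tag
    const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    d.setAAD(Buffer.from(username, 'utf8'));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: treat as logged out
  }
}

// Flip one bit of the ciphertext, as a modified cookie would look on arrival.
function tamper(cookie) {
  const raw = Buffer.from(cookie, 'base64url');
  raw[raw.length - 1] ^= 1;
  return raw.toString('base64url');
}

// Constructed sample values, not a real account or key.
const SAMPLE_USER = 'alice';
const SAMPLE_WIF = '5J-constructed-placeholder-posting-wif';
const cookie = sealPostingKey(SAMPLE_USER, SAMPLE_WIF);
console.log('server opens its own cookie:', openPostingKey(SAMPLE_USER, cookie) === SAMPLE_WIF);
console.log('tampered cookie rejected:', openPostingKey(SAMPLE_USER, tamper(cookie)) === null);
```

What `openPostingKey` returns is the plaintext key in server memory, which is the exposure the third question is about: the cookie protects the key at rest in the browser, not from the server that opens it.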

Thanks for your reply. Users should be aware that at the end of the day, they are still placing their trust in your team to handle their private keys. Most of us already do that with Steemit, Inc. - so I'm not saying it is a huge problem; just something to be aware of.

Personally I would at least rather only have to trust my keys to one or two companies - rather than every single developer that builds a third party app - so at the very least it is a huge step in the right direction.

Out of curiosity, have you thought about or discussed the possibility of having Steemit host this part of the service?

I think the broader ecosystem would be better served by having more well-trusted services and providers (also designs that reduce this reliance altogether) rather than solving every problem by further centralizing on trust of Steemit itself. Perhaps these can be backed up by independent security audits and performance bonds of some sort.

That's a good point / suggestion.

Thank you for your feedback. About Steemit hosting the service: we've been thinking about this and it's exactly what we want. IMO this would give the same level of trust as Steemit.com for Steem apps using SteemConnect, so it's a big yes for us, but we still haven't discussed it much with Steemit yet.

please follow my account and help by resteeming and upvoting posts!

I will be able to make great quality posts in the near upcoming future!

cheers and saludos!

Dont hesitate to comment to my posts, i hope you get more followers yourself and I will surely follow you all!
Follow and upvote and resteem me!
Thanks everyone. I hope we can win together here with Steem! A big happy well fed family!

Don’t spam

This is great stuff. Identity and authorisation are vital facilities. We don't want to have a fresh identity for every service we use.

Thanks for the information. This is indeed a great addition to our communities and the Steemit environment in general. All for one and one for all! Namaste :)

Hey,

I’ve been using Steemconnect on Musing and dLike... however today upon trying to log in, it doesn’t offer the option to click my usual account, but it’s starting from scratch asking for my username and key - which has never happened since I first input it months ago...

Explanation?

Wondering if this is anything to be concerned about, if there has been an app-wise reset, this is normal, etc...

Please advise, thanks!

I'm also wondering what's up as the domain name won't even show up on my end...

That's weird. Shows up fine for me. (Although still cautious about the logout thing, just in case there may have been any sort of hack and redirect, etc)...

Congrats, it looks like a very nice addition to the Steem ecosystem. Is this something that can be used in a mobile app as well? Is there an API that can be used?

Hi. Yes, it can be used in a mobile app. We have an API; the request must be sent front-end by the user on your app. We have a JavaScript SDK here https://github.com/adcpm/steemconnect to make it easy to use the API.

Thanks, I'll have a look :)

How does it make money?

It does not have any business model, as non-profit, open source, we work on a collaborative, contributive, transparent approach and offering this to the community. It's self-financed but also funded by Donations.
@busy.org is non-profit with a model to cover our expenses but SteemConnect, SteemJS, and other services we provide for Steem are free and non-profit without any business model. It's pure contribution to the community and our ecosystem ;)

Which one is it: "It does not have any business model," or a "non-profit with a model to cover our expenses"?

I get it - non-profits don't take a profit - but they still need money in order to operate. I don't see the incentive as a developer to spend hundreds of hours writing code for free - this isn't a United Nations project - nobody is splitting the atom, feeding children, or ending poverty. Authors post to make money. People vote to make money. So what is the upside to me using my time to develop tools that make Steem Inc. more money? Wouldn't I be better off writing code for UNICEF or a meaningful charity?

Your project has a ton of merit to it - but look at other projects like Steemvoter - code gets written, people join, one guy pays the bills. Then comes the sale or the crowdsourcing emails. There is nothing bad about a company developing software for Steem to make money.

I was hoping you guys had figured something out on the revenue side. Very disappointing.

Busy will have a business model (potentially with the blockchain). SteemConnect will not, because it doesn't need one from our point of view. But both are non-profit.
I get your point, but as said, this will work on donations for now simply because a tool like SteemConnect can allow others to make money, if they want to, and totally frees them from the burden of managing users' private keys and encryption, while bringing users with trust. We believe that the Busy organization can cover the SteemConnect service as an umbrella, busy.org being the first app that will use the service, and we can still figure out a more viable model later if needed. But I think we can have a pretty stable version very soon, and it won't require much work or funding to upgrade. If you bring value to the ecosystem, you'll get your value back. That's something I do believe, and work to make happen.
Also, if Steem grows, we all grow ;) so I guess it's not for "free"

If you have some suggestions for the revenue side, feel free to suggest them, but this is something we decided with some serious reflection in our team :) We actually had figured out something, but it seems that you don't like it :p

Thanks - I think what you are doing is very cool - don't get me wrong! I was hoping you had some more knowledge in regard to revenue programs/models for apps or UIs in general - since you are mentioned a lot. I thought maybe you guys had some "special knowledge". I believe I heard @ned talk about the potential for app/UI developers to get a portion of curation rewards (he called it a tax for lack of a better word). I am operating on hope as well. I have a post scheduler that I would love to expand on by putting some of my "real world" developer hours toward.

For me at this point risk tolerance is influencing development - we are dealing in the currency of hopes and dreams I think. If this was addressed sooner rather than later - I'm sure we would see a lot of small dev houses providing Steem users with a better, faster, smarter, prettier and more engaging experience. I would have people designing Steem apps full-time if I had a concrete path to monetizing them!

Thanks
When you're referring to "get a portion of rewards", it certainly refers to this proposal https://steemit.com/steem/@steemitblog/proposed-upgrade-for-blockchain-incentives
which I just mentioned in my reply at the beginning: Busy will have a business model (potentially with the blockchain). ;)

Yes - that was the vagary that got me.. I knew you had an ace up your sleeve ;)

Thanks for the article, exactly what I was looking for!

SteemConnect Github Repo Error 404

Hello, I am trying to register for several tools that interact with Steemit - Minnowbooster, Bot Tracker, etc. When I try to log in via SteemConnect to take my Steemit account information and pass it through for account registration, I receive an error saying my account user name is not valid. No idea why it would say that since it is the username I am using on Steemit. Would love any thoughts to help with this. Thanks @busy.org
