Proposed solutions for desktop Safari & Firefox sign in


#1

We currently use the blockstack: custom protocol handler to communicate between an app requesting user authentication and the authenticator tool that the user has selected. If you’ve installed Blockstack for macOS, Windows or Linux, the software installs the blockstack: handler and redirects requests to a locally served copy of the Blockstack Browser typically running on http://localhost:8888.

We attempt to detect if your computer supports the blockstack: protocol handler and if it does not, direct you to the copy of the Blockstack Browser that we host at https://browser.blockstack.org.

Web browsers do not generally have support for detecting whether or not a user’s computer supports a given custom protocol handler. On Chrome, we use a library that detects some side effects of support for the protocol handler while on Firefox and Safari, users who haven’t installed Blockstack simply see errors such as the following:

This problem also existed on mobile devices; however, we worked around it by always redirecting mobile browsers to https://browser.blockstack.org.

On desktop, we have existing users whose apps would stop working without identity migration if we took a similar approach on desktop. We also have apps with users that would be uncomfortable storing their private keys on an origin that Blockstack PBC controls instead of one that they control.

This thread is meant to be a discussion around potential solutions to this problem.

Idea 1: Redirect except for whitelisted legacy apps

Create a whitelist consisting of existing apps in blockstack.js that would continue to have the current behavior. All other apps would redirect to https://browser.blockstack.org.

If a user wants to override this behavior, they can create a browser extension or separate browser app that intercepts this call and redirects it to their own authenticator.

Idea 2: User decides on first sign in

Add functionality to blockstack.js that creates a modal or popup on affected browsers that asks users if they’ve installed the native browser. If they have, use the custom protocol handler; if not, redirect to https://browser.blockstack.org. Remember their choice in localStorage of the app.

Idea 3: Install web extension to keep using native

Modify blockstack.js to redirect all users to https://browser.blockstack.org. Offer a simple web extension that intercepts this request and redirects it to the localhost hosted versions for users that prefer to use that.

Please post your ideas and thoughts below!
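Added example, not part of the original post or of blockstack.js: one way Idea 2's remembered choice could be read back safely, storing only the label `native` or `hosted` and never a URL, so a tampered localStorage entry cannot steer the sign-in redirect. The storage key, the function names and the hosted `authRequest` query parameter are assumptions made for illustration.

```javascript
// Hypothetical key name; not taken from blockstack.js.
const STORAGE_KEY = 'blockstack-authenticator-choice';

// The only redirect targets the app will ever build. The stored value
// selects one of these by label; it is never used as a URL itself.
const TARGETS = Object.freeze({
  native: (token) => 'blockstack:' + encodeURIComponent(token),
  // Assumed URL shape for the hosted browser.
  hosted: (token) =>
    'https://browser.blockstack.org/?authRequest=' + encodeURIComponent(token),
});

const isKnown = (v) => Object.prototype.hasOwnProperty.call(TARGETS, v);

// Returns 'native', 'hosted', or null when nothing valid is stored.
function readChoice(storage) {
  let raw;
  try {
    raw = storage.getItem(STORAGE_KEY);
  } catch (e) {
    return null; // storage blocked (private mode, policy): ask again
  }
  return isKnown(raw) ? raw : null;
}

function saveChoice(storage, choice) {
  if (!isKnown(choice)) throw new RangeError('unknown authenticator choice');
  storage.setItem(STORAGE_KEY, choice);
}

// askUser stands in for the modal; it must return 'native' or 'hosted'.
function resolveAuthUrl(storage, authToken, askUser) {
  let choice = readChoice(storage);
  if (choice === null) {
    choice = askUser();
    saveChoice(storage, choice); // throws before any redirect on bad input
  }
  return TARGETS[choice](authToken);
}

// Constructed in-memory stand-in for window.localStorage.
function memoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a page, pass `window.localStorage` as `storage` and assign the returned string to `window.location`.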


2018-11-12 Engineering Meeting
#2

I like this option best, because it doesn’t require any additional work from the user (option 3), and it doesn’t prohibit users from easily using the native/local browser (option 1).


#3

I like idea 2 as well. One thing that the protocol handler enables is community implementations of a Blockstack authenticator. So I’m in favour of keeping it.


#4

I am also for the second option as the custom protocol is exactly made for this.

For Firefox and Chrome, web-based protocol handler browser APIs should be part of the solution? See caniuse for the current support.

If we assume the users are onboarding to Blockstack through browser.blockstack.org, then the user already has a custom protocol handler installed when visiting the first app. If the local browser is installed, then the user usually gets a popup to choose from the web app or local apps.


#5

This might work as a specific solution for the desktop versions of those two browsers. We tried the web-based protocols last year and found that they didn’t work the same way in Chrome as they did in Firefox and instead decided to try to use something that would work the same on all browsers and most importantly would work on mobile.