Ontology Developer Center
DISCOVERCOMMUNITYSUPPORT
  • Introduction
  • Discover Ontology
  • Getting Started
  • Glossary
  • Decentralized Identity and Data
    • ONT ID
      • Decentralized Identifiers
        • Method Specification for Ontology
        • Method Specification for Ethereum
        • Method Specification for BSC
      • Verifiable Credentials
        • Anonymous Credentials
      • ONT Login
        • Scenarios
        • Protocol Specification
        • Front-end JavaScript SDK
          • Integration and Usage
          • API Reference
        • Front-end UI SDK
          • Integration and Usage
          • API Reference
        • Back-end Go SDK
          • Integration and Usage
          • API Reference
        • Back-end Java SDK
          • Integration and Usage
          • API Reference
      • ONT TAG
        • Workflow
        • API Reference
      • Mercury
      • OScore
    • DDXF
      • Components and Interfaces
      • GREP
      • Overall Scheme
      • Solutions
        • Marketplace
          • Deployment
          • Scenarios
          • SaaS Tenant
          • Java SDK
        • Data Storage
          • Deployment
          • Java SDK
        • Resource Auditor
        • Offline Judge
      • Use Cases
        • E-Shops
  • ONTOLOGY ELEMENTS
    • Smart Contracts
      • Types of smart contracts
    • Token Protocols
    • Consensus Mechanism
    • Ontology Oracle
      • Oracle Process Flow
  • GUIDES & TUTORIALS
    • Development Guides
      • dApp Development
        • Using the dAPI
        • Data Synchronization
      • Smart Contract Development
        • EVM Contract
          • Development Environment and Tools
          • Wallet Setup
          • Contract Development
          • How to Deploy a Smart Contract with GetBlock
        • NeoVM Contract
          • Development tools and environment
          • Launching the IDE
          • Writing and editing program logic
          • Deploying and testing on private net
        • WASM Contract
          • Development Environment
          • Project Initiation - Hello World
          • Creating your own project
          • Development using SmartX
          • Runtime API
          • Contract Fundamentals
          • Inter-contract Interaction
          • Developing Contracts in C++
        • Publish Contract Source Code
    • Integration Guides
      • dApp Integration
        • dAPI Integration
          • Chrome Plugin
          • Mobile wallet dApp
          • QR code mechanism
          • Wake call mechanism
        • Cocos 2D-x
        • Unity 3D applications
      • Mobile Wallet Integration
        • SDK integration
        • dAPI Integration
          • In-wallet applications
          • QR code mechanism
          • Wake call mechanism
        • Stake
      • Using ONT ID
      • Exchange Integration
        • Exchange Docking Guide
        • Exchange API
      • Ontology for dApp Stores
    • EVM & Token Decimals Upgrade
  • ONTOLOGY NODE
    • Abstract
    • Node Deployment
      • Standard Node
      • Rosetta Node
    • Interacting with a Public Node
  • DEVELOPER TOOLS
    • dApp Development Framework
      • Punica CLI
      • Punica boxes
      • Solo Chain
    • IDE
    • APIs
      • HTTP API
        • Restful
        • WebSocket
        • Remote Procedure Call (RPC)
      • Explorer v2 API
        • Block
        • Address
        • Contract
        • Token
        • Transactions
        • ONT ID
        • Summary
        • Node
      • Native Token API
        • ONT Contract API
        • ONG Contract API
      • ONT ID Contract API
      • Web3 API
      • OScore Open API
      • Rosetta Node API
        • Data API
        • Construction API
      • DToken Contract API
      • DDXF
        • Marketplace Contract API
        • Storage API
      • Governance API
    • Digital Wallet
      • Chrome Plugin provider
      • Chrome Plugin dAPI
      • Mobile version provider
      • Mobile version dAPI
    • SDKs
    • Signing Server
      • Installation
      • API reference
  • COMMUNITY
    • Ecosystem Programs
    • Community Libraries
    • Community Events
    • Community Channels
    • Core Contributors
  • SUPPORT
    • FAQ
      • Basic blockchain concepts
      • Ontology Nodes
      • Ontology token protocols
      • Smart contracts
      • SDKs and APIs
    • Contact Us
Powered by GitBook
On this page
  • Authentication Request
  • Authentication Challenge
  • Signature (and Authorization)
  • Authentication Response
  • Verification

Was this helpful?

  1. Decentralized Identity and Data
  2. ONT ID
  3. ONT Login

Protocol Specification

PreviousScenariosNextFront-end JavaScript SDK

Last updated 2 years ago

Was this helpful?

The following parties are involved in the authentication process:

  • Server: The service relying party that provides services to the user.

  • Client: A website or app with which the user sends authentication request to the server.

  • Decentralized Identity Management Wallet ("Wallet"): A tool for the user to manage their decentralized identities and verifiable credentials.

The whole process can be divided in the following 5 steps. We will go through each step in detail in later sections.

Authentication Request

The client sends the authentication request to the server as the example below:

{
 "ver": "1.0",
 "type": "ClientHello",
 "action": "1",
 "ClientChanllege": {},
}

Property

Type

Description

ver

1.0

Protocol version, current version is 1.0.

type

ClinetHello

Message type, the type of an authentication request is ClinetHello.

action

integer

"0" = authentication; "1" = authentication and authorization. You can define other actions based on the business logic.

ClientChanllege

ClientChanllege

Optional, challenge sent from the the client, required for mutual authentication.

Authentication Challenge

Upon receiving the request from the client, the server generates and a nonce and stores it.

The server returns the following message to the client:

{
"ver": "1.0",
 "type": "ServerHello",
 "nonce": "128-uuid",
 "server": {
   "name": "",
   "icon": "",
   "url": "",
   "did": "",
   "verificationMethod": "",
 },
 "chain": ["ONT","BSC"],
 "alg": ["ES256","Ed25519"],
 "VCFilters": [
   {"type": "DegreeCredential", "trustRoot":["did:ont:bob",""], "required": true},
   {"type": "IdentityCredential", "trustRoot":["did:ont:bob",""], "express":["",""], "required": false},
 ],
 "serverProof":{},
}
```

Property

Type

Description

ver

1.0

Protocol version, current version is 1.0.

type

ServerHello

Message type, the type of an authentication challenge is ServerHello.

nonce

string

A one-time random number or 128-digit UUID generated by the server used as a challenge. It's necessary to ensure it's randomly and recently generated.

server

A message from the server including strings:

- name: string, name of the server, required.

- icon: string, image URL of the server's icon or the serialized icon, optional.

- url: string, server URL, required.

- did: string, server DID, required for mutual authentication.

- verificationMethod: string, serial number of the verification method in the server DID Document, required for mutual authentication.

VCFilters

Types of VC required from the server, including at least 3 fields below:

- type: string, type of VC

- trustRoot: VC issuer

- required: boolean, if the VC is required

The express string is used to specify requirements in a zero knowledge proof, e.g. age 18 and above.

chain

string[]

Denoting chains supported by the server with native token symbols, e.g. “ONT” represents Ontology chain.

alg

string[]

Signature schemes supported by the server.

serverProof

object

Optional, server's response to the challenge sent from the client for mutual authentication.

Signature (and Authorization)

When the client receives the authentication challenge , a message is generated accordingly for the wallet to sign. The wallet signs the message containing the challenge, and generates the VP for VC required by the server.

An example of message to be signed:

{
  "type": "ClientResponse",
  "server": {
    "name":,
    "url":, 
    "did":
  },
  "nonce": "128-uuid",
  "did": "did:ont:alice",
  "created":1630425600,
}

Property

Type

Description

type

ClientResponse

Message type, the type of a message to be signed is ClientResponse.

server

object

Server details including 3 strings:

- name: string, server name

- url: string, server URL

- did: string, server DID, optional

nonce

string

The nonce included in the challenge.

did

string

User DID.

created

number

UNIX timestamp in seconds of signature creation time.

Authentication Response

After the signature and VP are received, the client sends the response to the challenge to the server.

{
 "ver": "1.0",
 "type": "ClientResponse",
 "nonce": "uuid-128",
 "did": "did:ont:alice",
 "proof": {
   "type":"Ed25519",
   "verificationMethod": "did:ont:alice#key-1",
   "created":"2010-01-0119:23:24Z",
   "value":"xx",
 },
 "VPs": ["",""],
}

Property

Type

Description

ver

1.0

Protocol version, current version is 1.0.

type

ClientResponse

Message type, the type of the challenge response is ClientResponse.

nonce

string

Nonce included in the challenge.

did

string

User DID.

proof

Signed challenge including the following 4 fields:

- type: signature scheme used for the signature

- verificationMethod: serial number of the verification method in the user DID Document

- created: UNIX timestamp in seconds of signature creation time

- value: signature

VPs

string[]

Encoded VC.

Verification

The server verifies data contained in the challenge response:

  1. Verify the validity of parameters

  2. Verify if the nonce is the same as the one generated by the server

  3. verify the signature

  4. Verify the validity of VP and VC

  5. Check if the provided VC meets the requirement

ONT Login requires end users to have an ONT ID. Please refer to this on how to generate ONT IDs for your users.

: The user starts the login process. The client sends the authentication request to the server.

: Received the request, the server generates and sends a challenge to the client, which can specify the required VC if needed.

: The client receives the challenge, then requests signature and VP from the wallet with the challenge.

: The client receives the signature and VP from the wallet, and send the response message to the server.

: The server verifies if the response is correct. If yes, the server parses the VP to obtain the information authorized by the user.

[]

doc
Authentication Request
Authentication Challenge
Signature (and Authorization)
Authentication Response
Verification
server
VCFilter
proof