Implement EIP 4361 #24132

Open
holiman opened this issue Dec 20, 2021 · 13 comments
@holiman
Contributor

holiman commented Dec 20, 2021

We should look into implementing EIP 4361 in Clef:

Sign-In with Ethereum describes how Ethereum accounts authenticate with off-chain services by signing a standard message format parameterized by scope, session details, and security mechanisms (e.g., a nonce).

The goals of this specification are to provide a self-custodied alternative to centralized identity providers, improve interoperability across off-chain services for Ethereum-based authentication, and provide wallet vendors a consistent machine-readable message format to achieve improved user experiences and consent management.

This should already work out of the box (since it's just signing a text message), however:

  • The full message MUST be checked for conformance to the ABNF above.
  • Wallet implementers SHOULD warn users if the substring "wants you to sign in with your Ethereum account" appears anywhere in an EIP-191 message signing request unless the message fully conforms to the format defined in EIP-4361.
  • Wallet implementers MUST prevent phishing attacks by matching on the domain term when processing a signing request. For example, when processing the message beginning with "service.org wants you to sign in...", the wallet checks that the request actually originated from service.org.
  • The domain SHOULD be read from a trusted data source such as the browser window or over WalletConnect (EIP-1328) sessions for comparison against the signing message contents.
  • Wallet implementers MAY construct a custom Sign-In With Ethereum user interface by parsing the ABNF terms into data elements for use in the interface. The display rules above still apply to custom interfaces.

Reference implementation + testcases here: https://github.com/spruceid/siwe
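
The following is an added example, not code from go-ethereum, Clef or the spruceid/siwe reference implementation. It covers two of the wallet checks quoted above: flagging a message that contains the sign-in phrase without the standard header, and comparing the domain term with the request origin. It examines only the header line and the address line, not the full ABNF; `CheckHeader`, `Verdict`, `Sample` and the sample values are hypothetical, and the origin is assumed to come from a trusted source.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const marker = "wants you to sign in with your Ethereum account"
// Verdict is a hypothetical result type for this example.
type Verdict int

const (
	NotSIWE        Verdict = iota // marker absent: ordinary EIP-191 text
	WarnMalformed                 // marker present, header not in EIP-4361 form
	DomainMismatch                // header well-formed, domain differs from origin
	HeaderOK                      // header well-formed, domain matches origin
)

// Line 1: "<domain> <marker>:", line 2: 0x-prefixed 20-byte address.
var headerRe = regexp.MustCompile(`^([^\s/?#]+) ` + marker + `:\n(0x[0-9a-fA-F]{40})\n`)

// CheckHeader classifies a signing request. origin is assumed to come from a
// trusted source (browser window, WalletConnect session), never from msg.
func CheckHeader(msg, origin string) Verdict {
	if !strings.Contains(msg, marker) {
		return NotSIWE
	}
	m := headerRe.FindStringSubmatch(msg)
	if m == nil {
		return WarnMalformed // phrase used outside the standard layout
	}
	if !strings.EqualFold(m[1], origin) {
		return DomainMismatch // message names a different service
	}
	return HeaderOK
}

// Sample returns a constructed message; address and field values are placeholders.
func Sample() string {
	return "service.org " + marker + ":\n0x" + strings.Repeat("ab", 20) + "\n\n" +
		"URI: https://service.org/login\nVersion: 1\nChain ID: 1\n" +
		"Nonce: 32891756\nIssued At: 2021-09-30T16:25:24Z"
}

func main() {
	fmt.Println(CheckHeader(Sample(), "service.org"), CheckHeader(Sample(), "evil.example"),
		CheckHeader("note: "+Sample(), "service.org"), CheckHeader("hello", "service.org"))
}
```

A `HeaderOK` result means only that the first two lines are well-formed and the domain matches; the remaining fields still need the conformance check the specification requires.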

holiman changed the title from "Implement" to "Implement EIP 4361" on Dec 20, 2021
holiman self-assigned this on Dec 21, 2021
@bharath-123

Hey @holiman @MariusVanDerWijden, I'm interested in contributing to geth! I want to take this issue up to implement this EIP!

@bharath-123

Please feel free to assign to me. I'll keep communication on my status in this thread.

@adust09

adust09 commented Apr 10, 2023

I am interested too.

@adust09

adust09 commented Apr 19, 2023

The main task is to rewrite siwe code written in TS into Go and make it work in geth?

@holiman
Contributor Author

holiman commented Apr 19, 2023

I started implementing it, found some spec issues.
spruceid/siwe#30

https://ethereum-magicians.org/t/eip-4361-sign-in-with-ethereum/7263/9?u=holiman

@nickpismenkov

@holiman Hi. I'm interested in taking this issue. Is it still relevant? And what about the issue that you mentioned above? Does it still exist?

@nickpismenkov

@holiman

@usmanovbf

Hi there! Is it still actual?

@mahmudsudo

Hi, can I take on this issue?

@usmanovbf

@holiman is it worth taking it?

@k66inthesky

@holiman Hi, I noticed this issue regarding EIP-4361 doesn't have an implementation yet.
Could I take on this issue?

@MariusVanDerWijden
Member

Please don't ask if you can implement something, just send a PR!

@k66inthesky

k66inthesky commented Apr 26, 2025

Hi @holiman,

I am an Ethereum newcomer and have submitted a PR that implements the SIWE (Sign-In With Ethereum) validator discussed here: #31722.

The validator provides lightweight internal parsing and verification of EIP-4361 fields, without relying on external libraries, following the design philosophy discussed in this issue.

This PR is now ready for review. Thank you very much for your guidance and support!
