6

Can we use fabric-ca to authenticate the user to a web application, i.e. while enrolling the user we send an ID and password; can we use the same password to authenticate the user to the web app?

If yes, how? Can you share a few examples based on the Node.js SDK?

And also, if we have multiple organizations and private channels, how do we enroll certain users who can access both private channels?

Hafeez Khan

1 Answer

10

The straightforward answer is no. The CA server is not meant for authentication. However, it does check the password for the first enrollment, so if you never stored the crypto and set enrollment attempts to unlimited it would validate against the static (unchangeable) password set during registration. Probably not the best idea but might be fine for some use cases.

I did an implementation storing users and passwords in the blockchain, checked on every web app login, with update rights only for the user. If you want passwords changeable, you have to store them somewhere the user can get to them. LDAP (recommended), database, file system, blockchain, somewhere.

Users belong to an Org. So if a peer and the user are in an Org that has access to multiple channels, all is well.

jworthington
  • So you implemented your web app using the Fabric CA RestAPIs to authenticate successfully? [ Against the credentials provided at the time of registration ] – Ashishkel Jan 06 '18 at 05:39
  • 3
    The first enrollment for a user must submit the same password as created (or assigned) during registration. The user crypto is returned if the password is valid. That uses the Fabric CA RestAPI. As long as you have access to the crypto then you can transact. There are a lot of options, but I wanted to store the crypto on the web server, but only allow access to it if the user had the correct password. So I stored the user/passwords in the blockchain, and wrote the chaincode to validate the password before it would allow transactions using that crypto. – jworthington Jan 07 '18 at 02:15
  • @jworthington: Did you create a separate channel for storing credentials in the blockchain? Basically, I wanted to understand how your design handled authentication and user transactions. – Hafeez Khan Feb 23 '18 at 18:12
  • I did not. Easy enough to do if deemed appropriate. – jworthington Feb 24 '18 at 20:46
  • How can we configure LDAP with the fabric ca server? – Amil Sajeev Jun 22 '18 at 05:35
  • Isn't storing users and passwords in the blockchain quite risky? – Shweta Gupta Nov 05 '19 at 07:36
  • There are risks with every approach whether blockchain or not. Store only the password hash. And remember that Fabric is private and network topology is determined by the membership. That chaincode could be in a more private channel. And private data collections can be used. – jworthington Nov 06 '19 at 12:42
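
The design discussed in the answer and comments (keep the enrollment crypto on the web server, release it only after a password check, store only a password hash), sketched as an added example that is not the answerer's code. It uses only Node's built-in `crypto` module and runs the check in the web app rather than in chaincode; the in-memory maps, function names and sample identity are assumptions standing in for the real credential store (LDAP, database, ledger) and the SDK wallet.

```javascript
const { scryptSync, randomBytes, timingSafeEqual } = require('crypto');

// Hypothetical in-memory stores (assumptions for this example only).
const credentials = new Map(); // userId -> { salt, hash }; never the password itself
const wallet = new Map();      // userId -> enrollment material returned by the CA

const KEY_LEN = 32;

function hashPassword(password, salt) {
  // scrypt is deliberately slow, which limits offline guessing if the store leaks.
  return scryptSync(password, salt, KEY_LEN);
}

function storeCredential(userId, password) {
  const salt = randomBytes(16); // fresh salt on every set or change
  credentials.set(userId, { salt, hash: hashPassword(password, salt) });
}

// Called once, after the user has enrolled with the CA.
function registerLogin(userId, password, enrollment) {
  storeCredential(userId, password);
  wallet.set(userId, enrollment);
}

function verifyPassword(userId, password) {
  const record = credentials.get(userId);
  // Unknown users are hashed against a dummy record so both paths do the same work.
  const salt = record ? record.salt : Buffer.alloc(16);
  const expected = record ? record.hash : Buffer.alloc(KEY_LEN);
  const match = timingSafeEqual(hashPassword(password, salt), expected);
  return Boolean(record) && match;
}

// The web-app password can change without touching the CA enrollment secret.
function changePassword(userId, oldPassword, newPassword) {
  if (!verifyPassword(userId, oldPassword)) return false;
  storeCredential(userId, newPassword);
  return true;
}

// Release the stored identity only after a successful password check.
function login(userId, password) {
  return verifyPassword(userId, password) ? wallet.get(userId) : null;
}

// Constructed sample data (not a real certificate or key).
registerLogin('alice', 'correct horse', { mspId: 'Org1MSP', certificate: 'PEM-PLACEHOLDER' });
```
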