SEP-0010: Add web auth domain manage data operation (v3.1.0) (#767)
### What

Add a new manage data operation containing the server domain of the SEP-10 server that the server includes in the challenge transaction.

### Why

The challenge transaction includes the home domain in the challenge transaction which provides some certainty to the client that the challenge transaction they are signing is for the home domain they intend to sign for.

In some situations where a home domain is not involved in the SEP-10 process it would be useful to have an explicit field containing the domain of the issuer so there is something the client can verify to ensure it is signing a change that was generated by the issuer and not just for the home domain.

In some cases the server domain and home domain are the same and this is somewhat redundant. However, the server domain is not always the same domain as the home domain because it is common to deploy SEP-10 as a separate service, and deploying separate services is usually easier implemented on different subdomains or entirely separate domains. This is reasonably common. One example of this is [this](https://stablecoin.anchorusd.com/.well-known/stellar.toml):

- Home domain is `stablecoin.anchorusd.com`
- SEP-10 domain is `api.anchorusd.com`

This change is not breaking for any server and client pair who are using [SEP-10 v2.1] or greater. SEP-10 v2.1 changes clients to allow there to be additional manage data operations as long as they followed some basic rules. It is not breaking because if servers include the new operation and clients have not upgraded, clients will ignore it. If clients upgrade and servers do not, clients will continue to verify challenge transactions because the new operation is only verified if the server includes it. Servers and clients opt-in to the benefit of an improved challenge-response handshake.

SDKs that implement this should probably make the new field mandatory in their APIs, but the optionality supports this change being backwards compatible and allows us to roll it out with zero coordination between clients and servers.

[SEP-10 v2.1]: 5acf11b
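The opt-in check described in the commit message, sketched as an added example that is not code from this commit or from any Stellar SDK. It assumes the operation key is `web_auth_domain` (taken from the SEP-10 text, not from this page), that additional operations are sourced from the server account, and it uses a constructed `ManageData` stand-in with placeholder account names.

```python
from dataclasses import dataclass

# Assumption: key name as given in the SEP-10 text; the commit message does not state it.
WEB_AUTH_DOMAIN_KEY = "web_auth_domain"


@dataclass(frozen=True)
class ManageData:
    """Constructed stand-in for a decoded manage data operation (not an SDK type)."""
    source: str
    name: str
    value: bytes


class ChallengeError(Exception):
    """Raised when the challenge must not be signed."""


def check_web_auth_domain(ops, server_account, web_auth_domain):
    """Verify the optional web auth domain operation of a challenge.

    Returns True when the operation is present and matches, False when the
    server did not include it (a server that has not upgraded). Raises
    ChallengeError on any mismatch. `web_auth_domain` is a required argument
    even though the operation itself is optional.
    """
    # ops[0] is the client-sourced home domain operation; only later ones apply here.
    found = [op for op in ops[1:] if op.name == WEB_AUTH_DOMAIN_KEY]
    for op in found:
        if op.source != server_account:
            raise ChallengeError("web_auth_domain operation not sourced from server account")
        if op.value != web_auth_domain.encode("utf-8"):
            raise ChallengeError(f"web_auth_domain {op.value!r} is not {web_auth_domain!r}")
    return bool(found)


# Constructed sample data: the domains are the pair named in the commit message,
# the account names and nonce are placeholders.
SERVER, CLIENT = "G_SERVER_PLACEHOLDER", "G_CLIENT_PLACEHOLDER"
HOME_OP = ManageData(CLIENT, "stablecoin.anchorusd.com auth", b"constructed-nonce")


def sample_challenge(domain=None, source=SERVER):
    """Build a constructed operation list, with or without the new operation."""
    extra = [ManageData(source, WEB_AUTH_DOMAIN_KEY, domain.encode())] if domain else []
    return [HOME_OP] + extra
```

A `False` return is the backwards-compatible path: the client proceeds with its existing checks and simply gains nothing from the new field.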