SEP-10 v3.0 Changes (from the SDF)

[JakeUrban]

SEP-10 3.0

TL;DR

Implement the changes described in the SEP-10 v3.0 PR by November 13th. It adds a check for the correct homeDomain value in the SEP-10 challenge transaction. homeDomain is the domain hosting the SEP-1 stellar.toml containing a WEB_AUTH_ENDPOINT and SIGNING_KEY.

The SEP-10 v3.0 PR is not merged, but the only changes still in discussion relate to phrasing. No more functional changes will be introduced.

Background & Description

Thank you for implementing SEP-10 v2.1, this removed the possibility of unexpected SEP-10 client-anchor incompatibility. Now that Anchors have been given time to update, Wallets can soon expect the Anchors they interact with to have a v2.1 challenge. This means their challenge transactions include the home domain that hosts the SEP-1 stellar.toml that has the WEB_AUTH_ENDPOINT used to obtain the JWT.

The next step is for SDK's to release changes supporting SEP-10 v3.0, which adds the check for the expected homeDomain back to SEP-10. Wallets should upgrade only when their partner anchors have upgraded to v2.1. This should be the case for all anchors by the time your v3.0 change is released.

Deadline

The SDF asks all SDK's to release new versions including SEP-10 v3.0 support by November 13th. On Monday November 16th the SDF will announce to the ecosystem SDK support for SEP-10 v3.0.

[JakeUrban]

@JakeUrban @rice2000 @leighmcculloch

[Synesso]

As Scala is not a language used on client devices, the implementation of SEP0010 is limited to server-side functions. Specifically:

• Generating a challenge
• Verifying a signed challenge
  It does not provide a function for client devices to validate the authenticity of challenges prior to signing.
  Because of this, this issue has no impact on this project.
  Please advise if you have any concerns.

[leighmcculloch]

Makes sense. Thanks @Synesso!!