Systems and methods for providing digital identity records to verify identities of users
US-2018288033-A1 · Oct 4, 2018 · US
US10924284B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10924284-B2 |
| Application number | US-202016735018-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 6, 2020 |
| Priority date | Jul 2, 2019 |
| Publication date | Feb 16, 2021 |
| Grant date | Feb 16, 2021 |
Official abstract text for this publication.
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for blockchain-based decentralized-identifier authentication, are provided. One of the methods includes: obtaining a request for authenticating a decentralized identifier (DID), wherein the request comprises the DID, a plaintext associated with a challenge for authenticating the DID, and a digital signature on the plaintext; obtaining a public key associated with the DID; determining, based on the obtained public key and the plaintext, that the digital signature on the plaintext is created based on a private key corresponding to the DID; and generating, based on the determination, a message confirming authentication of the DID.
Opening claim text (preview).
The invention claimed is:
1. A computer-implemented method for blockchain-based decentralized-identifier authentication, comprising: obtaining, by a server from a computing device, a request for authenticating a decentralized identifier (DID), wherein the request comprises the DID, a plaintext associated with a challenge for authenticating the DID, and a digital signature on the plaintext; generating, by the server, a blockchain transaction for retrieving a DID document corresponding to the DID from a blockchain, wherein the blockchain transaction invokes a blockchain contract for managing relationships between a plurality of DIDs and a plurality of corresponding DID documents; sending, by the server, the generated blockchain transaction to one or more blockchain nodes of the blockchain for adding to the blockchain, the one or more blockchain nodes being configured to, after the generated blockchain transaction is added to the blockchain, execute the blockchain contract based on the blockchain transaction to retrieve the DID document corresponding to the DID; receiving, by the server from at least one of the one or more blockchain nodes, the DID document corresponding to the DID, wherein the DID document comprises information associated with one or more authentication service endpoints associated with the DID, the information identifying the server as one of the one or more authentication service endpoints; retrieving, by the server, a public key associated with the DID from the received DID document; determining, by the server based on the obtained public key and the plaintext, that the digital signature on the plaintext is created based on a private key corresponding to the DID; generating, by the server based on the determination, a message confirming authentication of the DID; and sending, by the server to the computing device, the message confirming authentication of the DID.
2. The method of claim 1, wherein the blockchain contract comprises an interface for retrieving information associated with one or more DID documents corresponding to one or more DIDs.
3. The method of claim 1, further comprising: sending the message confirming authentication of the DID to a different computing device that is associated with a creator of the challenge for authenticating the DID.
4. The method of claim 1, wherein the obtained request for authenticating the DID comprises: a response to the challenge for authenticating the DID, the response comprising the digital signature on the plaintext.
5. The method of claim 1, further comprising, prior to obtaining the request for authenticating the DID: obtaining a request for creating the digital signature, wherein the request for creating the digital signature comprises the plaintext and information associated with the DID; and creating the digital signature on the plaintext based on the request for creating the digital signature.
6. The method of claim 5, wherein the creating the digital signature on the plaintext comprises: obtaining one or more permissions associated with a sender of the request for creating the digital signature; determining, based on the obtained one or more permissions and the information associated with the DID, whether the sender of the request for creating the digital signature is authorized to control one or more operations associated with the DID; and in response to determining that the sender of the request for creating the digital signature is authorized to control the one or more operations associated with the DID, creating the digital signature on the plaintext.
7. The method of claim 6, wherein the sender of the request for creating the digital signature comprises: an owner of the DID; or an entity authorized to control the one or more operations associated with the DID on behalf of the owner of the DID.
8. The method of claim 5, wherein the creating the digital signature on the plaintext comprises: sending instructions to a key management system (KMS) for signing the plaintext using the private key associated with the DID; and obtaining the digital signature from the KMS.
9. The method of claim 8, wherein the sending instructions to the KMS comprises: identifying a blockchain account associated with the DID; determining an identifier for the private key associated with the DID based on the identified blockchain account associated with the DID; and including the identifier for the private key associated with the DID in the instructions.
10. The method of claim 8, wherein the private key is stored in a trusted execution environment (TEE) associated with the KMS and the digital signature obtained from the KMS is generated in the TEE.
11. A non-transitory computer-readable storage medium for blockchain-based decentralized-identifier authentication, configured with instructions executable by one or more processors to cause the one or more processors to perform operations comprising: obtaining, from a computing device, a request for authenticating a decentralized identifier (DID), wherein the request comprises the DID, a plaintext associated with a challenge for authenticating the DID, and a digital signature on the plaintext; generating a blockchain transaction for retrieving a DID document corresponding to the DID from a blockchain, wherein the blockchain transaction invokes a blockchain contract for managing relationships between a plurality of DIDs and a plurality of corresponding DID documents; sending the generated blockchain transaction to one or more blockchain nodes of the blockchain for adding to the blockchain, the one or more blockchain nodes being configured to, after the generated blockchain transaction is added to the blockchain, execute the blockchain contract based on the blockchain transaction to retrieve the DID document corresponding to the DID; receiving, from at least one of the one or more blockchain nodes, the DID document corresponding to the DID, wherein the DID document comprises information associated with one or more authentication service endpoints associated with the DID, the information identifying the server as one of the one or more authentication service endpoints; retrieving a public key associated with the DID from the received DID document; determining, based on the obtained public key and the plaintext, that the digital signature on the plaintext is created based on a private key corresponding to the DID; generating, based on the determination, a message confirming authentication of the DID; and sending, to the computing device, the message confirming authentication of the DID.
12. The non-transitory computer-readable storage medium of claim 11, wherein the blockchain contract comprises an interface for retrieving information associated with one or more DID documents corresponding to one or more DIDs.
13. The non-transitory computer-readable storage medium of claim 11, wherein the operations further comprise: sending the message confirming authentication of the DID to a different computing device that is associated with a creator of the challenge for authenticating the DID.
14. The non-transitory computer-readable storage medium of claim 11, wherein the obtained request for authenticating the DID comprises: a response to the challenge for authenticating the DID, the response comprising the digital signature on the plaintext.
15. The non-transitory computer-readable storage medium of claim 11, wherein the operations further comprise, prior to obtaining the request for authenticating the DID: obtaining a request for creating the digital signature, wherein the requ
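The server-side verification sequence of claim 1 (resolve the DID document, confirm the server is a listed authentication service endpoint, take the public key from the document, check the signature on the challenge plaintext), written as an added example that is not part of the patent or of any implementation by its assignee. The in-memory map standing in for the blockchain contract, the Ed25519 key type, the DID string, the endpoint URL and the challenge value are all constructed assumptions; it also shows the three rejection paths (unknown DID, unlisted server, signature that does not verify) that the claim's positive checks imply.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// DIDDocument is what the registry contract returns for a DID: its public key and
// the servers its owner has named as authentication service endpoints (claim 1).
type DIDDocument struct {
	PublicKey            ed25519.PublicKey
	AuthServiceEndpoints []string
}
// AuthRequest carries the claim 1 request: DID, challenge plaintext, signature.
type AuthRequest struct {
	DID       string
	Plaintext []byte
	Signature []byte
}

// Authenticate runs the claim 1 server-side checks against registry, a constructed in-memory
// stand-in for the blockchain contract: resolve the DID document, confirm this server is a
// listed authentication endpoint, then verify the signature with the key from that document.
func Authenticate(registry map[string]DIDDocument, server string, req AuthRequest) (string, error) {
	doc, ok := registry[req.DID]
	if !ok {
		return "", fmt.Errorf("no DID document for %s", req.DID)
	}
	listed := false
	for _, ep := range doc.AuthServiceEndpoints {
		listed = listed || ep == server
	}
	if !listed {
		return "", fmt.Errorf("%s is not an authentication endpoint for %s", server, req.DID)
	}
	if !ed25519.Verify(doc.PublicKey, req.Plaintext, req.Signature) {
		return "", fmt.Errorf("signature does not verify under the public key of %s", req.DID)
	}
	return "authenticated " + req.DID, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // holder's key pair (constructed)
	registry := map[string]DIDDocument{"did:example:alice": {pub, []string{"https://auth.example"}}}
	challenge := []byte("nonce-7f3a") // constructed challenge plaintext from the relying party
	req := AuthRequest{"did:example:alice", challenge, ed25519.Sign(priv, challenge)}
	fmt.Println(Authenticate(registry, "https://auth.example", req))
}
```

The key used for verification comes only from the resolved DID document, so a request that carries its own key material gains nothing; the challenge plaintext is whatever the relying party issued, and its freshness is that party's responsibility.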
using hash chains, e.g. blockchains or hash trees · CPC title
providing single-sign-on or federations · CPC title
involving digital signatures · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM] · CPC title