
Question: how can I verify that the message of the EIP-4361 signature belongs to my domain to prevent replay attacks? #99

Open
klesun opened this issue Feb 9, 2023 · 1 comment

Comments


klesun commented Feb 9, 2023

Hello. I'm trying to integrate web3 authentication through your service on my website, following:
https://docs.unstoppabledomains.com/login-with-unstoppable/get-started-login/#step-3-display-the-users-domain

When I pass the authentication result from the frontend, I succeed in verifying that the signature matches the message, but I can't find any means in the documentation to prove that the message belongs to my Client ID/domain when I want to issue a session token for the user on my server. Without that proof, any other website could use their own message/signature to forge the identity of a user on my website.

All EIP-4361 messages uauth asks the user to sign seem to be exactly the same on any domain and with any client ID. They differ only in the nonce.

identity.unstoppabledomains.com wants you to sign in with your Ethereum account:
0x722eFe9E540b75D3A7370E97601f9988eF0dce34

I consent to giving access to: openid wallet

URI: uns:klesun.blockchain
Version: 1
Chain ID: 1
Nonce: 0xc57993101528465ec40462273acc1c3f136a1b92b6a1853f01936c1554f640c9
Issued At: 2023-02-09T17:31:31.940Z

Is there a way, perhaps, to determine that the authentication belongs to my client ID by this nonce? Or to somehow pass a custom nonce or an identifiable extra EIP-4361 field to the message before offering it to the user to sign? Or perhaps there is a REST API that I could call from the server to confirm that this signature was indeed issued for my website, not for some other?

https://en.wikipedia.org/wiki/Replay_attack
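For reference, this is the binding check a relying party performs on a standard EIP-4361 message it issued itself, which is what the question is missing: parse the message, then require the domain and nonce to be ones this server expects, and consume the nonce so the same signed message cannot be replayed. This is an added example, not code from uauth or from this issue; the expected domain `example.com`, the server-side nonce set, and the five-minute freshness window are assumptions.

```javascript
// Added example (not uauth code): bind an EIP-4361 message to this server
// before trusting a signature that has already been verified cryptographically.
const FIELD_RE = /^(URI|Version|Chain ID|Nonce|Issued At|Expiration Time|Not Before|Request ID): (.+)$/;

function parseSiwe(message) {
  const lines = message.split("\n");
  const header = /^(\S+) wants you to sign in with your Ethereum account:$/.exec(lines[0]);
  if (!header || !/^0x[0-9a-fA-F]{40}$/.test(lines[1])) {
    throw new Error("not an EIP-4361 message");
  }
  const fields = { domain: header[1], address: lines[1], statement: "" };
  for (const line of lines.slice(2)) {
    const kv = FIELD_RE.exec(line);
    if (kv) fields[kv[1]] = kv[2];
    else if (line && !fields.URI) fields.statement = line; // free-text statement precedes the fields
  }
  return fields;
}

// issuedNonces: Set of nonces THIS server handed out and has not yet consumed (assumed store).
// Returns the reasons the message must not start a session; an empty list means accept.
function bindingProblems(fields, expected, issuedNonces, now = Date.now(), maxAgeMs = 5 * 60 * 1000) {
  const problems = [];
  if (fields.domain !== expected.domain) problems.push(`domain ${fields.domain} is not ${expected.domain}`);
  if (!issuedNonces.has(fields.Nonce)) problems.push("nonce was not issued by this server or was already used");
  const issuedAt = Date.parse(fields["Issued At"]);
  if (Number.isNaN(issuedAt) || now - issuedAt > maxAgeMs || issuedAt - now > 60 * 1000) problems.push("issued-at outside window");
  if (fields["Expiration Time"] && Date.parse(fields["Expiration Time"]) <= now) problems.push("message expired");
  if (problems.length === 0) issuedNonces.delete(fields.Nonce); // single use: consume only on success
  return problems;
}

// Constructed sample in the shape of the message quoted in the issue, but with this server's own domain.
const NONCE = "0xc57993101528465ec40462273acc1c3f136a1b92b6a1853f01936c1554f640c9";
const SAMPLE = [
  "example.com wants you to sign in with your Ethereum account:",
  "0x722eFe9E540b75D3A7370E97601f9988eF0dce34",
  "",
  "I consent to giving access to: openid wallet",
  "",
  "URI: https://example.com/login",
  "Version: 1",
  "Chain ID: 1",
  `Nonce: ${NONCE}`,
  "Issued At: 2023-02-09T17:31:31.940Z",
].join("\n");
```

A message whose header names a different domain, or whose nonce this server never issued, fails the check even though its signature is valid; that is the gap the question describes for messages whose domain is identity.unstoppabledomains.com.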


klesun commented Feb 10, 2023

We could use the https://auth.unstoppabledomains.com/userinfo API from the server to validate the accessToken, but I don't see a way to confirm that this access token was issued for our client ID, so the owner of any other website using uauth would be able to impersonate a user on our website using an accessToken issued on their website.
