[Request]: OIDC recovery #252
Description
📝 Description
Feature Request
Description
Implement end-to-end OIDC (Google OAuth) recovery flow for account recovery in
the zksync-sso-4337 stack.
Currently, OIDC recovery functionality is fully commented out across the
codebase with numerous TODO comments indicating "OIDC is not yet available in
zksync-sso-4337". While the smart contracts (OidcRecoveryValidator) and UI
components exist, the integration layer between the auth-server and sdk-4337 is
missing, preventing users from recovering their accounts using Google OAuth.
Rationale
Current State:
The following components are commented out and non-functional:
-
useRecoveryOidc.ts- Recovery composable for OIDC flows- Location:
packages/auth-server/composables/useRecoveryOidc.ts - Contains logic for: building OIDC digests, getting OIDC accounts,
generating ZK proofs, and executing recovery
- Location:
-
useGoogleOauth.ts- Google OAuth authentication flow- Location:
packages/auth-server/composables/useGoogleOauth.ts - Contains logic for: JWT extraction, popup window management, Google login
integration
- Location:
-
useOidcConfig.ts- OIDC configuration management- Location:
packages/auth-server/composables/useOidcConfig.ts - Validates: Google public client, salt service URL, zkey URL, witness WASM
URL
- Location:
-
getOidcClient()in client.ts - OIDC client factory- Location:
packages/auth-server/stores/client.ts(lines 163-174) - Needs:
createZkSyncOidcClientfunction from sdk-4337
- Location:
-
Recovery page - Google recovery UI disabled
- Location:
packages/auth-server/pages/recovery/google/index.vue - Currently:
const enabled = falseforces redirect to home page - Components exist:
account-recovery-oidc-recovery-flow-rootis ready
- Location:
Why This Matters:
-
User Experience: Account recovery via Google OAuth is a critical feature
for users who lose access to their passkeys. Without it, users must rely
solely on guardian recovery or lose access to their accounts permanently. -
Feature Parity: The original zksync-sso SDK supported OIDC recovery. The
migration to ERC-4337 (sdk-4337) left this feature behind, creating a
regression in functionality. -
Existing Infrastructure: Smart contracts are deployed
(OidcRecoveryValidatorat0x6E4085794CaaEa6A24E1F9a1B9dAF155e57FD5bb), UI
components are built, and configuration exists. Only the integration layer is
missing. -
ZK Circuit Integration: The codebase includes ZK circuit integration
(jwt-tx-validation.zkey,jwt-tx-validation.wasm) for privacy-preserving
OIDC recovery, but it remains unused.
Missing Components in sdk-4337:
createZkSyncOidcClient()function to create OIDC-based smart account clients- OIDC account integration with ERC-4337 bundler flow
- OIDC signature validation and transaction signing
- Integration between JWT verification and account recovery contracts
Desired State:
Users should be able to:
- Navigate to
/recovery/google - Click "Sign in with Google" and authenticate via OAuth popup
- Receive JWT token from Google with account claims (iss, aud, sub)
- Generate ZK proof proving JWT ownership without revealing sensitive data
- Submit recovery request to
OidcRecoveryValidatorcontract - After delay period, execute recovery to add new passkey to their account
This would provide a complete, working flow:
// Enabled recovery page
const { enabled } = useOidcConfig(); // true when configured
// Working OIDC client creation
const client = getOidcClient({ chainId, address });
// Functional recovery composable
const { executeRecovery } = useRecoveryOidc();
const jwt = await useGoogleOauth().login();
const proof = await buildProof(jwt);
await executeRecovery({ jwt, proof, newPasskey });Additional Context
-
Commented Files:
packages/auth-server/composables/useRecoveryOidc.ts(166 lines commented)packages/auth-server/composables/useGoogleOauth.ts(92 lines commented)packages/auth-server/composables/useOidcConfig.ts(70 lines commented)packages/auth-server/stores/client.ts(getOidcClient function, lines
163-174)
-
Smart Contract Support:
- Contract:
OidcRecoveryValidatordeployed and initialized - ABI:
packages/sdk/src/abi/OidcRecoveryValidator.ts(ready to use) - Functions:
oidcDataForAddress,executeRecovery,startRecovery
- Contract:
-
UI Components (ready but disabled):
account-recovery-oidc-recovery-flow-root- Step components: Step1-4 for guided recovery flow
- Page:
/recovery/google/index.vue
-
Configuration (in nuxt.config.ts):
NUXT_PUBLIC_GOOGLE_CLIENT_ID- Google OAuth client IDNUXT_PUBLIC_OIDC_SALT_SERVICE_URL- Salt service for OIDC digestNUXT_PUBLIC_ZKEY_URL- ZK proof generation keyNUXT_PUBLIC_WITNESS_WASM_URL- WASM witness calculator
Implementation Requirements:
-
Add OIDC client to sdk-4337:
- Create
createZkSyncOidcClient()function similar to
createPasskeyClient() - Implement OIDC signature scheme for ERC-4337 UserOperations
- Add OIDC account support in bundler flow
- Create
-
Uncomment and update auth-server composables:
- Update imports to use sdk-4337 versions
- Update contract addresses to use
contractsByChain - Test with current smart contract deployments
-
Enable recovery page:
- Change
const enabled = falseto useuseOidcConfig().enabled - Ensure UI components work with updated composables
- Change
-
Testing:
- E2E test for full OIDC recovery flow
- Integration tests for ZK proof generation
- Contract interaction tests with
OidcRecoveryValidator
-
Documentation:
- Update README with OIDC recovery instructions
- Document required environment variables
- Add troubleshooting guide for Google OAuth setup
Related Work:
- Original implementation in
zksync-ssoSDK (pre-4337) - Guardian recovery flow (recently completed) can serve as reference for
recovery UX patterns - ZK circuits package (
zksync-sso-circuits) is ready with
JwtTxValidationInputsandOidcDigest
Impact: This is a high-priority feature that completes the account
recovery story. Without OIDC recovery, users who lose their passkeys and don't
have guardians configured permanently lose access to their accounts.
🤔 Rationale
No response
📋 Additional context
No response