-
Notifications
You must be signed in to change notification settings - Fork 43
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
# What 💻 Adding ZKsync SSO docs # Why ✋ Getting ready to launch this product # Evidence 📷 <img width="1046" alt="image" src="https://github.com/user-attachments/assets/71ea10cc-952d-46d4-915c-1f2d1c7e378e"> <!-- Thank you for contributing to the ZKsync Docs! Before submitting the PR, please make sure you do the following: - Update your PR title to follow [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) - Read the [Contributing Guide](https://github.com/matter-labs/zksync-docs/blob/main/CONTRIBUTING.md). - Understand our [Code of Conduct](https://github.com/matter-labs/zksync-docs/blob/main/CODE_OF_CONDUCT.md) - Please delete any unused parts of the template when submitting your PR --> --------- Co-authored-by: Jack Hamer <[email protected]> Co-authored-by: Sabrina <[email protected]> Co-authored-by: Dustin Brickwood <[email protected]> Co-authored-by: Colin <[email protected]> Co-authored-by: Nicolas Villanueva <[email protected]>
- Loading branch information
6 people
authored
Nov 16, 2024
1 parent
d3eed2b
commit c7ad824
Showing
16 changed files
with
671 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| --- | ||
| title: Intro | ||
| description: Learn about ZKsync Smart Sign-on. | ||
| --- | ||
|
|
||
| A user & developer friendly modular smart account implementation on ZKsync; | ||
| simplifying user authentication, session management, and transaction processing. | ||
|
|
||
| Try our [demo app](https://nft.zksync.dev) to see the great user experience you can offer to your users. | ||
|
|
||
| ## Features and Goals | ||
|
|
||
| ::callout{icon="i-heroicons-exclamation-triangle" color="amber"} | ||
| ZKsync SSO is under active development and is not yet feature complete. | ||
| Use it to improve your development applications and tooling. | ||
| Please do not use it in production environments. | ||
| :: | ||
|
|
||
| - 🧩 Modular smart accounts based on | ||
| [ERC-7579](https://eips.ethereum.org/EIPS/eip-7579#modules) | ||
| - 🔑 Passkey authentication (no seed phrases) | ||
| - ⏰ Sessions w/ easy configuration and management | ||
| - 💰 Integrated paymaster support | ||
| - ❤️🩹 Account recovery _(Coming Soon)_ | ||
| - 💻 Simple SDKs : JavaScript, iOS/Android _(Coming Soon)_ | ||
| - 🤝 Open-source authentication server | ||
| - 🎓 Examples to get started quickly | ||
|
|
||
| ## Integrate ZKsync SSO to your app | ||
|
|
||
| See [Getting Started](/build/zksync-sso/getting-started) to learn how easy it is to integrate ZKsync SSO into your application. | ||
|
|
||
| ## Further Assistance | ||
|
|
||
| Need help? Join our [GitHub Discussions](%%zk_git_repo_zksync-developers%%/discussions/) | ||
| to ask questions, share your experiences, and connect with the ZKsync community. | ||
|
|
||
| <!--- | ||
| ## Source Code | ||
| The [ZKsync SSO Project](https://github.com/matter-labs/zksync-sso) | ||
| is open-source and available on GitHub under the MIT License. | ||
| Feel free to contribute, report issues, or suggest new features to help us improve the tool for everyone.---> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| --- | ||
| title: Architecture | ||
| description: Learn about architectural components of ZKsync SSO and how they work together. | ||
| --- | ||
|
|
||
| The ZKsync SSO consists of three components that work together to offer a seamless experience for both developers and users. | ||
|
|
||
| ## ZKsync SSO Developer SDK | ||
|
|
||
| The **Developer SDK** is a client-side library that developers can integrate into their applications with minimal effort. | ||
| It handles authentication and session management with the spend limit controls, | ||
| allowing developers to enhance security and streamline the user experience, without dealing with complex wallet and key management infrastructure. | ||
|
|
||
| **Features:** | ||
|
|
||
| - **Authentication:** Enables users to authenticate using passkeys, supporting PIN or biometric methods like Face ID and fingerprint recognition. | ||
| - **Session and Spend Limit Management:** Allows applications to manage user sessions with specific spend limits, | ||
| enhancing security by restricting the scope and usage of session keys. | ||
|
|
||
| **Platforms:** | ||
|
|
||
| - **Web SDK:** Available now, implemented in JavaScript for web applications. | ||
| - **Swift SDK:** For iOS applications (*coming soon*). | ||
| - **Kotlin SDK:** For Android applications (*coming soon*). | ||
|
|
||
| ### ZKsync SSO Auth Server | ||
|
|
||
| The **Auth Server** is a single-page-application | ||
| (provided by ZKsync as a public good) | ||
| that facilitates key aspects of the authentication process. | ||
| It acts as a non-custodial intermediary between the client application and the ZKsync chain, handling: | ||
|
|
||
| - **Passkey Creation:** Assists in generating and managing user passkeys for secure authentication. | ||
| - **Session Settings:** Manages user sessions, including session keys with their associated permissions/spend limits. | ||
| - **Transaction Signatures:** Facilitates the signing of transactions. | ||
|
|
||
| This component ensures that sensitive operations are handled securely and efficiently without exposing | ||
| private keys or requiring users to manage complex cryptographic details. | ||
| Hosting this on a trusted domain allows for multiple applications to easily interoperate, while storing data | ||
| on-chain for the full benefits of decentralization. | ||
|
|
||
| ## Smart Contracts | ||
|
|
||
| A set of smart contracts deployed on the ZKsync chain manage accounts, passkeys, and sessions. | ||
| These contracts form the on-chain backbone of the ZKsync SSO system. | ||
|
|
||
| - **ERC7579Account.** Implements the ZKSync modular account standard, allowing for extensible smart account functionalities. | ||
| - **AAFactory.** A factory contract used to deploy new user accounts on the chain efficiently. | ||
| - **SessionKeyValidator.** Manages session keys with specific spend limits, enhancing security by restricting their scope and usage. | ||
| - **WebAuthnModule.** Handles authentication using WebAuthn standards, enabling passkey-based authentication methods. | ||
| - **Account Proxies.** Each user account is an upgradable proxy contract for the ZKsync smart-sign-on implemention. | ||
|
|
||
| ## Diagram | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| --- | ||
| title: FAQs | ||
| description: Frequently asked questions about ZKsync SSO. | ||
| --- | ||
|
|
||
| ## What login options are supported? | ||
|
|
||
| Currently, only login with passkeys is supported in ZKsync SSO. | ||
| We are working on adding support for logging in with an Externally Owned Account (EOA) in the future. | ||
|
|
||
| ## What are passkeys? | ||
|
|
||
| Passkeys are digital credentials that eliminate the need for traditional passwords by using asymmetric cryptography for authentication. | ||
| They consist of a key pair: | ||
|
|
||
| - **Private Key**: Stored securely on the user's device (e.g., in a secure enclave or Trusted Platform Module) and never leaves the device. | ||
| - **Public Key**: Shared with the relying party (ZKsync SSO Auth Server and associated smart contracts) during registration. | ||
|
|
||
| Passkeys are based on the [WebAuthn](https://www.w3.org/TR/webauthn-2/) API and the FIDO2 standards, | ||
| which support various authenticators like built-in device biometrics (fingerprint sensors, facial recognition) | ||
| or external hardware security keys (YubiKey, SoloKeys). This ensures a high level of security and a seamless user experience. | ||
|
|
||
| ## What recovery options are available if I lose my passkey? | ||
|
|
||
| In case you lose your passkeys, ZKsync SSO provides several methods to recover your account: | ||
|
|
||
| ### Multiple Devices with Passkey Synchronization | ||
|
|
||
| You can synchronize your passkeys across multiple devices using services like iCloud Keychain for Apple devices or similar services on other platforms. | ||
| This means if one device is lost, your passkeys are still accessible on other synchronized devices. | ||
|
|
||
| <!-- | ||
| ### Adding Another Passkey (*coming soon*) | ||
| You will be able to register a new device by adding a new passkey to your account. This typically involves verifying your identity on the new device, | ||
| after which the new passkey is securely associated with your account. | ||
| ### Recovery via Externally Owned Account (EOA) (*coming soon*) | ||
| You will soon be able to link an Externally Owned Account (EOA) to your ZKsync SSO account. If passkeys are lost, | ||
| you can recover access by authenticating with your EOA, providing an additional layer of security and recovery options. | ||
| ### Recovery via OAuth (*coming soon*) | ||
| The OAuth Recovery ERC-7579 module enables you to set up account recovery through OAuth tokens associated with your existing Web2 logins like | ||
| Gmail, Facebook, or X (formerly Twitter). This allows you to regain access by logging in with your familiar social media or email accounts. | ||
| --> | ||
| ## How secure is ZKsync SSO? | ||
|
|
||
| ZKsync SSO uses passkey authentication method to ensure that your account remains secure. | ||
| Private keys never leave your device, and biometric authentication adds an extra layer of security. | ||
|
|
||
| ## Is ZKsync SSO free to integrate? | ||
|
|
||
| Yes, developers can integrate it into their applications without any licensing fees. | ||
|
|
||
| ## How do I integrate ZKsync SSO into my application? | ||
|
|
||
| Developers can integrate ZKsync SSO by using the available SDKs for web applications. Mobile SDKs for iOS and Android are coming soon. | ||
| Refer to the [Getting Started Guide](/build/zksync-sso/getting-started) for detailed instructions. | ||
|
|
||
| ## Have more questions? | ||
|
|
||
| Join our [GitHub Discussions](%%zk_git_repo_zksync-developers%%/discussions/) | ||
| to ask questions, share your experiences, and connect with the ZKsync community. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| --- | ||
| title: Features | ||
| description: Learn about the features of ZKsync SSO. | ||
| --- | ||
|
|
||
| ## Passkey Authentication | ||
|
|
||
| Passkeys are a core feature supported by ZKsync SSO that enable secure, | ||
| passwordless authentication for users interacting with applications on the ZK Chain. | ||
| Stored on users' devices, these passkeys make for a self-custodial and secure solution to private key management. | ||
| This standard also supports biometric authentication methods like Face ID and fingerprint recognition, | ||
| utilizing the secp256r1 elliptic curve via native precompile in ZKsync. | ||
|
|
||
| ## Sessions | ||
|
|
||
| A session is a temporary key that grants limited permissions to an account, | ||
| governed by a configurable policy set by the developer based on the needs of their application. | ||
| These sessions require explicit approval from the account owners and can be revoked or removed at any time after creation. | ||
| A session key holder can execute a restricted set of transactions from the account without needing the account owner’s signature for each action. | ||
|
|
||
| When an application requests a session, it specifies the desired policies that limit what that session key can do, which the account owner can approve. | ||
| This ensures that even if the session key is compromised, the potential loss is capped. | ||
|
|
||
| ## Account Recovery | ||
|
|
||
| <!-- There are several methods available to users to recover their account: --> | ||
|
|
||
| **Multiple Devices with Passkey Synchronization** | ||
|
|
||
| Users can synchronize their passkeys across multiple devices using services like iCloud Keychain for Apple devices or similar services on other platforms. | ||
| This means if one device is lost, the passkeys are still accessible on other synchronized devices. | ||
|
|
||
| *More account recovery options are coming soon* | ||
|
|
||
| <!-- | ||
| **Adding another auth page — *coming soon**?* | ||
| To avoid the reliance on a single trusted domain, | ||
| users can create or connect to a ZKsync SSO auth page hosted on a different domain! | ||
| By providing their account address, the alternate page can provide a great back-up location for passkeys. | ||
| These passkeys could be stored via FIDO device or a different online passkey provider than the primary key. | ||
| **Adding another passkey — *coming soon*** | ||
| Users can register a new device by adding a new passkey to their account. | ||
| This typically involves verifying their identity on the new device, after which the new passkey is securely associated with their account. | ||
| **Recovery via Externally Owned Account (EOA) — *coming soon*** | ||
| Users will soon be able to link an EOA to their ZKsync SSO. | ||
| If passkeys are lost, they can recover access by authenticating with their EOA, providing an additional layer of security and recovery option. | ||
| **Recovery via OAuth 2.0 — *coming soon*** | ||
| OAuth Recovery ERC-7579 module enables users to set up an account recovery through OAuth tokens associated with their existing Web2 logins like | ||
| Gmail, Facebook, or X (formerly Twitter). This allows users to regain access by logging in with their familiar social media or email accounts. | ||
| ## User Dashboard | ||
| ZKsync SSO provides a dashboard where users can conveniently manage their accounts through a web interface. This dashboard offers several key features: | ||
| - View their asset balances across all the ZK Chains. | ||
| - Add or remove passkeys or devices. | ||
| - Configure account recovery options. | ||
| - View all active sessions connected to their account and terminate unwanted sessions. | ||
| - View their transaction history. | ||
| --> | ||
|
|
||
| ## Modular | ||
|
|
||
| Developers can enhance the functionality of ZKsync SSO accounts by implementing compatible modules via smart contracts. | ||
| The module interface is based on [ERC-7579](https://eips.ethereum.org/EIPS/eip-7579#modules) | ||
| to allow maximum flexibility while using ZKsync's powerful native account abstraction to developer overhead. | ||
|
|
||
| The existing passkey and session features are already implemented as modules, | ||
| and installed by default for every new account deployment. | ||
| Modules can be added or removed from the account, without having to migrate or upgrade the whole account! |
Oops, something went wrong.