Architecture
The ZKsync SSO consists of three components that work together to offer a seamless experience for both developers and users.
ZKsync SSO Developer SDK
The Developer SDK is a client-side library that developers can integrate into their applications with minimal effort. It handles authentication and session management with the spend limit controls, allowing developers to enhance security and streamline the user experience, without dealing with complex wallet and key management infrastructure.
Features:
- Authentication: Enables users to authenticate using passkeys, supporting PIN or biometric methods like Face ID and fingerprint recognition.
- Session and Spend Limit Management: Allows applications to manage user sessions with specific spend limits, enhancing security by restricting the scope and usage of session keys.
Platforms:
- Web SDK: Available now, implemented in JavaScript for web applications.
- Swift SDK: For iOS applications (coming soon).
- Kotlin SDK: For Android applications (coming soon).
ZKsync SSO Auth Server
The Auth Server is a single-page-application (provided by ZKsync as a public good) that facilitates key aspects of the authentication process. It acts as a non-custodial intermediary between the client application and the ZKsync chain, handling:
- Passkey Creation: Assists in generating and managing user passkeys for secure authentication.
- Session Settings: Manages user sessions, including session keys with their associated permissions/spend limits.
- Transaction Signatures: Facilitates the signing of transactions.
This component ensures that sensitive operations are handled securely and efficiently without exposing private keys or requiring users to manage complex cryptographic details. Hosting this on a trusted domain allows for multiple applications to easily interoperate, while storing data on-chain for the full benefits of decentralization.
Smart Contracts
A set of smart contracts deployed on the ZKsync chain manage accounts, passkeys, and sessions. These contracts form the on-chain backbone of the ZKsync SSO system.
- SsoAccount. Implements the ZKSync modular account standard, allowing for extensible smart account functionalities.
- AAFactory. A factory contract used to deploy new user accounts on the chain efficiently.
- SessionKeyValidator. Manages session keys with specific spend limits, enhancing security by restricting their scope and usage.
- WebAuthnModule. Handles authentication using WebAuthn standards, enabling passkey-based authentication methods.
- Account Proxies. Each user account is an upgradable proxy contract for the ZKsync smart-sign-on implemention.