Add WDK Google ID token auth flow (#977)

* Add WDK Google ID token auth flow

* Unify Google WDK auth kinds

* Refine WDK Google id token flow

* Fix id-token auth key cleanup on signer mismatch

* Restore guard error logging

* Unify Google WDK signer kind

* Fix WDK auth flow cleanup and implicit session metadata

Author: tolgahan-arikan

packages/services/guard/src/sequence.ts

@@ -50,7 +50,7 @@ export class Guard implements Types.Guard {
         throw new Types.AuthRequiredError('PIN')
       }
       console.error(error)
-      throw new Error('Error signing with guard')
+      throw new Error('Error signing with guard', { cause: error })
     }
   }
 }

packages/services/guard/test/sequence.test.ts

@@ -116,6 +116,21 @@ describe('Sequence', () => {
         ).rejects.toThrow('Error signing with guard')
       })
 
+      it('Should preserve the original guard failure as cause', async () => {
+        mockFetch.mockRejectedValueOnce(new Error('Network error'))
+
+        try {
+          await guard.signPayload(testWallet, 42161, PayloadType.ConfigUpdate, testMessageDigest, testMessage)
+          throw new Error('Expected signPayload to throw')
+        } catch (error) {
+          expect(error).toBeInstanceOf(Error)
+          expect((error as Error).message).toBe('Error signing with guard')
+          expect((error as Error & { cause?: unknown }).cause).toBeInstanceOf(Error)
+          expect((error as Error & { cause?: Error }).cause?.name).toBe('WebrpcRequestFailed')
+          expect((error as Error & { cause?: Error }).cause?.message).toBe('request failed')
+        }
+      })
+
       it('Should include proper headers and signer address in request', async () => {
         const mockGuardAddress = '0x9876543210987654321098765432109876543210' as Address.Address
         const customGuard = new Guard('https://guard.sequence.app', mockGuardAddress, fetch)

packages/wallet/wdk/src/sequence/handlers/authcode.ts

@@ -6,6 +6,7 @@ import * as Identity from '@0xsequence/identity-instrument'
 import { SignerUnavailable, SignerReady, SignerActionable, BaseSignatureRequest } from '../types/signature-request.js'
 import { IdentitySigner } from '../../identity/signer.js'
 import { IdentityHandler } from './identity.js'
+import { Kinds } from '../types/signer.js'
 import type { NavigationLike, WdkEnv } from '../../env.js'
 
 export class AuthCodeHandler extends IdentityHandler implements Handler {
@@ -26,6 +27,11 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
   }
 
   public get kind() {
+    if (this.signupKind === 'google-pkce') {
+      // Keep Google PKCE on the canonical kind so Google signers created before
+      // canonicalization still resolve as `login-google`.
+      return Kinds.LoginGoogle
+    }
     return 'login-' + this.signupKind
   }
 

packages/wallet/wdk/src/sequence/handlers/identity.ts

@@ -81,6 +81,10 @@ export class IdentityHandler {
     return new IdentitySigner(this.nitro, authKey, this.env.crypto)
   }
 
+  protected async clearAuthKeySigner(address: string): Promise<void> {
+    await this.authKeys.delBySigner(address)
+  }
+
   private async getAuthKey(signer: string): Promise<Db.AuthKey | undefined> {
     let authKey = await this.authKeys.getBySigner(signer)
     if (!signer && !authKey) {

packages/wallet/wdk/src/sequence/handlers/idtoken.ts

@@ -0,0 +1,140 @@
+import { Address, Hex } from 'ox'
+import { Signers } from '@0xsequence/wallet-core'
+import { Handler } from './handler.js'
+import * as Identity from '@0xsequence/identity-instrument'
+import * as Db from '../../dbs/index.js'
+import { Signatures } from '../signatures.js'
+import { SignerActionable, SignerReady, SignerUnavailable, BaseSignatureRequest } from '../types/signature-request.js'
+import { IdentitySigner } from '../../identity/signer.js'
+import { IdentityHandler } from './identity.js'
+import { Kinds } from '../types/signer.js'
+import type { WdkEnv } from '../../env.js'
+
+type RespondFn = (idToken: string) => Promise<void>
+
+export type PromptIdTokenHandler = (kind: 'google-id-token' | `custom-${string}`, respond: RespondFn) => Promise<void>
+
+export class IdTokenHandler extends IdentityHandler implements Handler {
+  private onPromptIdToken: undefined | PromptIdTokenHandler
+
+  constructor(
+    public readonly signupKind: 'google-id-token' | `custom-${string}`,
+    public readonly issuer: string,
+    public readonly audience: string,
+    nitro: Identity.IdentityInstrument,
+    signatures: Signatures,
+    authKeys: Db.AuthKeys,
+    env?: WdkEnv,
+  ) {
+    super(nitro, authKeys, signatures, Identity.IdentityType.OIDC, env)
+  }
+
+  public get kind() {
+    if (this.signupKind === 'google-id-token') {
+      return Kinds.LoginGoogle
+    }
+    return 'login-' + this.signupKind
+  }
+
+  public registerUI(onPromptIdToken: PromptIdTokenHandler) {
+    this.onPromptIdToken = onPromptIdToken
+    return () => {
+      this.onPromptIdToken = undefined
+    }
+  }
+
+  public unregisterUI() {
+    this.onPromptIdToken = undefined
+  }
+
+  public async completeAuth(idToken: string): Promise<[IdentitySigner, { [key: string]: string }]> {
+    const challenge = new Identity.IdTokenChallenge(this.issuer, this.audience, idToken)
+    await this.nitroCommitVerifier(challenge)
+    const { signer: identitySigner, email } = await this.nitroCompleteAuth(challenge)
+
+    return [identitySigner, { email }]
+  }
+
+  public async getSigner(): Promise<{ signer: Signers.Signer & Signers.Witnessable; email: string }> {
+    const onPromptIdToken = this.onPromptIdToken
+    if (!onPromptIdToken) {
+      throw new Error('id-token-handler-ui-not-registered')
+    }
+
+    return await this.handleAuth(onPromptIdToken)
+  }
+
+  async status(
+    address: Address.Address,
+    _imageHash: Hex.Hex | undefined,
+    request: BaseSignatureRequest,
+  ): Promise<SignerUnavailable | SignerReady | SignerActionable> {
+    const signer = await this.getAuthKeySigner(address)
+    if (signer) {
+      return {
+        address,
+        handler: this,
+        status: 'ready',
+        handle: async () => {
+          await this.sign(signer, request)
+          return true
+        },
+      }
+    }
+
+    const onPromptIdToken = this.onPromptIdToken
+    if (!onPromptIdToken) {
+      return {
+        address,
+        handler: this,
+        reason: 'ui-not-registered',
+        status: 'unavailable',
+      }
+    }
+
+    return {
+      address,
+      handler: this,
+      status: 'actionable',
+      message: 'request-id-token',
+      handle: async () => {
+        try {
+          const { signer } = await this.handleAuth(onPromptIdToken)
+          const signerAddress = (await signer.address) as Address.Address
+          if (!Address.isEqual(signerAddress, address)) {
+            // ID-token auth prompts are keyed by provider kind, not the requested signer address.
+            // For example, a user can pick a different Google account in the account picker and
+            // return a token for a different identity than this request expects.
+            await this.clearAuthKeySigner(signerAddress)
+            throw new Error('id-token-signer-mismatch')
+          }
+          return true
+        } catch {
+          return false
+        }
+      },
+    }
+  }
+
+  private handleAuth(
+    onPromptIdToken: PromptIdTokenHandler,
+  ): Promise<{ signer: Signers.Signer & Signers.Witnessable; email: string }> {
+    // eslint-disable-next-line no-async-promise-executor
+    return new Promise(async (resolve, reject) => {
+      try {
+        const respond: RespondFn = async (idToken) => {
+          try {
+            const [signer, metadata] = await this.completeAuth(idToken)
+            resolve({ signer, email: metadata.email || '' })
+          } catch (error) {
+            reject(error)
+          }
+        }
+
+        await onPromptIdToken(this.signupKind, respond)
+      } catch (error) {
+        reject(error)
+      }
+    })
+  }
+}

packages/wallet/wdk/src/sequence/handlers/index.ts

@@ -3,4 +3,5 @@ export { DevicesHandler } from './devices.js'
 export { PasskeysHandler } from './passkeys.js'
 export { OtpHandler } from './otp.js'
 export { AuthCodePkceHandler } from './authcode-pkce.js'
+export { IdTokenHandler } from './idtoken.js'
 export { MnemonicHandler } from './mnemonic.js'

packages/wallet/wdk/src/sequence/manager.ts

@@ -14,6 +14,7 @@ import {
   AuthCodePkceHandler,
   DevicesHandler,
   Handler,
+  IdTokenHandler,
   MnemonicHandler,
   OtpHandler,
   PasskeysHandler,
@@ -31,9 +32,25 @@ import { Wallets, WalletsInterface } from './wallets.js'
 import { GuardHandler, PromptCodeHandler } from './handlers/guard.js'
 import { PasskeyCredential } from '../dbs/index.js'
 import { PromptMnemonicHandler } from './handlers/mnemonic.js'
+import { PromptIdTokenHandler } from './handlers/idtoken.js'
 import { PromptOtpHandler } from './handlers/otp.js'
 import { defaultPasskeyProvider, type PasskeyProvider } from './passkeys-provider.js'
 
+type CustomIdentityProvider =
+  | {
+      kind: `custom-${string}`
+      authMethod: 'id-token'
+      issuer: string
+      clientId: string
+    }
+  | {
+      kind: `custom-${string}`
+      authMethod: 'authcode' | 'authcode-pkce'
+      issuer: string
+      oauthUrl: string
+      clientId: string
+    }
+
 export type ManagerOptions = {
   verbose?: boolean
 
@@ -85,18 +102,13 @@ export type ManagerOptions = {
     google?: {
       enabled: boolean
       clientId: string
+      authMethod?: 'authcode-pkce' | 'id-token'
     }
     apple?: {
       enabled: boolean
       clientId: string
     }
-    customProviders?: {
-      kind: `custom-${string}`
-      authMethod: 'id-token' | 'authcode' | 'authcode-pkce'
-      issuer: string
-      oauthUrl: string
-      clientId: string
-    }[]
+    customProviders?: CustomIdentityProvider[]
   }
 }
 
@@ -112,18 +124,13 @@ export type ResolvedIdentityOptions = {
   google: {
     enabled: boolean
     clientId: string
+    authMethod: 'authcode-pkce' | 'id-token'
   }
   apple: {
     enabled: boolean
     clientId: string
   }
-  customProviders?: {
-    kind: `custom-${string}`
-    authMethod: 'id-token' | 'authcode' | 'authcode-pkce'
-    issuer: string
-    oauthUrl: string
-    clientId: string
-  }[]
+  customProviders?: CustomIdentityProvider[]
 }
 
 export type ResolvedManagerOptions = {
@@ -248,6 +255,7 @@ export const ManagerOptionsDefaults = {
     google: {
       enabled: false,
       clientId: '',
+      authMethod: 'authcode-pkce' as const,
     },
     apple: {
       enabled: false,
@@ -677,20 +685,35 @@ export class Manager {
       shared.handlers.set(Kinds.LoginEmailOtp, this.otpHandler)
     }
     if (ops.identity.google?.enabled) {
-      shared.handlers.set(
-        Kinds.LoginGooglePkce,
-        new AuthCodePkceHandler(
-          'google-pkce',
-          'https://accounts.google.com',
-          'https://accounts.google.com/o/oauth2/v2/auth',
-          ops.identity.google.clientId,
-          identityInstrument,
-          modules.signatures,
-          shared.databases.authCommitments,
-          shared.databases.authKeys,
-          shared.env,
-        ),
-      )
+      if (ops.identity.google.authMethod === 'id-token') {
+        shared.handlers.set(
+          Kinds.LoginGoogle,
+          new IdTokenHandler(
+            'google-id-token',
+            'https://accounts.google.com',
+            ops.identity.google.clientId,
+            identityInstrument,
+            modules.signatures,
+            shared.databases.authKeys,
+            shared.env,
+          ),
+        )
+      } else {
+        shared.handlers.set(
+          Kinds.LoginGoogle,
+          new AuthCodePkceHandler(
+            'google-pkce',
+            'https://accounts.google.com',
+            'https://accounts.google.com/o/oauth2/v2/auth',
+            ops.identity.google.clientId,
+            identityInstrument,
+            modules.signatures,
+            shared.databases.authCommitments,
+            shared.databases.authKeys,
+            shared.env,
+          ),
+        )
+      }
     }
     if (ops.identity.apple?.enabled) {
       shared.handlers.set(
@@ -712,7 +735,19 @@ export class Manager {
       for (const provider of ops.identity.customProviders) {
         switch (provider.authMethod) {
           case 'id-token':
-            throw new Error('id-token is not supported yet')
+            shared.handlers.set(
+              provider.kind,
+              new IdTokenHandler(
+                provider.kind,
+                provider.issuer,
+                provider.clientId,
+                identityInstrument,
+                modules.signatures,
+                shared.databases.authKeys,
+                shared.env,
+              ),
+            )
+            break
           case 'authcode':
             shared.handlers.set(
               provider.kind,
@@ -770,6 +805,20 @@ export class Manager {
     return this.otpHandler?.registerUI(onPromptOtp) || (() => {})
   }
 
+  public registerIdTokenUI(onPromptIdToken: PromptIdTokenHandler) {
+    const unregisters: (() => void)[] = []
+
+    this.shared.handlers.forEach((handler) => {
+      if (handler instanceof IdTokenHandler) {
+        unregisters.push(handler.registerUI(onPromptIdToken))
+      }
+    })
+
+    return () => {
+      unregisters.forEach((unregister) => unregister())
+    }
+  }
+
   public registerGuardUI(onPromptCode: PromptCodeHandler) {
     return this.guardHandler?.registerUI(onPromptCode) || (() => {})
   }