Add support for custom auth providers (authcode & authcode-pkce only) (#894)

* Add support for custom auth providers (authcode & authcode-pkce only)

* fix authcode tests

Author: patrislav

packages/wallet/wdk/src/dbs/auth-commitments.ts

@@ -5,7 +5,7 @@ const TABLE_NAME = 'auth-commitments'
 
 export type AuthCommitment = {
   id: string
-  kind: 'google-pkce' | 'apple'
+  kind: 'google-pkce' | 'apple' | `custom-${string}`
   metadata: { [key: string]: string }
   verifier?: string
   challenge?: string

packages/wallet/wdk/src/sequence/handlers/authcode-pkce.ts

@@ -8,15 +8,16 @@ import { AuthCodeHandler } from './authcode.js'
 
 export class AuthCodePkceHandler extends AuthCodeHandler implements Handler {
   constructor(
-    signupKind: 'google-pkce',
+    signupKind: 'google-pkce' | `custom-${string}`,
     issuer: string,
+    oauthUrl: string,
     audience: string,
     nitro: Identity.IdentityInstrument,
     signatures: Signatures,
     commitments: Db.AuthCommitments,
     authKeys: Db.AuthKeys,
   ) {
-    super(signupKind, issuer, audience, nitro, signatures, commitments, authKeys)
+    super(signupKind, issuer, oauthUrl, audience, nitro, signatures, commitments, authKeys)
   }
 
   public async commitAuth(target: string, isSignUp: boolean, state?: string, signer?: string) {
@@ -50,8 +51,7 @@ export class AuthCodePkceHandler extends AuthCodeHandler implements Handler {
       state,
     })
 
-    const oauthUrl = this.oauthUrl()
-    return `${oauthUrl}?${searchParams.toString()}`
+    return `${this.oauthUrl}?${searchParams.toString()}`
   }
 
   public async completeAuth(

packages/wallet/wdk/src/sequence/handlers/authcode.ts

@@ -11,8 +11,9 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
   protected redirectUri: string = ''
 
   constructor(
-    public readonly signupKind: 'apple' | 'google-pkce',
+    public readonly signupKind: 'apple' | 'google-pkce' | `custom-${string}`,
     public readonly issuer: string,
+    protected readonly oauthUrl: string,
     public readonly audience: string,
     nitro: Identity.IdentityInstrument,
     signatures: Signatures,
@@ -48,12 +49,11 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
       client_id: this.audience,
       redirect_uri: this.redirectUri,
       response_type: 'code',
-      scope: 'openid',
+      scope: 'openid profile email',
       state,
     })
 
-    const oauthUrl = this.oauthUrl()
-    return `${oauthUrl}?${searchParams.toString()}`
+    return `${this.oauthUrl}?${searchParams.toString()}`
   }
 
   public async completeAuth(
@@ -100,15 +100,4 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
       },
     }
   }
-
-  protected oauthUrl() {
-    switch (this.issuer) {
-      case 'https://accounts.google.com':
-        return 'https://accounts.google.com/o/oauth2/v2/auth'
-      case 'https://appleid.apple.com':
-        return 'https://appleid.apple.com/auth/authorize'
-      default:
-        throw new Error('unsupported-issuer')
-    }
-  }
 }

packages/wallet/wdk/src/sequence/manager.ts

@@ -82,6 +82,13 @@ export type ManagerOptions = {
       enabled: boolean
       clientId: string
     }
+    customProviders?: {
+      kind: `custom-${string}`
+      authMethod: 'id-token' | 'authcode' | 'authcode-pkce'
+      issuer: string
+      oauthUrl: string
+      clientId: string
+    }[]
   }
 }
 
@@ -484,6 +491,7 @@ export class Manager {
         new AuthCodePkceHandler(
           'google-pkce',
           'https://accounts.google.com',
+          'https://accounts.google.com/o/oauth2/v2/auth',
           ops.identity.google.clientId,
           identityInstrument,
           modules.signatures,
@@ -498,6 +506,7 @@ export class Manager {
         new AuthCodeHandler(
           'apple',
           'https://appleid.apple.com',
+          'https://appleid.apple.com/auth/authorize',
           ops.identity.apple.clientId,
           identityInstrument,
           modules.signatures,
@@ -506,6 +515,46 @@ export class Manager {
         ),
       )
     }
+    if (ops.identity.customProviders?.length) {
+      for (const provider of ops.identity.customProviders) {
+        switch (provider.authMethod) {
+          case 'id-token':
+            throw new Error('id-token is not supported yet')
+          case 'authcode':
+            shared.handlers.set(
+              provider.kind,
+              new AuthCodeHandler(
+                provider.kind,
+                provider.issuer,
+                provider.oauthUrl,
+                provider.clientId,
+                identityInstrument,
+                modules.signatures,
+                shared.databases.authCommitments,
+                shared.databases.authKeys,
+              ),
+            )
+            break
+          case 'authcode-pkce':
+            shared.handlers.set(
+              provider.kind,
+              new AuthCodePkceHandler(
+                provider.kind,
+                provider.issuer,
+                provider.oauthUrl,
+                provider.clientId,
+                identityInstrument,
+                modules.signatures,
+                shared.databases.authCommitments,
+                shared.databases.authKeys,
+              ),
+            )
+            break
+          default:
+            throw new Error('unsupported auth method')
+        }
+      }
+    }
 
     shared.modules = modules
     this.shared = shared

packages/wallet/wdk/src/sequence/signers.ts

@@ -8,7 +8,11 @@ export function isWitnessExtraSignerKind(extra: any): extra is WitnessExtraSigne
 }
 
 function toKnownKind(kind: string): Kind {
-  if (Object.values(Kinds).includes(kind as Kind)) {
+  if (kind.startsWith('custom-')) {
+    return kind as Kind
+  }
+
+  if (Object.values(Kinds).includes(kind as (typeof Kinds)[keyof typeof Kinds])) {
     return kind as Kind
   }
 

packages/wallet/wdk/src/sequence/types/signer.ts

@@ -12,7 +12,7 @@ export const Kinds = {
   Unknown: 'unknown',
 } as const
 
-export type Kind = (typeof Kinds)[keyof typeof Kinds]
+export type Kind = (typeof Kinds)[keyof typeof Kinds] | `custom-${string}`
 
 export type WitnessExtraSignerKind = {
   signerKind: string

packages/wallet/wdk/src/sequence/wallets.ts

@@ -14,7 +14,7 @@ import { PasskeysHandler } from './handlers/passkeys.js'
 import { GuardRole } from './guards.js'
 
 export type StartSignUpWithRedirectArgs = {
-  kind: 'google-pkce' | 'apple'
+  kind: 'google-pkce' | 'apple' | `custom-${string}`
   target: string
   metadata: { [key: string]: string }
 }
@@ -55,7 +55,7 @@ export type CompleteRedirectArgs = CommonSignupArgs & {
 }
 
 export type AuthCodeSignupArgs = CommonSignupArgs & {
-  kind: 'google-pkce' | 'apple'
+  kind: 'google-pkce' | 'apple' | `custom-${string}`
   commitment: AuthCommitment
   code: string
   target: string
@@ -692,10 +692,30 @@ export class Wallets implements WalletsInterface {
         }
       }
     }
+
+    if (args.kind.startsWith('custom-')) {
+      // TODO: support other custom auth methods (e.g. id-token)
+      const handler = this.shared.handlers.get(args.kind) as AuthCodeHandler
+      if (!handler) {
+        throw new Error('handler-not-registered')
+      }
+
+      const [signer, metadata] = await handler.completeAuth(args.commitment, args.code)
+      return {
+        signer,
+        extra: {
+          signerKind: args.kind,
+        },
+        loginEmail: metadata.email,
+      }
+    }
+
+    throw new Error('invalid-signup-kind')
   }
 
   async startSignUpWithRedirect(args: StartSignUpWithRedirectArgs) {
-    const handler = this.shared.handlers.get('login-' + args.kind) as AuthCodeHandler
+    const kind = args.kind.startsWith('custom-') ? args.kind : 'login-' + args.kind
+    const handler = this.shared.handlers.get(kind) as AuthCodeHandler
     if (!handler) {
       throw new Error('handler-not-registered')
     }
@@ -720,7 +740,8 @@ export class Wallets implements WalletsInterface {
         use4337: args.use4337,
       })
     } else {
-      const handler = this.shared.handlers.get('login-' + commitment.kind) as AuthCodeHandler
+      const kind = commitment.kind.startsWith('custom-') ? commitment.kind : 'login-' + commitment.kind
+      const handler = this.shared.handlers.get(kind) as AuthCodeHandler
       if (!handler) {
         throw new Error('handler-not-registered')
       }

packages/wallet/wdk/test/authcode-pkce.test.ts

@@ -56,6 +56,7 @@ describe('AuthCodePkceHandler', () => {
     handler = new AuthCodePkceHandler(
       'google-pkce',
       'https://accounts.google.com',
+      'https://accounts.google.com/o/oauth2/v2/auth',
       'test-google-client-id',
       mockNitroInstrument,
       mockSignatures,
@@ -81,8 +82,6 @@ describe('AuthCodePkceHandler', () => {
         email: '[email protected]',
       }
     })
-
-    vi.spyOn(handler as any, 'oauthUrl').mockReturnValue('https://accounts.google.com/oauth/authorize')
   })
 
   afterEach(() => {
@@ -116,7 +115,7 @@ describe('AuthCodePkceHandler', () => {
       })
 
       // Verify OAuth URL is constructed correctly
-      expect(result).toMatch(/^https:\/\/accounts\.google\.com\/oauth\/authorize\?/)
+      expect(result).toMatch(/^https:\/\/accounts\.google\.com\/o\/oauth2\/v2\/auth\?/)
       expect(result).toContain('code_challenge=mock-challenge-hash')
       expect(result).toContain('code_challenge_method=S256')
       expect(result).toContain('client_id=test-google-client-id')
@@ -335,19 +334,16 @@ describe('AuthCodePkceHandler', () => {
       const newRedirectUri = 'https://newdomain.com/callback'
       handler.setRedirectUri(newRedirectUri)
 
-      // Verify redirect URI is used in OAuth URL construction
-      const mockUrl = 'https://accounts.google.com/oauth/authorize'
-      vi.spyOn(handler as any, 'oauthUrl').mockReturnValue(mockUrl)
-
       return handler.commitAuth('https://example.com/success', true).then((result) => {
         expect(result).toContain(`redirect_uri=${encodeURIComponent(newRedirectUri)}`)
       })
     })
 
     it('Should work with different issuer and audience configurations', () => {
       const customHandler = new AuthCodePkceHandler(
-        'google-pkce',
+        'custom-provider',
         'https://custom-issuer.com',
+        'https://custom-issuer.com/o/oauth2/v2/auth',
         'custom-client-id',
         mockNitroInstrument,
         mockSignatures,
@@ -357,7 +353,7 @@ describe('AuthCodePkceHandler', () => {
 
       expect(customHandler['issuer']).toBe('https://custom-issuer.com')
       expect(customHandler['audience']).toBe('custom-client-id')
-      expect(customHandler.signupKind).toBe('google-pkce')
+      expect(customHandler.signupKind).toBe('custom-provider')
     })
   })
 })