The aim of this project is to offer NEAR users the opportunity to create and restore their accounts by utilizing OIDC protocol. By linking their NEAR account to Pagoda, Gmail, Github, or other authentication provider, they can then add a new Full Access key, which will be managed by the trusted network of servers. Should they lose all the keys they possess, they can reauthorize themselves, create a new key, and add it into their NEAR account using a transaction that will be signed by MPC servers through their recovery key. All the transaction cost will be covered by a relayer server and metatransactions.
- The system consists of N (4+) trusted nodes
- Each node holds a unique secret key
- Each action must be signed by N-1 node
Currently everything is signed by a single node with a single private key.
The recovery service is currently hosted at https://mpc-recovery-7tk2cmmtcq-ue.a.run.app.
URL: /new_account
Request parameters: {
near_account_id: String,
oidc_token: String,
public_key: String
}
Response:
Ok {
user_public_key: String,
user_recovery_public_key: String,
near_account_id: String,
} /
Err {
msg: String
}
This creates an account with the name in near_account_id
. If this name is already taken then this operation will fail with no action having been taken.
This service will send a create_account
message to the relayer from tmp_acount_creator.serhii.testnet
creating from the request field near_account_id
. If this operation is successful the near.org relayer will make an allowance for the created account.
Newly created NEAR account will have two full access keys. One that was provided by the user, and the recovery one that is controlled by the MPC system.
URL: /add_key
Request parameters: {
// in case NEAR AccointId is not provided,
// it will be determined using recovery PK and NEAR Wallet APIs
near_account_id: Option(String),
public_key: String,
oidc_token: String
}
Response:
Ok {
user_public_key: String,
near_account_id: String,
} /
Err{
msg: String
}
We are using OpenID Connect (OIDC) standard to authenticate users (built on top of OAuth 2.0). Check OIDC standard docs here and Google OIDC docs here
There are several ways to get and use the ID token. The flow that we are using is called the "server" flow, you can find more info here. The system will be able to process any token that is following the core OpenID Connect standard. In order to receive the ID token from OpenID provider you will need to include the openid
scope value to the Authorization Request.
Internally, we are identifying users by their issuer id (iss) and their unique ID (sub) retrieved form the ID token and separated by a colon: <issuer_iss>:<user_sub>
. It means that each recovery method (like GitHub and Google) is separated from one another even if they have the same email.
In order to build the project, you will need to have protoc
and gmp
installed. Refer to your system's package manager on how to do this.
If you have nix and direnv installed, you can set up a development environment by running:
direnv allow
Run unit tests with:
cargo test -p mpc-recovery
Running integration tests requires you to have relayer docker image present on your machine:
# TODO: upstream these changes
git clone -b mpc/entrypoint git@github.com:near/pagoda-relayer-rs-fastauth.git
docker build pagoda-relayer-rs-fastauth -t pagoda-relayer-rs-fastauth
Now, build mpc-recovery from this repository:
docker build . -t near/mpc-recovery
Note. You will need to re-build the Docker image each time you make a code change and want to run the integration tests.
Finally, run the integration tests:
cargo test -p mpc-recovery-integration-tests