I cannot find any example of how to log in with zklogin using the Rust SDK
I'm using the Rust SDK and I cannot find any example of how to sign a transaction with zkLogin. I was able to create the SuiAddress but I don't know how to sign with it and I don't see any example of how to do it
Try here:
https://mystenlabs.github.io/sui/sui_types/utils/fn.sign_zklogin_tx_with_default_proof.html
@hyd628 thanks for the answer. I tried, but it shows me this error:
Required Signature from 0x36105e4f87c4f705253eab89df4f2a93ed85b58a2cb75dd627b8c69936f51195 is absent
this is my logic: https://github.com/Singularity-Shift/sui_squad/blob/feat/create-account/sui-squad-bot/src/onchain/account.rs#L71
also I think these methods are for testing purposes
@amnn could you please answer here? you developed this Rust SDK
I think @joyqvq is probably the person best placed to answer this question.
are you trying to use rust sdk as wasm from browser? if so you should just use the typescript sdk.
zklogin works with openID which is essentially an oauth flow that returns a JWT token to a browser frontend defined in your callback (this JWT is later used to generate a zk proof), we developed the typescript sdk for this since it works the best with browser. there is no out of the box rust sdk since it won't be secure (since you will need to take the JWT out of context).
@joyqvq I'm developing a telegram bot, then I don't use rust sdk as wasm, and in this case the sdk should cover this. The last that I did is this however I get the same issue
Required Signature from 0x36105e4f87c4f705253eab89df4f2a93ed85b58a2cb75dd627b8c69936f51195 is absent...
Currently I can log in with a Google account and create the SuiAddress with the ZkLoginInputs generated, but I get issues when trying to sign transactions
And please I don't want to change to typescript sdk as my project is advanced with Rust SDK. If it is not supported currently, you should provide a solution as soon as possible, thanks in advance
Maybe answering this question can resolve my issue, how can I convert ZKLoginInputs in SuiKeyPair?
@joyqvq also what I found is that passing the same JWT in https://api.enoki.mystenlabs.com/v1/zklogin/zkp and https://api.enoki.mystenlabs.com/v1/zklogin/addresses and setting the same parameters for zkp that what I retrieve from nonce endpoint I get different account address when I create the SuiAddress like this SuiAddress::try_from_unpadded(&zklogin).unwrap()
Is anyone using this? does zklogin work for someone?
Or what I'm doing wrong?
You can check my lib, how I handle all of ZkLogin stuff here
I will short all these issues which I found:
- The address that I get like this SuiAddress::try_from_padded(&zklogin).unwrap() or SuiAddress::try_from_unpadded(&zklogin).unwrap() is the same in both cases but different from what I get calling the endpoint https://docs.enoki.mystenlabs.com/http-api/openapi#get-address-for-zklogin-user that's why when I try to sign a transaction I get this error:
called `Result::unwrap()` on an `Err` value: RpcError(Call(ErrorObject { code: ServerError(-32002), message: "Invalid user signature: Required Signature from 0x36105e4f87c4f705253eab89df4f2a93ed85b58a2cb75dd627b8c69936f51195 is absent [\"0x980dbd9bb0889f93815e4801f73a6664de6ee96f473923734cb90586a947ca54\"]", data: None }))
the first address is what I get from calling the SuiAddress method and the second is what I get from the Enoki endpoint.
- If I transform the address that comes from the endpoint to SuiAddress and I set it as sender I get a proof error, and I think it is because I generate a different SuiKeyPair as we can see here https://github.com/Singularity-Shift/sui_squad/blob/feat/create-account/sui-squad-bot/src/onchain/account.rs#L35 but I don't know how I can generate it from ZkLoginInputs.
Then my conclusion is that there is a bug using those methods SuiAddress::try_from_unpadded and SuiAddress::try_from_padded, and there is no support in the Rust SDK for generating a SuiKeyPair from ZkLoginInputs, as I cannot see anything in the docs https://mystenlabs.github.io/sui/sui_sdk/ or here https://docs.rs/fastcrypto-zkp/latest/fastcrypto_zkp/ which makes it impossible to implement zklogin with this SDK
the address derivation from enoki and ts-sdk and rust implementation are always identical (otherwise, no zklogin transaction can ever happen on sui network) since every txn assembled by any sdk gets verified by a validator using the rust address derivation: https://github.com/MystenLabs/sui/blob/main/crates/sui-types/src/zk_login_authenticator.rs#L167
note that the salt impacts how an address is derived. if you use enoki to derive address, you need to also use enoki to get salt, then you can use it to derive zk_login_inputs, then derive to the same address. in short, the zklogin input depends on an address seed, the address depends on the salt. alternatively, you do not need enoki for anything, you can bring your own salt.
the closest rust implementation you can use as "rust sdk" is all in this CLI: https://github.com/MystenLabs/sui/blob/main/crates/sui/src/keytool.rs#L1195
in particular you are looking at these two lines:
    let address_seed = gen_address_seed(&user_salt, "sub", &sub, &aud)?;
    let zk_login_inputs = ZkLoginInputs::from_reader(reader, &address_seed)?;
to answer your question, a SuiKeyPair does not and should not work with zklogin because it cannot sign anything. You can use an ephemeral kp to sign for ephemeral sig and assemble it with the corresponding zklogin input, the useful code as part of the CLI impl:
    GenericSignature::from(ZkLoginAuthenticator::new(
        zk_login_inputs,
        max_epoch,
        signature,
    ))
i want to iterate my previous point that a client sdk (doesn't matter what language) should generate an ephemeral key in the browser, then ask the user to log in, and the callback URL contains the JWT in browser, which is used to generate the zk proof. Then you use the ephemeral key to sign transaction, then submit zk proof + ephemeral sig to sui. everything should be done in the browser (in which case typescript sdk is your best option). if you take the jwt out of browser, where the ephemeral key is generated, it's no longer secure.
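Added example (not code from this thread or from the Sui repository): a Python model of the address step discussed above, assuming the zkLogin address is Blake2b-256 over the flag 0x05, the issuer length, the issuer and the address seed bytes. The Poseidon hash that turns salt, sub and aud into the address seed is not reproduced, so the seeds below are constructed sample values, and `check_sender` is a hypothetical pre-submit check that words a mismatch like the error quoted earlier.

```python
import hashlib
from typing import Optional

ZKLOGIN_FLAG = 0x05  # assumed signature-scheme flag for zkLogin authenticators

# Constructed sample inputs (not taken from the thread).
ISS = "https://accounts.google.com"
SEED_SALT_A = str(10**76 + 7)   # address seed as derived with one salt
SEED_SALT_B = str(10**76 + 8)   # address seed as derived with a different salt
SEED_SMALL = "12345"            # seed whose 32-byte form has leading zero bytes


def seed_bytes(address_seed: str, padded: bool) -> bytes:
    """Big-endian bytes of the decimal seed: 32 wide, or with leading zeros stripped."""
    raw = int(address_seed).to_bytes(32, "big")
    if padded:
        return raw
    return raw.lstrip(b"\x00") or b"\x00"


def zklogin_address(iss: str, address_seed: str, padded: bool = False) -> str:
    """Model of the padded / unpadded address derivation from issuer and seed."""
    iss_b = iss.encode()
    h = hashlib.blake2b(digest_size=32)
    h.update(bytes([ZKLOGIN_FLAG, len(iss_b)]))
    h.update(iss_b)
    h.update(seed_bytes(address_seed, padded))
    return "0x" + h.hexdigest()


def check_sender(sender: str, iss: str, address_seed: str) -> Optional[str]:
    """Return None when the sender matches the proof inputs, else an error text."""
    signer = zklogin_address(iss, address_seed)
    if sender == signer:
        return None
    return f'Required Signature from {sender} is absent ["{signer}"]'


if __name__ == "__main__":
    # Sender derived from salt B, proof inputs derived from salt A: rejected.
    sender = zklogin_address(ISS, SEED_SALT_B)
    print(check_sender(sender, ISS, SEED_SALT_A))
    # Padded and unpadded agree unless the seed has leading zero bytes.
    print(zklogin_address(ISS, SEED_SALT_A, True) == zklogin_address(ISS, SEED_SALT_A))
    print(zklogin_address(ISS, SEED_SMALL, True) == zklogin_address(ISS, SEED_SMALL))
```
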
Yes I see, I understand what you say about the browser, and it is hard to admit at this point but I wasn't implementing the best logic for my app and I shouldn't continue this way using zklogin. Even if I do as you said, it will be a really bad UX if I have to bring the user out from telegram to the browser every time a transaction needs to be signed. I think the best solution for my telegram bot is just an admin account that handles all the user transactions, it is not what I really wanted but it is the only way I can think of for my bot