I'm wondering how the frontend retrieves the second share from Web3Auth to reconstruct the private key

I’m very interested in using Web3Auth.io and am currently researching it.

As I understand, a user can log in using an OAuth provider (like Google), and this ID token can be the one of the shares (2 out of 3) needed to reconstruct their private key.

If I want the user to reconstruct their private key using only OAuth login to support multi-device access, it seems they would need to receive the second share from Web3Auth.

If this approach is possible, how could it be implemented securely? Is there something similar to PKCE in OAuth 2.1?

I ask because our backend will authorize the user by verifying the OAuth ID token, but I want to ensure that the user’s private key remains safe and isn’t compromised by our backend.

Hi LionK! It’s great to see your interest in using Web3Auth. You’re on the right track with your understanding of reconstructing the private key with multiple shares, and how OAuth can play a role in that process.

To clarify your approach: yes, when using Web3Auth, one share can indeed be generated from the OAuth provider (such as Google), and you can retrieve the second share from Web3Auth itself to allow the user to reconstruct their private key across multiple devices securely.

Regarding your implementation concerns, here are a few points to consider:

  1. Secure Retrieval of Shares: When implementing the retrieval of the second share from Web3Auth after the OAuth login, ensure to use secure channels (like HTTPS) and validate the user session correctly.

  2. Token Handling: To keep the user’s private key secure, make sure that your backend only verifies the ID token and never has access to the shares. You can achieve this through a design where your backend simply issues tokens and the Web3Auth SDK manages the keys and shares.

  3. PKCE (Proof Key for Code Exchange): PKCE is indeed a useful security enhancement for OAuth and can add another layer of protection to the authorization code exchange. It’s particularly helpful in public clients where storing secrets is not secure.

  4. Implementing OAuth with Web3Auth: You may want to explore the Web3Auth documentation for specific guidance on handling multiple shares and integrating OAuth securely.

While I don’t have specific SDK details or any code snippets from your message, if you need further assistance or have more technical questions, don’t hesitate to share any code snippets or additional context! Happy implementing!

Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.

Does this mean it’s possible for the backend to retrieve the second share if it uses the user’s ID token?

It is not possible with our Plug and Play SDKs. Can you share the use case you have in mind for this second share? We offer low-level infrastructure SDKs that could be helpful.

@shahbaz Hi, In this 1/1 key share setup. Single Factor Auth SDKs | Documentation | Web3Auth
How is the private key reconstructed?
Could you explain more about what is the auth provider credentials?
Is it IdToken of provider?