Overview
OAuth 2.0 is an open authorization framework that lets a user grant a third-party application limited access to protected resources (such as an email address or profile data) without sharing their username and password with that application. The flow involves four roles: the resource owner (the user), the client (Smart Wallet in our case), the authorization server (which authenticates the user and issues tokens), and the resource server (which hosts the protected data). After the user authenticates and consents, the authorization server issues an access token to the client, scoped to what the user approved. The client then presents the access token to the resource server to obtain the requested data.
Google implements the OAuth 2.0 standard (with the OpenID Connect identity layer on top) through its Google Identity Platform. When a user chooses "Sign in with Google," the client redirects the user to Google's authorization endpoint with parameters such as client_id, redirect_uri, response_type=code, scope, and a state value (plus a nonce when an ID token is requested). The client_id and the allowed redirect_uri values are registered by the Smart Wallet in the Google Cloud console; the client_secret is never sent to the authorization endpoint. After the user consents, Google redirects back to the registered redirect_uri with an authorization code. The client exchanges this code, together with its client_secret, for an access token (and, because the openid scope was requested, an ID token: a signed JWT containing user claims) at Google's token endpoint. The ID token can be verified locally using Google's published public keys (its JWKS), allowing the client to confirm the user's identity without contacting Google again; besides the signature, the client must check the issuer, that the audience equals its own client_id, the expiry, and that the nonce matches the one it sent. This flow provides a secure, standards-based way to authenticate users and obtain verified identity information, which is exactly what is needed to feed a zero-knowledge proof circuit while keeping the raw JWT private.