feat: Remove frontend assets from the II backend canister and simplify canister initialization in testnets (#3693)

## Summary

Now that the frontend is served by the standalone
`internet_identity_frontend` canister, this PR removes the frontend
assets that were still bundled in the backend canister.

- **Backend no longer serves frontend assets** — removed `fixup_html`,
`ASSET_DIR`, `collect_assets`, and `/.well-known/webauthn` from the
backend; `get_static_assets` now only serves `/.config.did.bin`
(synchronized config) and `/.well-known/ic-domains` (custom domain
support for `backend.id.ai`)
- **Removed `fetch_root_key` from backend** — this config is now only on
the frontend canister
- **Frontend canister HTTP integration tests** — moved asset-serving,
certification, well-known endpoint, and caching tests from the backend
crate to `src/internet_identity_frontend/tests/integration/http.rs`;
backend HTTP tests now only cover `/.config.did.bin`,
`/.well-known/ic-domains`, and metrics
- **Build & CI updates** — build script split into separate
frontend/backend configs; CI downloads
`internet_identity_frontend.wasm.gz` for PocketIC tests; e2e matrix
simplified (removed `single`/`split` canister axis, frontend canister is
now always deployed)
- **Vite plugin cleanup** — removed utilities for the old bundled
approach; HTML body tags only inserted during dev builds
- **Test fixes** — removed `fetch_root_key` integration tests, defaulted
captcha config to `CaptchaDisabled`, frontend-specific security header
verification

## Test plan

- [x] Backend HTTP tests pass (`/.config.did.bin`,
`/.well-known/ic-domains`, metrics)
- [x] Frontend HTTP tests pass (asset serving, certification,
`/.well-known/webauthn`, `/.well-known/ic-domains`, caching)
- [x] E2E tests pass with standalone frontend canister
- [x] Clippy and formatting checks pass
- [x] TypeScript tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: sea-snake <sea-snake@outlook.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

Author: 4 people

.github/workflows/canister-tests.yml

@@ -375,7 +375,7 @@ jobs:
 
   canister-tests-run:
     runs-on: ${{ matrix.os }}
-    needs: [canister-tests-build, cached-build, docker-build-archive]
+    needs: [canister-tests-build, cached-build, docker-build-archive, docker-build-internet_identity_frontend]
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
@@ -410,6 +410,12 @@ jobs:
           name: archive.wasm.gz
           path: .
 
+      - name: "Download II frontend wasm"
+        uses: actions/download-artifact@v4
+        with:
+          name: internet_identity_frontend.wasm.gz
+          path: .
+
       - name: Run PocketIc
         run: |
           "${POCKET_IC_BIN}" --port-file pocket-ic-port &
@@ -488,15 +494,14 @@ jobs:
     needs: [cached-build, test-app-build]
     strategy:
       matrix:
-        canister: ["single", "split"] # single = the regular setup with one canister, split = the setup with a separate frontend canister
         device: ["desktop", "mobile"]
         shard: ["1_6", "2_6", "3_6", "4_6", "5_6", "6_6"]
       # Make sure that one failing test does not cancel all other matrix jobs
       fail-fast: false
 
     env:
       # Suffix used for tagging artifacts
-      artifact_suffix: next-${{ matrix.canister }}-${{ matrix.device }}-${{ matrix.shard }}
+      artifact_suffix: next-${{ matrix.device }}-${{ matrix.shard }}
       # OpenID provider instance ports (see /src/test_openid_provider)
       openid_providers: "11105 11106"
     steps:
@@ -567,16 +572,14 @@ jobs:
         run: |
           # NOTE: dfx install will run the postinstall scripts from dfx.json
           dfx canister install internet_identity --wasm internet_identity_test.wasm.gz --argument "(opt record { captcha_config = opt record { max_unsolved_captchas= 50:nat64; captcha_trigger = variant {Static = variant { CaptchaDisabled }}}; related_origins = opt vec { \"https://id.ai\"; \"https://identity.ic0.app\"; \"https://identity.internetcomputer.org\" }; new_flow_origins = opt vec { \"https://id.ai\" }; dummy_auth = opt opt record { prompt_for_index = true }; openid_configs = opt vec { ${{ steps.openid-configs.outputs.OPENID_CONFIGS }} } })"
-          if [ "${{ matrix.canister == 'split' }}" = "true" ]; then
-            II_CANISTER_ID=$(dfx canister id internet_identity)
-            dfx canister install internet_identity_frontend --wasm internet_identity_frontend_test.wasm.gz --argument "(record { backend_canister_id = principal \"$II_CANISTER_ID\"; backend_origin = \"https://backend.id.ai\"; related_origins = opt vec { \"https://id.ai\"; \"https://identity.ic0.app\"; \"https://identity.internetcomputer.org\" }; dummy_auth = opt opt record { prompt_for_index = true } })"
-          fi
+          II_CANISTER_ID=$(dfx canister id internet_identity)
+          dfx canister install internet_identity_frontend --wasm internet_identity_frontend_test.wasm.gz --argument "(record { backend_canister_id = principal \"$II_CANISTER_ID\"; backend_origin = \"https://backend.id.ai\"; related_origins = opt vec { \"https://id.ai\"; \"https://identity.ic0.app\"; \"https://identity.internetcomputer.org\" }; dummy_auth = opt opt record { prompt_for_index = true }; fetch_root_key = opt true })"
           dfx canister install test_app --wasm demos/test-app/test_app.wasm
 
       - name: Run dev server
         id: dev-server-start
         run: |
-          SEPARATE_FRONTEND_CANISTER=${{ matrix.canister == 'split' && 1 || 0 }} TLS_DEV_SERVER=1 NO_HOT_RELOAD=1 npm run dev | tee -a > dev-server-logs.txt &
+          SEPARATE_FRONTEND_CANISTER=1 TLS_DEV_SERVER=1 NO_HOT_RELOAD=1 npm run dev | tee -a > dev-server-logs.txt &
           dev_server_pid=$!
           echo "dev_server_pid=$dev_server_pid" >> "$GITHUB_OUTPUT"
 

Cargo.lock

@@ -15,9 +15,11 @@
     "check": "tsc --project ./tsconfig.all.json --noEmit && svelte-check check",
     "watch": "npm run check -- --watch",
     "opts": "TS_NODE_PROJECT=tsconfig.base.json NODE_OPTIONS='--loader ts-node/esm --experimental-specifier-resolution=node' \"$@\"",
-    "generate": "npm run generate:types && npm run generate:js && npm run generate:types-issuer && npm run generate:js-issuer",
+    "generate": "npm run generate:types && npm run generate:js && npm run generate:types-frontend && npm run generate:js-frontend && npm run generate:types-issuer && npm run generate:js-issuer",
     "generate:types": "didc bind ./src/internet_identity/internet_identity.did -t ts | ./scripts/rewrite-dfinity-imports > src/frontend/src/lib/generated/internet_identity_types.d.ts",
     "generate:js": "didc bind ./src/internet_identity/internet_identity.did -t js | ./scripts/rewrite-dfinity-imports > src/frontend/src/lib/generated/internet_identity_idl.js",
+    "generate:types-frontend": "didc bind ./src/internet_identity_frontend/internet_identity_frontend.did -t ts | ./scripts/rewrite-dfinity-imports > src/frontend/src/lib/generated/internet_identity_frontend_types.d.ts",
+    "generate:js-frontend": "didc bind ./src/internet_identity_frontend/internet_identity_frontend.did -t js | ./scripts/rewrite-dfinity-imports > src/frontend/src/lib/generated/internet_identity_frontend_idl.js",
     "generate:types-issuer": "didc bind ./demos/vc_issuer/vc_demo_issuer.did -t ts | ./scripts/rewrite-dfinity-imports > src/vc-api/src/generated/vc_issuer_types.ts",
     "generate:js-issuer": "didc bind ./demos/vc_issuer/vc_demo_issuer.did -t js | ./scripts/rewrite-dfinity-imports > src/frontend/src/lib/generated/vc_issuer_idl.js",
     "screenshots": "npm run opts -- ./src/frontend/screenshots.ts",

package-lock.json

@@ -109,15 +109,6 @@ then
     echo; echo
 fi
 
-init_arg() {
-	local init_arg
-	init_arg=$(cat <<'EOF'
-(opt record { fetch_root_key = opt true; captcha_config = opt record { max_unsolved_captchas = 50:nat64; captcha_trigger = variant { Static = variant { CaptchaDisabled } } };})
-EOF
-)
-	printf '%s\n' "$init_arg"
-}
-
 frontend_init_arg() {
 	local init_arg
 	init_arg=$(cat <<'EOF'
@@ -177,7 +168,6 @@ function build_canister() {
           # indicate the II canister init argument type
           ic-wasm "$canister.wasm" -o "$canister.wasm" metadata candid:args -d "(opt InternetIdentityInit)" -v public
 
-
           # Write metadata for dfx.
           # The metadata includes a link to the release, which only exists if this is a release build.
           # In case of a release build, the version looks like this: <commit>,<release>,<dirty>
@@ -192,14 +182,13 @@ function build_canister() {
               wasm_url="https://github.com/dfinity/internet-identity/releases/download/$release/$asset_name"
               wasm_hash_url="https://github.com/dfinity/internet-identity/releases/download/$release/$asset_name.sha256"
 
-              init_arg=$(init_arg)
               init_guide="Use '(null)' for sensible defaults. See the candid interface for more details."
               metadata_json=$(echo '{}' | jq -cMr \
                   --arg wasm_url "$wasm_url" \
                   --arg wasm_hash_url "$wasm_hash_url" \
-                  --arg init_arg "$init_arg" \
+                  --arg init_arg "(null)" \
                   --arg init_guide "$init_guide" \
-                  '. | .pullable = { wasm_url: $wasm_url, wasm_hash_url: $wasm_hash_url, dependencies: [], init_arg: $init_arg, init_guide: $init_guide} ')
+                  '. | .pullable = { wasm_url: $wasm_url, wasm_hash_url: $wasm_hash_url, dependencies: [], init_arg: "(null)", init_guide: $init_guide} ')
               ic-wasm "$canister.wasm" -o "$canister.wasm" metadata dfx -d "$metadata_json" -v public
           fi
 

package.json

@@ -84,6 +84,20 @@ lazy_static! {
         get_wasm_path("ARCHIVE_WASM_PREVIOUS".to_string(), &def_path).expect(&err)
     };
 
+    /** The gzipped Wasm module for the current II frontend build, i.e. the one we're testing */
+    pub static ref II_FRONTEND_WASM: Vec<u8> = {
+        let def_path = path::PathBuf::from("..").join("..").join("internet_identity_frontend.wasm.gz");
+        let err = format!("
+        Could not find Internet Identity Frontend Wasm module for current build.
+
+        I will look for it at {:?}, and you can specify another path with the environment variable II_FRONTEND_WASM (note that I run from {:?}).
+
+        In order to build the Wasm module, please run the following command:
+            ./scripts/build --frontend
+        ", &def_path, &std::env::current_dir().map(|x| x.display().to_string()).unwrap_or_else(|_| "an unknown directory".to_string()));
+        get_wasm_path("II_FRONTEND_WASM".to_string(), &def_path).expect(&err)
+    };
+
     /** Empty WASM module (without any pre- and post-upgrade hooks. Useful to initialize a canister before loading a stable memory backup. */
     pub static ref EMPTY_WASM: Vec<u8> = vec![0, 0x61, 0x73, 0x6D, 1, 0, 0, 0];
 }
@@ -177,6 +191,18 @@ pub fn install_ii_canister_with_arg_and_cycles(
     canister_id
 }
 
+pub fn install_ii_frontend_canister(
+    env: &PocketIc,
+    wasm: Vec<u8>,
+    arg: InternetIdentityFrontendArgs,
+) -> CanisterId {
+    let bytes =
+        candid::encode_one(arg).expect("error encoding II frontend installation arg as candid");
+    let canister_id = env.create_canister();
+    env.install_canister(canister_id, wasm, bytes, None);
+    canister_id
+}
+
 pub fn arg_with_wasm_hash(wasm: Vec<u8>) -> Option<InternetIdentityInit> {
     Some(InternetIdentityInit {
         archive_config: Some(ArchiveConfig {
@@ -186,6 +212,10 @@ pub fn arg_with_wasm_hash(wasm: Vec<u8>) -> Option<InternetIdentityInit> {
             entries_fetch_limit: 10,
         }),
         canister_creation_cycles_cost: Some(0),
+        captcha_config: Some(CaptchaConfig {
+            max_unsolved_captchas: 500,
+            captcha_trigger: CaptchaTrigger::Static(StaticCaptchaTrigger::CaptchaEnabled),
+        }),
         ..InternetIdentityInit::default()
     })
 }

scripts/build

@@ -1,22 +1,34 @@
-import { injectCanisterIdAndConfigPlugin } from "@dfinity/internet-identity-vite-plugins";
 import type { Handle, ServerInit } from "@sveltejs/kit";
+import { building } from "$app/environment";
 import { localeStore } from "$lib/stores/locale.store";
-
-const transformHtml =
-  process.env.NODE_ENV === "development"
-    ? (injectCanisterIdAndConfigPlugin({ canisterName: "internet_identity" })
-        ?.transformIndexHtml as (html: string) => string)
-    : undefined;
+import { execSync } from "child_process";
 
 export const handle: Handle = async ({ event, resolve }) => {
   const response = await resolve(event);
   if (
-    transformHtml !== undefined &&
+    !building &&
     response.headers.get("Content-Type") === "text/html" &&
     response.ok
   ) {
+    // Get frontend canister id and then fetch it's HTML
+    const canisterId = execSync("dfx canister id internet_identity_frontend")
+      .toString()
+      .trim();
+    const port = execSync("dfx info webserver-port").toString().trim();
+    const canisterResponse = await fetch(
+      `http://${canisterId}.localhost:${port}`,
+    );
+    const canisterHtml = await canisterResponse.text();
+
+    // Replace the body tag in the dev server HTML with the one from the canister HTML
+    const bodyTagMatch = canisterHtml.match(/<body [^>]*>/);
     const html = await response.text();
-    return new Response(transformHtml(html), {
+    if (bodyTagMatch == null) {
+      throw new Error(
+        "Could not find body tag in the frontend canister HTML, cannot inject canister ID and config",
+      );
+    }
+    return new Response(html.replace(/<body [^>]*>/, bodyTagMatch[0]), {
       ...response,
       headers: {
         ...response.headers,

src/canister_tests/src/framework.rs

@@ -6,7 +6,7 @@
   import Button from "$lib/components/ui/Button.svelte";
   import Tooltip from "$lib/components/ui/Tooltip.svelte";
   import { issuerMatches } from "$lib/utils/openID";
-  import { canisterConfig } from "$lib/globals";
+  import { backendCanisterConfig } from "$lib/globals";
   import type {
     OpenIdConfig,
     OpenIdCredential,
@@ -46,7 +46,7 @@
     }
   };
 
-  const openIdProviders = canisterConfig.openid_configs?.[0] ?? [];
+  const openIdProviders = backendCanisterConfig.openid_configs?.[0] ?? [];
 
   const hasCredential = (configIssuer: string): boolean =>
     openIdCredentials.some((cred) =>

src/frontend/src/hooks.server.ts

@@ -3,7 +3,7 @@
   import PasskeyIcon from "$lib/components/icons/PasskeyIcon.svelte";
   import Alert from "$lib/components/ui/Alert.svelte";
   import ProgressRing from "$lib/components/ui/ProgressRing.svelte";
-  import { canisterConfig } from "$lib/globals";
+  import { backendCanisterConfig } from "$lib/globals";
   import { waitFor } from "$lib/utils/utils";
   import Tooltip from "$lib/components/ui/Tooltip.svelte";
   import type { OpenIdConfig } from "$lib/generated/internet_identity_types";
@@ -32,7 +32,7 @@
   };
 
   const supportsPasskeys = window.PublicKeyCredential !== undefined;
-  const openIdProviders = canisterConfig.openid_configs?.[0] ?? [];
+  const openIdProviders = backendCanisterConfig.openid_configs?.[0] ?? [];
 </script>
 
 <div class="flex flex-col items-stretch gap-5">

src/frontend/src/lib/components/wizards/addAccessMethod/views/AddAccessMethod.svelte

@@ -8,7 +8,7 @@
   import Tooltip from "$lib/components/ui/Tooltip.svelte";
   import { t } from "$lib/stores/locale.store";
   import { Trans } from "$lib/components/locale";
-  import { getPrimaryOrigin, parentIFrameOrigin } from "$lib/globals";
+  import { getPrimaryOrigin } from "$lib/globals";
 
   interface Props {
     onSubmit: (
@@ -19,11 +19,9 @@
 
   const primaryOrigin = getPrimaryOrigin();
   const selfServiceOrigin =
-    parentIFrameOrigin !== undefined
-      ? parentIFrameOrigin
-      : window.location.origin !== primaryOrigin
-        ? window.location.origin
-        : "https://identity.ic0.app";
+    window.location.origin !== primaryOrigin
+      ? window.location.origin
+      : "https://identity.ic0.app";
 
   let { onSubmit }: Props = $props();