After #3785 lands, a user who signs in via SSO gets an OpenID credential tied to a provider-issued `iss` claim. On a later visit (same browser, same tab lifetime, etc.), the frontend can enumerate their last-used identities but cannot render a "continue as " quick-shortcut for SSO identities because the `(issuer → discovery_domain)` mapping lives only in-memory and is lost on reload.
Reproducer
- Admin adds `dfinity.org` via `add_discoverable_oidc_config`.
- User visits II, clicks "Sign in with SSO", types `dfinity.org`, completes sign-in.
- User closes + reopens the browser.
- On the sign-in screen, the user is not offered a "Continue as " shortcut for their SSO identity — they must click "Sign in with SSO" again and re-enter `dfinity.org`.
Proposed fix
Persist the `discovery_domain` on the `LastUsedIdentity` entry (`authMethod.openid.discoveryDomain`, or similar). On reload:
- `lastUsedIdentitiesStore` yields an entry with `discoveryDomain: "dfinity.org"`.
- Rendering code calls `discoverSsoConfig(discoveryDomain)` to re-run the two-hop chain (cached after first call per the existing TTL).
- The "Continue as" button renders with the resolved provider name/logo.
Alternative: store the resolved `OpenIdConfig` itself on the last-used entry (avoids the network round-trip on reload at the cost of staleness).
Scope
This is out of scope for #3785, which only adds the initial sign-in path. The rendering refactor + store change belong in a follow-up.
Flagged by Copilot review on #3785 (thread).
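A sketch of the reload path from the proposed fix, added here as an example and not taken from the II code base. The type shapes, function names and the `resolved` argument (standing in for the result of `discoverSsoConfig`) are assumptions. It validates the persisted `discoveryDomain` before it is used for discovery, and renders the shortcut only if the re-resolved issuer still equals the stored `iss`.

```typescript
// Added example; all types and names below are assumptions, not II's actual code.
type OpenIdConfig = { issuer: string; name: string; logo?: string };
type LastUsedOpenId = { iss: string; discoveryDomain?: string };
type Shortcut = { label: string; logo?: string; discoveryDomain: string };

// Lowercase DNS hostname only: no scheme, port, path or userinfo.
const DOMAIN_RE =
  /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

// Parse a persisted last-used entry. Browser storage is writable by anything
// running in the origin, so the value is checked before it drives a fetch.
function parseLastUsedOpenId(raw: string): LastUsedOpenId | undefined {
  let v: unknown;
  try {
    v = JSON.parse(raw);
  } catch {
    return undefined;
  }
  if (typeof v !== "object" || v === null) return undefined;
  const { iss, discoveryDomain } = v as Record<string, unknown>;
  if (typeof iss !== "string" || iss.length === 0) return undefined;
  // Entries written before the store change carry no domain: keep them,
  // they simply get no SSO shortcut.
  if (discoveryDomain === undefined) return { iss };
  if (typeof discoveryDomain !== "string" || !DOMAIN_RE.test(discoveryDomain)) {
    return undefined;
  }
  return { iss, discoveryDomain };
}

// Decide whether to render the shortcut. `resolved` is what re-running
// discovery for entry.discoveryDomain returned (undefined on failure).
function continueAsShortcut(
  entry: LastUsedOpenId,
  resolved: OpenIdConfig | undefined,
): Shortcut | undefined {
  if (entry.discoveryDomain === undefined || resolved === undefined) {
    return undefined;
  }
  // The domain may now point at a different provider than the one that
  // issued the stored credential; fall back to the manual SSO flow then.
  if (resolved.issuer !== entry.iss) return undefined;
  return {
    label: resolved.name,
    logo: resolved.logo,
    discoveryDomain: entry.discoveryDomain,
  };
}
```

The same issuer comparison applies to the alternative of storing the resolved `OpenIdConfig` on the entry, where the stored copy can go stale.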