
[pull] main from dfinity:main#546

Merged
pull[bot] merged 3 commits into mikeyhodl:main from dfinity:main
Apr 21, 2026


@pull pull Bot commented Apr 21, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)


timothyaterton and others added 3 commits April 20, 2026 13:26
…#3778)

## Summary

- Introduces `DiscoverableOidcConfig` type and `oidc_configs` init field
(mutually exclusive with existing `openid_configs`) that relies on OIDC
discovery (`.well-known/openid-configuration`) instead of requiring all
provider details in the static config
- Adds `DiscoverableProvider` that periodically fetches discovery
metadata to obtain `issuer` and `jwks_uri` for JWT verification
- Adds `discovered_oidc_configs` query endpoint returning `OidcConfig`
with resolved provider state
- Validates that discovered `issuer` domain matches the `discovery_url`
domain (prevents impersonation)
- When both `openid_configs` and `oidc_configs` are provided, falls back
to `openid_configs` as the proven path

## Test plan

- [x] 7 new integration tests in `config/oidc_configs.rs` (init,
upgrade, retain, XOR, query)
- [x] Existing `openid_configs` tests pass unchanged (backward compat)
- [ ] Manual E2E with deployed canister using `oidc_configs`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---
[Next PR >](#3784)

---------

Co-authored-by: Arshavir Ter-Gabrielyan <arshavir.ter.gabrielyan@dfinity.org>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: timothyaterton <timothyaterton@users.noreply.github.com>
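
The issuer check listed in the #3778 summary above, as an added example (not code from this PR or from Internet Identity). The function names, the exact-host comparison rule and the URLs are assumptions made for illustration.

```rust
// Added illustration, not Internet Identity code. Exact host equality (case-
// insensitive, port ignored) is an assumed reading of "issuer domain matches
// the discovery_url domain"; all URLs used with it here are constructed.
const WELL_KNOWN: &str = "/.well-known/openid-configuration";

/// Lower-cased host of a plain https URL, or None for anything else.
fn https_host(url: &str) -> Option<String> {
    let rest = url.strip_prefix("https://")?;
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    // Reject userinfo ("https://idp.example@other.test") and IPv6 literals,
    // which this small parser does not handle.
    if authority.contains('@') || authority.starts_with('[') {
        return None;
    }
    let host = authority.split(':').next()?; // drop an optional port
    if host.is_empty() {
        return None;
    }
    Some(host.to_ascii_lowercase())
}

/// Accept discovered metadata only when its issuer is on the discovery host.
fn check_discovered_issuer(discovery_url: &str, issuer: &str) -> Result<(), String> {
    if !discovery_url.ends_with(WELL_KNOWN) {
        return Err(format!("discovery_url must end with {}", WELL_KNOWN));
    }
    let expected = https_host(discovery_url).ok_or("discovery_url is not a plain https URL")?;
    let actual = https_host(issuer).ok_or("issuer is not a plain https URL")?;
    if expected != actual {
        return Err(format!("issuer host {} does not match discovery host {}", actual, expected));
    }
    Ok(())
}

fn main() {
    let url = "https://accounts.idp.example/.well-known/openid-configuration";
    for issuer in ["https://accounts.idp.example", "https://accounts.idp.example.other.test"] {
        println!("{}: {:?}", issuer, check_discovered_issuer(url, issuer));
    }
}
```
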
Apps using the new `AuthClient.requestAttributes()` method send an
`ii-icrc3-attributes` JSON-RPC request with a different message format
than the existing `ii_attributes` method. Internet Identity needs to
handle this new method while still supporting the legacy flow.

# Changes

**Frontend**
- Added `Icrc3AttributesParamsSchema` for validating the new `{ keys,
nonce }` params format.
- Added `handleIcrc3Attributes` handler that calls the ICRC-3 canister
methods and responds with `{ data, signature }` as base64.
- Regenerated candid bindings to include `prepare_icrc3_attributes` and
`get_icrc3_attributes`.

**Test app**
- Added ICRC-3 attribute request support with a "Use ICRC-3 attributes"
checkbox toggle.

# Tests

- Split OpenID e2e tests into `openid.spec.ts` (ICRC-3) and
`openid-legacy.spec.ts` (legacy `ii_attributes`).
- ICRC-3 spec covers: authenticate-only, name+email, unavailable
attributes, and verified_email.

---
<div align="right">Next: #3770 →</div>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ecurity (#3784)

## Summary

Add the `aud` (audience / client_id) field to `OpenIdCredentialKey`,
changing it from `(iss, sub)` to `(iss, sub, aud)`. This is a security
prerequisite for SSO: since SSO allows anyone to provide a `client_id`
via their `ii-openid-configuration` endpoint, without `aud` in the key
two different OIDC clients at the same provider with the same user `sub`
would collide, enabling impersonation.

## Changes

- **Type update**: `OpenIdCredentialKey` type alias changed from `(Iss,
Sub)` to `(Iss, Sub, Aud)` in both `internet_identity_interface` and the
`openid` module
- **CBOR encoding**: `StorableOpenIdCredentialKey` rewritten with manual
`Encode`/`Decode` impls — new entries use CBOR map format `{0:iss,
1:sub, 2:aud}`; the decoder also handles legacy CBOR array format `[iss,
sub]` for backward compatibility
- **Migration**: `post_upgrade` drains the credential key index via
`pop_first`, resolves `aud` from each anchor's
`StorableOpenIdCredential` (which already stores `aud` at CBOR index
`#[n(2)]`), and re-inserts with the complete `(iss, sub, aud)` key.
Unresolvable entries are preserved with empty `aud` for retry on next
upgrade.
- **Key construction**: Updated `OpenIdCredential::key()`,
`StorableOpenIdCredential::key()`, `calculate_delegation_seed()`, and
all call sites
- **Candid interface**: Updated `.did` file and generated JS/TS
declarations
- **Frontend**: Updated credential removal call to pass `aud`
- **Tests**: Added unit tests for new CBOR map encoding, legacy array
decoding, and round-trip serialization. Updated existing test assertions
to use 3-tuple keys.

## Delegation seed backward compatibility

The `calculate_delegation_seed` function already receives `client_id`
(which equals `aud`) as a separate parameter. The seed calculation is
unchanged — `aud` from the key tuple is ignored (`_aud`) in the
destructuring, preserving identical `Principal` derivation for existing
credentials.

## Migration safety

- Uses `pop_first()` to drain the BTreeMap, avoiding byte-level encoding
mismatches between legacy array-encoded keys and new map-encoded keys
- Resolves `aud` from the anchor's stored `StorableOpenIdCredential`
which already has `aud` at CBOR index 2
- Falls back to re-inserting with empty `aud` if resolution fails, with
a logged warning — the entry is preserved for retry on next upgrade
- Idempotent: safe to run on every upgrade; entries already in the new
format are preserved unchanged

## Test plan

- [x] All 209 unit tests pass (including Candid interface compatibility)
- [ ] Integration tests (require canister WASM build — pass in CI)
- [ ] Deploy to testnet and verify migration of existing credentials
- [ ] Verify credential lookup works after migration
- [ ] Verify new credential registration includes `aud` in key

---
[< Previous PR](#3778)
| [Next PR >](#3785)

---------

Co-authored-by: Claude Agent <noreply@anthropic.com>
Co-authored-by: Arshavir Ter-Gabrielyan <arshavir.ter.gabrielyan@dfinity.org>
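
The key migration described in the #3784 commit message above, modelled as an added example (not code from this PR or from Internet Identity). Plain tuples stand in for the CBOR-encoded keys, and the `migrate`, `sample` and `key` names and all sample values are assumptions.

```rust
use std::collections::BTreeMap;

// Added illustration, not Internet Identity code: tuples stand in for CBOR keys,
// all values are constructed. An empty aud marks a legacy or unresolved entry.
type Key = (String, String, String); // (iss, sub, aud)
type Anchor = u64;
type Credentials = BTreeMap<Anchor, Vec<Key>>; // per-anchor data already holds aud

fn key(iss: &str, sub: &str, aud: &str) -> Key { (iss.into(), sub.into(), aud.into()) }

/// Drain the index with pop_first, re-insert under full keys; returns unresolved count.
fn migrate(index: &mut BTreeMap<Key, Anchor>, creds: &Credentials) -> usize {
    let mut rebuilt = BTreeMap::new();
    let mut unresolved = 0;
    while let Some(((iss, sub, aud), anchor)) = index.pop_first() {
        let aud = if !aud.is_empty() {
            aud // already in the new format: keep unchanged
        } else {
            let stored = creds.get(&anchor)
                .and_then(|l| l.iter().find(|(i, s, _)| *i == iss && *s == sub));
            match stored {
                Some((_, _, a)) => a.clone(),
                None => { unresolved += 1; String::new() } // kept for a later retry
            }
        };
        rebuilt.insert((iss, sub, aud), anchor);
    }
    *index = rebuilt;
    unresolved
}

/// Constructed sample: one legacy entry, one migrated entry, one orphan.
fn sample() -> (BTreeMap<Key, Anchor>, Credentials) {
    let iss = "https://idp.example";
    let mut index = BTreeMap::new();
    index.insert(key(iss, "user-1", ""), 10_000);
    index.insert(key(iss, "user-2", "client-a"), 10_001);
    index.insert(key(iss, "user-3", ""), 10_002);
    let mut creds = Credentials::new();
    creds.insert(10_000, vec![key(iss, "user-1", "client-a")]);
    creds.insert(10_001, vec![key(iss, "user-2", "client-a")]);
    (index, creds)
}

fn main() {
    let (mut index, creds) = sample();
    let unresolved = migrate(&mut index, &creds);
    println!("unresolved: {}\n{:#?}", unresolved, index);
}
```

After migration the same `(iss, sub)` under a different client id no longer resolves to the first client's anchor, and a second run leaves the index unchanged.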
@pull pull Bot locked and limited conversation to collaborators Apr 21, 2026
@pull pull Bot added the ⤵️ pull label Apr 21, 2026
@pull pull Bot merged commit e68167f into mikeyhodl:main Apr 21, 2026
11 of 12 checks passed