feat(fe): SSO sign-in via two-hop OIDC discovery

II admins can register an organization by `discovery_domain` via
`add_discoverable_oidc_config` (backend, already shipped in dfinity#3778). This
PR adds the matching frontend: a user clicks "Sign in with SSO", types
their organization domain, and the frontend performs a two-hop discovery
chain to resolve the provider's OAuth endpoint before redirecting them
to sign in.

Discovery is lazy and user-initiated — the picker doesn't render one
button per organization, just a single "Sign in with SSO" entry that
leads to the domain input screen.

# Changes

**Type alignment with backend.** The frontend `DiscoverableOidcConfig`
now matches main's Candid type exactly:
`{ discovery_domain: string }`. Everything else (`client_id`, `logo`,
`name`, etc.) is resolved on demand during discovery — the backend
only stores the domain.

**Two-hop discovery (`ssoDiscovery.ts`, new).**
1. `GET https://{domain}/.well-known/ii-openid-configuration` returns
   `{ client_id, openid_configuration }`. The domain owner is
   responsible for publishing this at their DNS-backed origin.
2. `GET {openid_configuration}` is the provider's standard OIDC
   discovery, yielding `authorization_endpoint` and `scopes_supported`.

Both hops run entirely from the browser. (The backend does its own
two-hop discovery via HTTPS outcalls in `src/internet_identity/src/
openid/generic.rs`; keeping the two implementations separate for now
simplifies BE↔FE synchronization.)

**SSO flow UI.**
- `SignInWithSso.svelte` (new): domain input screen. On submit it
  validates DNS format, checks the domain is in the backend's
  `oidc_configs`, runs `discoverSsoConfig`, then calls
  `continueWithSso` to redirect. If the domain isn't registered, shows
  "This domain is not registered as an OIDC provider." inline.
- `SsoIcon.svelte` (new): key icon for the SSO button.
- `PickAuthenticationMethod.svelte`: renders the SSO button whenever
  `oidc_configs` is non-empty. Does not render per-provider buttons —
  users don't know which IdP their org uses, they just type their
  domain.
- `authFlow.svelte.ts`: new `signInWithSso` view + `continueWithSso()`
  method that synthesizes an `OpenIdConfig` from discovery results and
  hands off to the existing `continueWithOpenId` flow.

**Security.**
- Domain input is DNS-format validated (length, label length, no
  special characters).
- `oidc_configs` from the backend is the sole allowlist of which
  organizations can initiate SSO. No hardcoded domain allowlist in
  frontend code.
- All three URLs (the .well-known, the discovery, the auth endpoint)
  must be HTTPS.
- The `openid_configuration` URL from hop 1 must be on a trusted OIDC
  provider domain (Google, Apple, Microsoft, Okta, login.dfinity.org).
- Issuer hostname in the provider discovery must match the
  `openid_configuration` hostname *exactly* or as a true subdomain —
  using `endsWith` alone would accept look-alikes like
  `evildfinity.okta.com`.
- Authorization endpoint hostname is constrained to the same, not just
  HTTPS-validated, so a tampered discovery response can't redirect the
  auth step off-host.
- Per-domain rate limit (1 attempt per 10 min), max 2 concurrent
  discoveries, 4-hour cache per hop, exponential backoff, timeouts
  (5s for hop 1, 10s for hop 2) with `clearTimeout` in `finally` so a
  failed fetch can't leak an armed abort timer.

**Cleanup of stale assumptions.**
- Removed the earlier draft's eager per-provider button rendering in
  `PickAuthenticationMethod` — those were based on a richer
  `DiscoverableOidcConfig` shape that didn't survive into main.
- Removed `authFlow.continueWithOidc` and `openID.findConfig`'s
  `oidc_configs` extension for the same reason; they assumed the
  config contained a pre-supplied `client_id`, which it no longer
  does.

# Tests

- 23 tests in `ssoDiscovery.test.ts`: domain validation,
  allowlist-at-caller discipline, two-hop happy path, cache, retry,
  trusted-provider check, HTTPS enforcement, issuer/auth-endpoint
  hostname exact-match (including an `evildfinity.okta.com`
  regression case), off-host auth-endpoint rejection, non-object
  responses.
- 22 tests in `openID.test.ts` preserved, including 4 for
  `selectAuthScopes` (the shared defaults-fallback helper used by
  `continueWithSso`).
- `npm run lint` and `svelte-check` on touched files: clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Author: aterga

src/frontend/src/lib/components/icons/SsoIcon.svelte

@@ -0,0 +1,12 @@
+<script lang="ts">
+  import type { SVGAttributes } from "svelte/elements";
+
+  const { class: className, ...props }: SVGAttributes<SVGSVGElement> = $props();
+</script>
+
+<svg viewBox="0 0 20 20" {...props} class={["size-5", className]}>
+  <path
+    d="M10 1a4.5 4.5 0 0 0-4.5 4.5c0 1.56.8 2.93 2 3.74V18a1 1 0 0 0 1.7.7L11 16.92l1.3 1.3a1 1 0 0 0 1.42 0l1.3-1.3a1 1 0 0 0 0-1.42l-1.3-1.3 1-1a1 1 0 0 0 0-1.42L13.5 10.6V9.24a4.5 4.5 0 0 0 1-7.74A4.5 4.5 0 0 0 10 1Zm0 2.5a2 2 0 1 1 0 4 2 2 0 0 1 0-4Z"
+    class="fill-current"
+  />
+</svg>

src/frontend/src/lib/components/wizards/auth/AuthWizard.svelte

@@ -13,6 +13,8 @@
   import { isOpenIdCancelError } from "$lib/utils/openID";
   import type { OpenIdConfig } from "$lib/generated/internet_identity_types";
   import CreateIdentity from "$lib/components/wizards/auth/views/CreateIdentity.svelte";
+  import SignInWithSso from "$lib/components/wizards/auth/views/SignInWithSso.svelte";
+  import type { SsoDiscoveryResult } from "$lib/utils/ssoDiscovery";
 
   interface Props {
     onSignIn: (identityNumber: bigint) => Promise<void>;
@@ -93,6 +95,29 @@
     }
   };
 
+  const handleContinueWithSso = async (
+    result: SsoDiscoveryResult,
+  ): Promise<void | "cancelled"> => {
+    try {
+      isAuthenticating = true;
+      const authResult = await authFlow.continueWithSso(result);
+      if (authResult.type === "signIn") {
+        await onSignIn(authResult.identityNumber);
+      } else if (authResult.name !== undefined) {
+        await onSignUp(
+          await authFlow.completeOpenIdRegistration(authResult.name),
+        );
+      }
+    } catch (error) {
+      if (isOpenIdCancelError(error)) {
+        return "cancelled";
+      }
+      onError(error);
+    } finally {
+      isAuthenticating = false;
+    }
+  };
+
   const handleCompleteOpenIdRegistration = async (
     name: string,
   ): Promise<void> => {
@@ -122,6 +147,11 @@
     <CreatePasskey create={handleCreatePasskey} />
   {:else if authFlow.view === "setupNewIdentity"}
     <CreateIdentity create={handleCompleteOpenIdRegistration} />
+  {:else if authFlow.view === "signInWithSso"}
+    <SignInWithSso
+      continueWithSso={handleContinueWithSso}
+      goBack={authFlow.chooseMethod}
+    />
   {/if}
 {/snippet}
 
@@ -149,6 +179,7 @@
     <PickAuthenticationMethod
       setupOrUseExistingPasskey={authFlow.setupOrUseExistingPasskey}
       continueWithOpenId={handleContinueWithOpenId}
+      signInWithSso={authFlow.signInWithSso}
     />
   {/if}
   {#if authFlow.view !== "chooseMethod"}

src/frontend/src/lib/components/wizards/auth/views/PickAuthenticationMethod.svelte

@@ -1,6 +1,7 @@
 <script lang="ts">
   import Button from "$lib/components/ui/Button.svelte";
   import PasskeyIcon from "$lib/components/icons/PasskeyIcon.svelte";
+  import SsoIcon from "$lib/components/icons/SsoIcon.svelte";
   import Alert from "$lib/components/ui/Alert.svelte";
   import ProgressRing from "$lib/components/ui/ProgressRing.svelte";
   import { backendCanisterConfig } from "$lib/globals";
@@ -12,9 +13,14 @@
   interface Props {
     setupOrUseExistingPasskey: () => void;
     continueWithOpenId: (config: OpenIdConfig) => Promise<void | "cancelled">;
+    signInWithSso: () => void;
   }
 
-  const { setupOrUseExistingPasskey, continueWithOpenId }: Props = $props();
+  const {
+    setupOrUseExistingPasskey,
+    continueWithOpenId,
+    signInWithSso,
+  }: Props = $props();
 
   let authenticatingProviderId = $state<string>();
   let cancelledProviderId = $state<string>();
@@ -33,6 +39,11 @@
 
   const supportsPasskeys = window.PublicKeyCredential !== undefined;
   const openIdProviders = backendCanisterConfig.openid_configs?.[0] ?? [];
+  // SSO entry is shown whenever any organization domain is registered in
+  // `oidc_configs`. We do not render a button per organization — the user
+  // discovers their provider by entering their domain on the SSO screen.
+  const hasSsoProviders =
+    (backendCanisterConfig.oidc_configs?.[0] ?? []).length > 0;
 </script>
 
 <div class="flex flex-col items-stretch gap-5">
@@ -79,6 +90,17 @@
       <PasskeyIcon />
       {$t`Continue with passkey`}
     </Button>
+    {#if hasSsoProviders}
+      <Button
+        onclick={signInWithSso}
+        disabled={authenticatingProviderId !== undefined}
+        size="xl"
+        variant={"secondary"}
+      >
+        <SsoIcon />
+        {$t`Sign in with SSO`}
+      </Button>
+    {/if}
   </div>
   <div class="border-border-tertiary border-t"></div>
   <div class="flex flex-row items-center justify-between gap-4">

src/frontend/src/lib/components/wizards/auth/views/SignInWithSso.svelte

@@ -0,0 +1,138 @@
+<script lang="ts">
+  import { onMount } from "svelte";
+  import Button from "$lib/components/ui/Button.svelte";
+  import Input from "$lib/components/ui/Input.svelte";
+  import ProgressRing from "$lib/components/ui/ProgressRing.svelte";
+  import SsoIcon from "$lib/components/icons/SsoIcon.svelte";
+  import { backendCanisterConfig } from "$lib/globals";
+  import { validateDomain, discoverSsoConfig } from "$lib/utils/ssoDiscovery";
+  import type { SsoDiscoveryResult } from "$lib/utils/ssoDiscovery";
+  import { t } from "$lib/stores/locale.store";
+
+  interface Props {
+    continueWithSso: (
+      result: SsoDiscoveryResult,
+    ) => Promise<void | "cancelled">;
+    goBack: () => void;
+  }
+
+  const { continueWithSso, goBack }: Props = $props();
+
+  // The set of domains registered with II as SSO providers. A domain the user
+  // types must be in this set for us to attempt discovery — the backend
+  // config is the source of truth for "which organizations are allowed".
+  const registeredDomains = new Set(
+    (backendCanisterConfig.oidc_configs?.[0] ?? []).map(
+      (c) => c.discovery_domain,
+    ),
+  );
+
+  let inputRef = $state<HTMLInputElement>();
+  let domain = $state("");
+  let error = $state<string>();
+  let isSubmitting = $state(false);
+
+  const handleSubmit = async () => {
+    error = undefined;
+    const trimmed = domain.trim().toLowerCase();
+    if (trimmed.length === 0) {
+      return;
+    }
+
+    try {
+      validateDomain(trimmed);
+    } catch (e) {
+      error = e instanceof Error ? e.message : $t`Invalid domain`;
+      return;
+    }
+
+    if (!registeredDomains.has(trimmed)) {
+      error = $t`This domain is not registered as an OIDC provider.`;
+      return;
+    }
+
+    isSubmitting = true;
+    try {
+      const result = await discoverSsoConfig(trimmed);
+      await continueWithSso(result);
+    } catch (e) {
+      error =
+        e instanceof Error
+          ? e.message
+          : $t`SSO sign-in failed. Please try again.`;
+    } finally {
+      isSubmitting = false;
+    }
+  };
+
+  onMount(() => {
+    inputRef?.focus();
+  });
+</script>
+
+<div class="flex flex-1 flex-col">
+  <div
+    class="text-text-primary mb-8 flex w-full flex-col items-center justify-center"
+  >
+    <div class="my-5 flex items-center justify-center">
+      <SsoIcon class="text-text-tertiary size-12" />
+    </div>
+    <div>
+      <h1 class="mb-3 text-2xl font-medium sm:text-center">
+        {$t`Sign in with SSO`}
+      </h1>
+      <p
+        class="text-text-tertiary text-base font-medium text-balance sm:text-center"
+      >
+        {$t`Enter your organization's domain to sign in with your corporate identity provider.`}
+      </p>
+    </div>
+  </div>
+  <form
+    class="flex flex-col items-stretch gap-6"
+    onsubmit={(e) => {
+      e.preventDefault();
+      handleSubmit();
+    }}
+  >
+    <Input
+      bind:element={inputRef}
+      bind:value={domain}
+      oninput={() => {
+        error = undefined;
+      }}
+      inputmode="url"
+      placeholder={$t`e.g. dfinity.org`}
+      type="text"
+      size="md"
+      autocomplete="off"
+      autocorrect="off"
+      autocapitalize="off"
+      spellcheck="false"
+      disabled={isSubmitting}
+      {error}
+      aria-label={$t`Organization domain`}
+    />
+    <Button
+      onclick={handleSubmit}
+      variant="primary"
+      size="lg"
+      type="submit"
+      disabled={domain.trim().length === 0 || isSubmitting}
+    >
+      {#if isSubmitting}
+        <ProgressRing />
+        <span>{$t`Signing in...`}</span>
+      {:else}
+        <span>{$t`Continue`}</span>
+      {/if}
+    </Button>
+    <button
+      type="button"
+      onclick={goBack}
+      class="text-text-secondary self-center text-sm font-semibold outline-0 hover:underline focus-visible:underline"
+    >
+      {$t`Back to sign-in options`}
+    </button>
+  </form>
+</div>

src/frontend/src/lib/flows/authFlow.svelte.ts

@@ -33,7 +33,9 @@ import {
   RequestConfig,
   decodeJWT,
   extractIssuerTemplateClaims,
+  selectAuthScopes,
 } from "$lib/utils/openID";
+import type { SsoDiscoveryResult } from "$lib/utils/ssoDiscovery";
 import { nanosToMillis } from "$lib/utils/time";
 
 interface AuthFlowOptions {
@@ -47,6 +49,7 @@ export class AuthFlow {
     | "setupOrUseExistingPasskey"
     | "setupNewPasskey"
     | "setupNewIdentity"
+    | "signInWithSso"
   >("chooseMethod");
   #captcha = $state<{
     image: string;
@@ -90,6 +93,40 @@ export class AuthFlow {
     this.#view = "setupOrUseExistingPasskey";
   };
 
+  signInWithSso = (): void => {
+    this.#view = "signInWithSso";
+  };
+
+  continueWithSso = async (
+    ssoResult: SsoDiscoveryResult,
+  ): Promise<
+    | {
+        identityNumber: bigint;
+        type: "signIn";
+      }
+    | {
+        name?: string;
+        type: "signUp";
+      }
+  > => {
+    const { clientId, discovery } = ssoResult;
+
+    // Build a synthetic OpenIdConfig from SSO discovery result
+    const syntheticConfig: OpenIdConfig = {
+      auth_uri: discovery.authorization_endpoint,
+      jwks_uri: "",
+      logo: "",
+      name: "SSO",
+      fedcm_uri: [],
+      email_verification: [],
+      issuer: discovery.issuer,
+      auth_scope: selectAuthScopes(discovery.scopes_supported),
+      client_id: clientId,
+    };
+
+    return await this.continueWithOpenId(syntheticConfig);
+  };
+
   continueWithExistingPasskey = async (): Promise<bigint> => {
     authenticationV2Funnel.trigger(AuthenticationV2Events.UseExistingPasskey);
     const { identity, identityNumber, credentialId } =

src/frontend/src/lib/globals.ts

@@ -20,6 +20,12 @@ import { fromBase64 } from "./utils/utils";
 // direct dependencies between frontend and backend, as they may be deployed independently.
 //
 // Only compatibility between the two is guaranteed, not strict synchronization.
+const OpenIdEmailVerificationIDL = IDL.Variant({
+  Google: IDL.Null,
+  Unknown: IDL.Null,
+  Microsoft: IDL.Null,
+});
+
 const backendCanisterConfigIDL = IDL.Record({
   openid_configs: IDL.Opt(
     IDL.Vec(
@@ -29,19 +35,20 @@ const backendCanisterConfigIDL = IDL.Record({
         logo: IDL.Text,
         name: IDL.Text,
         fedcm_uri: IDL.Opt(IDL.Text),
-        email_verification: IDL.Opt(
-          IDL.Variant({
-            Google: IDL.Null,
-            Unknown: IDL.Null,
-            Microsoft: IDL.Null,
-          }),
-        ),
+        email_verification: IDL.Opt(OpenIdEmailVerificationIDL),
         issuer: IDL.Text,
         auth_scope: IDL.Vec(IDL.Text),
         client_id: IDL.Text,
       }),
     ),
   ),
+  oidc_configs: IDL.Opt(
+    IDL.Vec(
+      IDL.Record({
+        discovery_domain: IDL.Text,
+      }),
+    ),
+  ),
 });
 
 // Types for above IDL definition
@@ -60,7 +67,20 @@ export interface OpenIdConfig {
   auth_scope: Array<string>;
   client_id: string;
 }
-export type BackendCanisterConfig = { openid_configs: [] | [OpenIdConfig[]] };
+/**
+ * SSO-provider config registered by an II admin. The backend stores only the
+ * organization domain; the frontend resolves `client_id` / authorization
+ * endpoint / scopes on demand via the two-hop SSO discovery chain in
+ * `ssoDiscovery.ts` when the user enters this domain on the SSO screen.
+ */
+export interface DiscoverableOidcConfig {
+  discovery_domain: string;
+}
+
+export type BackendCanisterConfig = {
+  openid_configs: [] | [OpenIdConfig[]];
+  oidc_configs: [] | [DiscoverableOidcConfig[]];
+};
 
 export let canisterId: Principal;
 export let frontendCanisterConfig: InternetIdentityFrontendInit;