fix(fe): label SSO credentials by discovery domain, not IdP issuer

An SSO-linked access method (e.g. via `dfinity.org`'s Okta) was being
rendered as "Google account" with the Google logo because
`findConfig(iss, metadata)` matched on issuer alone. When the
underlying IdP happens to be Google, the credential's `iss` is the
Google issuer and collides with the direct "Sign in with Google"
entry in `openid_configs` — even though the `aud` (client_id) is
completely different.

Changes:

- `findConfig(iss, aud, metadata)` now matches on both `iss` and `aud`
  (the OAuth client_id). `aud` is accepted as `string | undefined`;
  callers that haven't been extended to track `aud` yet
  (`LastUsedIdentity`-based paths — see dfinity#3795) keep their issuer-only
  behavior for now, which is correct for direct providers and
  mis-attributes SSO credentials at those legacy sites only.

- `openIdName(iss, sub, aud, metadata)` now also consults a per-device
  localStorage map (`ssoDomainStorage.ts`) populated at SSO link time.
  If the credential was linked via SSO on this device, the label
  becomes the `discovery_domain` the user typed (e.g. "dfinity.org
  account").

- `openIdLogo(iss, aud, metadata)` returns `undefined` for credentials
  that don't match any direct provider — the access-methods UI uses
  the generic SSO key icon as a fallback in that case.

- `SsoDiscoveryResult` grows a `domain` field; both sign-in and
  add-access-method flows persist the `(iss, sub, aud) → domain`
  mapping after a successful SSO link, so the next render shows the
  correct label.

- `OpenIdItem` renders the `<SsoIcon>` when `openIdLogo` returns
  undefined, and falls back to the literal "SSO" word when no domain
  is stored (cross-device case).

Cross-device labelling (credential linked on device A, viewed on
device B) remains wrong until the `discovery_domain` is persisted on
the backend credential — tracked in dfinity#3795.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aterga

src/frontend/src/lib/components/ui/IdentityAvatar.svelte

@@ -17,6 +17,10 @@
       identity.authMethod.openid.metadata !== undefined
       ? openIdLogo(
           identity.authMethod.openid.iss,
+          // `aud` not currently tracked on `LastUsedIdentity`; see #3795.
+          // Falls back to issuer-only matching — correct for direct
+          // providers, imprecise for SSO until that's fixed.
+          undefined,
           identity.authMethod.openid.metadata,
         )
       : undefined,

src/frontend/src/lib/components/ui/ManageIdentities.svelte

@@ -44,6 +44,9 @@
     identity.authMethod.openid.metadata !== undefined
       ? openIdName(
           identity.authMethod.openid.iss,
+          identity.authMethod.openid.sub,
+          // `aud` not tracked on `LastUsedIdentity`; see #3795.
+          undefined,
           identity.authMethod.openid.metadata,
         )
       : undefined}

src/frontend/src/lib/flows/addAccessMethodFlow.svelte.ts

@@ -14,6 +14,7 @@ import { DiscoverableDummyIdentity } from "$lib/utils/discoverableDummyIdentity"
 import { DiscoverablePasskeyIdentity } from "$lib/utils/discoverablePasskeyIdentity";
 import { passkeyAuthnMethodData } from "$lib/utils/authnMethodData";
 import type { SsoDiscoveryResult } from "$lib/utils/ssoDiscovery";
+import { rememberSsoDomainForCredential } from "$lib/utils/ssoDomainStorage";
 
 export class AddAccessMethodFlow {
   #view = $state<"chooseMethod" | "addPasskey" | "signInWithSso">(
@@ -119,9 +120,15 @@ export class AddAccessMethodFlow {
    * identity. Reuses {@link linkOpenIdAccount} by synthesizing an
    * `OpenIdConfig` from the two-hop discovery result — the issuer and
    * client_id we got from discovery plus a default name.
+   *
+   * On success we also remember `(iss, sub, aud) → domain` in localStorage
+   * so the access-methods UI can later label this credential by the SSO
+   * domain the user typed instead of by the underlying IdP's issuer.
    */
-  linkSsoAccount = (result: SsoDiscoveryResult): Promise<OpenIdCredential> => {
-    const { clientId, discovery } = result;
+  linkSsoAccount = async (
+    result: SsoDiscoveryResult,
+  ): Promise<OpenIdCredential> => {
+    const { domain, clientId, discovery } = result;
     const syntheticConfig: OpenIdConfig = {
       auth_uri: discovery.authorization_endpoint,
       jwks_uri: "",
@@ -133,6 +140,11 @@ export class AddAccessMethodFlow {
       auth_scope: selectAuthScopes(discovery.scopes_supported),
       client_id: clientId,
     };
-    return this.linkOpenIdAccount(syntheticConfig);
+    const credential = await this.linkOpenIdAccount(syntheticConfig);
+    rememberSsoDomainForCredential(
+      { iss: credential.iss, sub: credential.sub, aud: credential.aud },
+      domain,
+    );
+    return credential;
   };
 }

src/frontend/src/lib/flows/authFlow.svelte.ts

@@ -34,6 +34,7 @@ import {
   selectAuthScopes,
 } from "$lib/utils/openID";
 import type { SsoDiscoveryResult } from "$lib/utils/ssoDiscovery";
+import { rememberSsoDomainForCredential } from "$lib/utils/ssoDomainStorage";
 import { nanosToMillis } from "$lib/utils/time";
 
 interface AuthFlowOptions {
@@ -107,7 +108,7 @@ export class AuthFlow {
         type: "signUp";
       }
   > => {
-    const { clientId, discovery } = ssoResult;
+    const { domain, clientId, discovery } = ssoResult;
 
     // Build a synthetic OpenIdConfig from SSO discovery result
     const syntheticConfig: OpenIdConfig = {
@@ -122,7 +123,37 @@ export class AuthFlow {
       client_id: clientId,
     };
 
-    return await this.continueWithOpenId(syntheticConfig);
+    // Pre-fetch the JWT so we can record the `(iss, sub, aud) → domain`
+    // mapping before handing off to the OpenID flow. Passing the JWT into
+    // `continueWithOpenId` avoids a second round-trip to the provider.
+    // The SSO domain is what the user typed; without remembering it here,
+    // `OpenIdItem` would later render this credential as e.g. "Google
+    // account" when the underlying IdP happens to be Google.
+    this.#systemOverlay = true;
+    let jwt: string;
+    try {
+      jwt = await requestJWT(
+        {
+          clientId,
+          authURL: discovery.authorization_endpoint,
+          authScope: syntheticConfig.auth_scope.join(" "),
+        },
+        {
+          nonce: get(sessionStore).nonce,
+          mediation: "required",
+        },
+      );
+    } catch (error) {
+      this.#view = "chooseMethod";
+      throw error;
+    } finally {
+      this.#systemOverlay = false;
+      authenticationV2Funnel.trigger(AuthenticationV2Events.ContinueWithOpenID);
+    }
+    const { iss, sub, aud } = decodeJWT(jwt);
+    rememberSsoDomainForCredential({ iss, sub, aud }, domain);
+
+    return await this.continueWithOpenId(syntheticConfig, jwt);
   };
 
   continueWithExistingPasskey = async (): Promise<bigint> => {

src/frontend/src/lib/flows/authLastUsedFlow.svelte.ts

@@ -60,6 +60,9 @@ export class AuthLastUsedFlow {
         const issuer = lastUsedIdentity.authMethod.openid.iss;
         const config = findConfig(
           issuer,
+          // `aud` not tracked on `LastUsedIdentity`; see #3795. Falls back
+          // to issuer-only matching.
+          undefined,
           lastUsedIdentity.authMethod.openid.metadata ?? [],
         );
         if (config === undefined) {

src/frontend/src/lib/locales/de.po

@@ -22,6 +22,15 @@ msgstr "{0}-Benutzer"
 msgid "{application} has moved to the new Internet Identity"
 msgstr "{application} ist zur neuen Internet Identity umgezogen"
 
+msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgstr ""
+
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgstr ""
+
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgstr ""
+
 msgid "{identityName} has been removed from this device."
 msgstr "{identityName} wurde von diesem Gerät entfernt."
 
@@ -229,6 +238,9 @@ msgstr "Mit {name} fortfahren"
 msgid "Continue with passkey"
 msgstr "Mit Passkey fortfahren"
 
+msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgstr ""
+
 msgid "Create account"
 msgstr "Konto erstellen"
 
@@ -389,9 +401,6 @@ msgstr "Wie unterscheidet sich Internet Identity von anderen Web3-Authentifizier
 msgid "How to stay secure"
 msgstr "So bleiben Sie sicher"
 
-msgid "HTTP {0}"
-msgstr ""
-
 msgid "I Acknowledge"
 msgstr "Ich bestätige"
 
@@ -491,9 +500,6 @@ msgstr "Ungültige Wiederherstellungsphrase"
 msgid "Invalid request"
 msgstr "Ungültige Anfrage"
 
-msgid "invalid response"
-msgstr ""
-
 msgid "Is my Face ID or Fingerprint stored in Internet Identity?"
 msgstr "Werden Face ID oder Fingerabdruck in Internet Identity gespeichert?"
 
@@ -617,9 +623,6 @@ msgstr "Konto benennen"
 msgid "Name your identity"
 msgstr "Benennen Sie Ihre Identität"
 
-msgid "network error"
-msgstr ""
-
 msgid "No data is shared with Google, Microsoft or Apple on which applications you log in with Internet Identity."
 msgstr "Es werden keine Daten an Google, Microsoft oder Apple darüber weitergegeben, bei welchen Anwendungen Sie sich mit Internet Identity anmelden."
 
@@ -827,6 +830,9 @@ msgstr "Sitzung abgelaufen"
 msgid "Set as default sign-in"
 msgstr "Als Standardanmeldung festlegen"
 
+msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgstr ""
+
 msgid "Show all"
 msgstr "Alle anzeigen"
 
@@ -894,7 +900,22 @@ msgstr ""
 msgid "Source code"
 msgstr "Quellcode"
 
-msgid "SSO is not available for \"{domainInput}\" yet."
+msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
+msgstr ""
+
+msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
+msgstr ""
+
+msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
+msgstr ""
+
+msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
+msgstr ""
+
+msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
+msgstr ""
+
+msgid "SSO provider's discovery document is malformed: {msg}"
 msgstr ""
 
 msgid "SSO sign-in failed. Please try again."
@@ -981,9 +1002,6 @@ msgstr "Diese App ist zur neuen Internet Identity umgezogen"
 msgid "This browser is not supported."
 msgstr ""
 
-msgid "This domain isn't correctly configured for Internet Identity ({detail})."
-msgstr ""
-
 msgid "This identity has already been upgraded to the new experience."
 msgstr "Diese Identität wurde bereits auf die neue Version aktualisiert."
 
@@ -1032,6 +1050,9 @@ msgstr "So fahren Sie fort:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Um die Einrichtung Ihres Passkeys abzuschließen, folgen Sie den Anweisungen auf Ihrem <0>neuen Gerät</0>."
 
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgstr ""
+
 msgid "Type each word in the correct order:"
 msgstr "Geben Sie jedes Wort in der richtigen Reihenfolge ein:"
 

src/frontend/src/lib/locales/en.po

@@ -22,6 +22,15 @@ msgstr "{0} user"
 msgid "{application} has moved to the new Internet Identity"
 msgstr "{application} has moved to the new Internet Identity"
 
+msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgstr "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgstr "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgstr "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+
 msgid "{identityName} has been removed from this device."
 msgstr "{identityName} has been removed from this device."
 
@@ -229,6 +238,9 @@ msgstr "Continue with {name}"
 msgid "Continue with passkey"
 msgstr "Continue with passkey"
 
+msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgstr "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+
 msgid "Create account"
 msgstr "Create account"
 
@@ -389,9 +401,6 @@ msgstr "How does Internet Identity compare to other Web3 authentication tools?"
 msgid "How to stay secure"
 msgstr "How to stay secure"
 
-msgid "HTTP {0}"
-msgstr "HTTP {0}"
-
 msgid "I Acknowledge"
 msgstr "I Acknowledge"
 
@@ -491,9 +500,6 @@ msgstr "Invalid recovery phrase"
 msgid "Invalid request"
 msgstr "Invalid request"
 
-msgid "invalid response"
-msgstr "invalid response"
-
 msgid "Is my Face ID or Fingerprint stored in Internet Identity?"
 msgstr "Is my Face ID or Fingerprint stored in Internet Identity?"
 
@@ -617,9 +623,6 @@ msgstr "Name account"
 msgid "Name your identity"
 msgstr "Name your identity"
 
-msgid "network error"
-msgstr "network error"
-
 msgid "No data is shared with Google, Microsoft or Apple on which applications you log in with Internet Identity."
 msgstr "No data is shared with Google, Microsoft or Apple on which applications you log in with Internet Identity."
 
@@ -827,6 +830,9 @@ msgstr "Session timed out"
 msgid "Set as default sign-in"
 msgstr "Set as default sign-in"
 
+msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgstr "Several SSO sign-ins are in flight already. Wait a moment and try again."
+
 msgid "Show all"
 msgstr "Show all"
 
@@ -894,8 +900,23 @@ msgstr "Something went wrong while sharing attributes. Please try again; if the
 msgid "Source code"
 msgstr "Source code"
 
-msgid "SSO is not available for \"{domainInput}\" yet."
-msgstr "SSO is not available for \"{domainInput}\" yet."
+msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
+msgstr "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
+
+msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
+msgstr "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
+
+msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
+msgstr "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
+
+msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
+msgstr "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
+
+msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
+msgstr "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
+
+msgid "SSO provider's discovery document is malformed: {msg}"
+msgstr "SSO provider's discovery document is malformed: {msg}"
 
 msgid "SSO sign-in failed. Please try again."
 msgstr "SSO sign-in failed. Please try again."
@@ -981,9 +1002,6 @@ msgstr "This app has moved to the new Internet Identity"
 msgid "This browser is not supported."
 msgstr "This browser is not supported."
 
-msgid "This domain isn't correctly configured for Internet Identity ({detail})."
-msgstr "This domain isn't correctly configured for Internet Identity ({detail})."
-
 msgid "This identity has already been upgraded to the new experience."
 msgstr "This identity has already been upgraded to the new experience."
 
@@ -1032,6 +1050,9 @@ msgstr "To continue:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgstr "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+
 msgid "Type each word in the correct order:"
 msgstr "Type each word in the correct order:"