feat(be): OpenIdCredentialKey with data migration — add aud for SSO security (dfinity#3784)

## Summary

Add the `aud` (audience / client_id) field to `OpenIdCredentialKey`,
changing it from `(iss, sub)` to `(iss, sub, aud)`. This is a security
prerequisite for SSO: since SSO allows anyone to provide a `client_id`
via their `ii-openid-configuration` endpoint, without `aud` in the key
two different OIDC clients at the same provider with the same user `sub`
would collide, enabling impersonation.

## Changes

- **Type update**: `OpenIdCredentialKey` type alias changed from `(Iss,
Sub)` to `(Iss, Sub, Aud)` in both `internet_identity_interface` and the
`openid` module
- **CBOR encoding**: `StorableOpenIdCredentialKey` rewritten with manual
`Encode`/`Decode` impls — new entries use CBOR map format `{0:iss,
1:sub, 2:aud}`; the decoder also handles legacy CBOR array format `[iss,
sub]` for backward compatibility
- **Migration**: `post_upgrade` drains the credential key index via
`pop_first`, resolves `aud` from each anchor's
`StorableOpenIdCredential` (which already stores `aud` at CBOR index
`#[n(2)]`), and re-inserts with the complete `(iss, sub, aud)` key.
Unresolvable entries are preserved with empty `aud` for retry on next
upgrade.
- **Key construction**: Updated `OpenIdCredential::key()`,
`StorableOpenIdCredential::key()`, `calculate_delegation_seed()`, and
all call sites
- **Candid interface**: Updated `.did` file and generated JS/TS
declarations
- **Frontend**: Updated credential removal call to pass `aud`
- **Tests**: Added unit tests for new CBOR map encoding, legacy array
decoding, and round-trip serialization. Updated existing test assertions
to use 3-tuple keys.

## Delegation seed backward compatibility

The `calculate_delegation_seed` function already receives `client_id`
(which equals `aud`) as a separate parameter. The seed calculation is
unchanged — `aud` from the key tuple is ignored (`_aud`) in the
destructuring, preserving identical `Principal` derivation for existing
credentials.

## Migration safety

- Uses `pop_first()` to drain the BTreeMap, avoiding byte-level encoding
mismatches between legacy array-encoded keys and new map-encoded keys
- Resolves `aud` from the anchor's stored `StorableOpenIdCredential`
which already has `aud` at CBOR index 2
- Falls back to re-inserting with empty `aud` if resolution fails, with
a logged warning — the entry is preserved for retry on next upgrade
- Idempotent: safe to run on every upgrade; entries already in the new
format are preserved unchanged

## Test plan

- [x] All 209 unit tests pass (including Candid interface compatibility)
- [ ] Integration tests (require canister WASM build — pass in CI)
- [ ] Deploy to testnet and verify migration of existing credentials
- [ ] Verify credential lookup works after migration
- [ ] Verify new credential registration includes `aud` in key

---
[< Previous PR](dfinity#3778)
| [Next PR >](dfinity#3785)

---------

Co-authored-by: Claude Agent <noreply@anthropic.com>
Co-authored-by: Arshavir Ter-Gabrielyan <arshavir.ter.gabrielyan@dfinity.org>

Author: 3 people

src/frontend/src/lib/generated/internet_identity_idl.js

@@ -481,7 +481,7 @@ export const idlFactory = ({ IDL }) => {
     'Unauthorized' : IDL.Principal,
     'JwtVerificationFailed' : IDL.Null,
   });
-  const OpenIdCredentialKey = IDL.Tuple(Iss, Sub);
+  const OpenIdCredentialKey = IDL.Tuple(Iss, Sub, Aud);
   const OpenIdCredentialRemoveError = IDL.Variant({
     'InternalCanisterError' : IDL.Text,
     'OpenIdCredentialNotFound' : IDL.Null,

src/frontend/src/lib/generated/internet_identity_types.d.ts

@@ -932,7 +932,7 @@ export type OpenIdCredentialAddError = {
   { 'JwtExpired' : null } |
   { 'Unauthorized' : Principal } |
   { 'JwtVerificationFailed' : null };
-export type OpenIdCredentialKey = [Iss, Sub];
+export type OpenIdCredentialKey = [Iss, Sub, Aud];
 export type OpenIdCredentialRemoveError = { 'InternalCanisterError' : string } |
   { 'OpenIdCredentialNotFound' : null } |
   { 'Unauthorized' : Principal };

src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/+page.svelte

@@ -187,6 +187,7 @@
           .openid_credential_remove($authenticatedStore.identityNumber, [
             removingAccessMethod.openid.iss,
             removingAccessMethod.openid.sub,
+            removingAccessMethod.openid.aud,
           ])
           .then(throwCanisterError);
       }

src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/utils.ts

@@ -55,7 +55,8 @@ export const toAccessMethods = (
 
 /**
  * Returns a unique string key for an access method.
- * Uses credential ID for passkeys and issuer+subject for OpenID.
+ * Uses credential ID for passkeys and a JSON-encoded (iss, sub, aud) triple
+ * for OpenID so components can't collide via concatenation.
  */
 export const toKey = (accessMethod: AccessMethod): string => {
   if (
@@ -67,7 +68,11 @@ export const toKey = (accessMethod: AccessMethod): string => {
     );
   }
   if ("openid" in accessMethod) {
-    return accessMethod.openid.iss + accessMethod.openid.sub;
+    return JSON.stringify([
+      accessMethod.openid.iss,
+      accessMethod.openid.sub,
+      accessMethod.openid.aud,
+    ]);
   }
   throw new Error("Unknown access method type");
 };

src/internet_identity/internet_identity.did

@@ -403,7 +403,7 @@ type OidcConfig = record {
     issuer : opt text;
 };
 
-type OpenIdCredentialKey = record { Iss; Sub };
+type OpenIdCredentialKey = record { Iss; Sub; Aud };
 
 type AnalyticsConfig = variant {
     Plausible : record {

src/internet_identity/src/anchor_management.rs

@@ -229,7 +229,7 @@ pub fn remove_openid_credential(
     key: &OpenIdCredentialKey,
 ) -> Result<Operation, AnchorError> {
     anchor.remove_openid_credential(key)?;
-    let (iss, _) = key;
+    let (iss, _, _) = key;
     Ok(Operation::RemoveOpenIdCredential { iss: iss.clone() })
 }
 

src/internet_identity/src/attributes.rs

@@ -978,7 +978,11 @@ mod tests {
             assert!(requested.is_empty());
 
             let attrs = result
-                .get(&(GOOGLE_ISSUER.to_string(), "google-user-123".to_string()))
+                .get(&(
+                    GOOGLE_ISSUER.to_string(),
+                    "google-user-123".to_string(),
+                    "test-client-id".to_string(),
+                ))
                 .expect("google verified email attributes should be present");
 
             pretty_assert_eq!(attrs.len(), 1);
@@ -1011,7 +1015,11 @@ mod tests {
             assert!(requested.is_empty());
 
             let attrs = result
-                .get(&(GOOGLE_ISSUER.to_string(), "google-user-123".to_string()))
+                .get(&(
+                    GOOGLE_ISSUER.to_string(),
+                    "google-user-123".to_string(),
+                    "test-client-id".to_string(),
+                ))
                 .expect("credential key should be present");
             pretty_assert_eq!(
                 attrs.len(),
@@ -1034,7 +1042,11 @@ mod tests {
             assert!(requested.is_empty());
 
             let attrs = result
-                .get(&(GOOGLE_ISSUER.to_string(), "google-user-123".to_string()))
+                .get(&(
+                    GOOGLE_ISSUER.to_string(),
+                    "google-user-123".to_string(),
+                    "test-client-id".to_string(),
+                ))
                 .expect("credential key should be present");
             pretty_assert_eq!(
                 attrs.len(),
@@ -1057,7 +1069,11 @@ mod tests {
             assert!(requested.is_empty());
 
             let attrs = result
-                .get(&(GOOGLE_ISSUER.to_string(), "google-user-123".to_string()))
+                .get(&(
+                    GOOGLE_ISSUER.to_string(),
+                    "google-user-123".to_string(),
+                    "test-client-id".to_string(),
+                ))
                 .expect("credential key should be present");
             pretty_assert_eq!(
                 attrs.len(),
@@ -1087,7 +1103,11 @@ mod tests {
             assert!(requested.is_empty());
 
             let attrs = result
-                .get(&(GOOGLE_ISSUER.to_string(), "google-user-123".to_string()))
+                .get(&(
+                    GOOGLE_ISSUER.to_string(),
+                    "google-user-123".to_string(),
+                    "test-client-id".to_string(),
+                ))
                 .expect("credential key should be present");
             pretty_assert_eq!(
                 attrs.len(),
@@ -1123,7 +1143,11 @@ mod tests {
             assert!(requested.is_empty());
 
             let attrs = result
-                .get(&(GOOGLE_ISSUER.to_string(), "google-user-123".to_string()))
+                .get(&(
+                    GOOGLE_ISSUER.to_string(),
+                    "google-user-123".to_string(),
+                    "test-client-id".to_string(),
+                ))
                 .expect("credential key should be present");
             pretty_assert_eq!(
                 attrs.len(),
@@ -1157,6 +1181,7 @@ mod tests {
                 .get(&(
                     MICROSOFT_RESOLVED_ISSUER.to_string(),
                     "ms-user-456".to_string(),
+                    "test-client-id".to_string(),
                 ))
                 .expect("microsoft verified email attributes should be present");
 
@@ -1200,7 +1225,11 @@ mod tests {
             assert!(requested.is_empty());
 
             let attrs = result
-                .get(&(enterprise_iss, "enterprise-user".to_string()))
+                .get(&(
+                    enterprise_iss,
+                    "enterprise-user".to_string(),
+                    "test-client-id".to_string(),
+                ))
                 .expect("credential key should be present");
             pretty_assert_eq!(
                 attrs.len(),
@@ -1259,6 +1288,7 @@ mod tests {
                 .get(&(
                     MICROSOFT_RESOLVED_ISSUER.to_string(),
                     "ms-user-456".to_string(),
+                    "test-client-id".to_string(),
                 ))
                 .expect("credential key should be present");
             pretty_assert_eq!(
@@ -1310,7 +1340,11 @@ mod tests {
             pretty_assert_eq!(result.len(), 2, "both credentials should be present");
 
             let google_attrs = result
-                .get(&(GOOGLE_ISSUER.to_string(), "google-user-123".to_string()))
+                .get(&(
+                    GOOGLE_ISSUER.to_string(),
+                    "google-user-123".to_string(),
+                    "test-client-id".to_string(),
+                ))
                 .expect("google attributes");
             pretty_assert_eq!(
                 attribute_pairs(google_attrs),
@@ -1324,6 +1358,7 @@ mod tests {
                 .get(&(
                     MICROSOFT_RESOLVED_ISSUER.to_string(),
                     "ms-user-456".to_string(),
+                    "test-client-id".to_string(),
                 ))
                 .expect("microsoft attributes");
             pretty_assert_eq!(
@@ -1367,7 +1402,11 @@ mod tests {
             assert!(requested.is_empty());
 
             let attrs = result
-                .get(&(GOOGLE_ISSUER.to_string(), "google-user-123".to_string()))
+                .get(&(
+                    GOOGLE_ISSUER.to_string(),
+                    "google-user-123".to_string(),
+                    "test-client-id".to_string(),
+                ))
                 .expect("google attributes");
 
             pretty_assert_eq!(attrs.len(), 3, "all three attributes should be returned");
@@ -1540,6 +1579,7 @@ mod tests {
                 .get(&(
                     MICROSOFT_RESOLVED_ISSUER.to_string(),
                     "ms-user-456".to_string(),
+                    "test-client-id".to_string(),
                 ))
                 .expect("credential key should be present");
             pretty_assert_eq!(attrs.len(), 1, "email attribute should be returned");

src/internet_identity/src/main.rs

@@ -13,6 +13,9 @@ use ic_canister_sig_creation::signature_map::LABEL_SIG;
 use ic_cdk::api::{caller, set_certified_data, trap};
 use ic_cdk::call;
 use ic_cdk_macros::{init, post_upgrade, pre_upgrade, query, update};
+use ic_cdk_timers::TimerId;
+use std::cell::RefCell;
+use std::time::Duration;
 
 use internet_identity_interface::archive::types::{BufferedEntry, Operation};
 use internet_identity_interface::http_gateway::{HttpRequest, HttpResponse};
@@ -75,6 +78,95 @@ const INTERNETCOMPUTER_ORG_ORIGIN: &str = "https://identity.internetcomputer.org
 const ID_AI_DOMAIN: &str = "id.ai";
 const ID_AI_ORIGIN: &str = "https://id.ai";
 
+// ---- OpenID credential key migration (temporary, see PR #3784) ----
+//
+// The `OpenIdCredentialKey` type grew an `aud` field. Existing index entries
+// were written in the legacy `(iss, sub)` CBOR array shape and must be
+// upgraded to the new `(iss, sub, aud)` CBOR map shape. Upgrading all entries
+// synchronously in `post_upgrade` would blow the instruction limit on II's
+// production canister, so we batch the work via an interval timer using the
+// same convention as the prior anchor migration (#3713).
+
+/// How long to wait between migration batches.
+const OIDC_KEY_MIGRATION_BATCH_BACKOFF_SECONDS: Duration = Duration::from_secs(1);
+
+/// Maximum number of index entries to upgrade per batch (= per ingress message).
+/// Matches the 2 000-anchor-per-batch convention used for previous migrations.
+const OIDC_KEY_MIGRATION_BATCH_SIZE: u64 = 2_000;
+
+thread_local! {
+    // TODO: Remove these after the data migration is complete.
+    static OIDC_KEY_MIGRATION_DONE: RefCell<bool> = const { RefCell::new(false) };
+    static OIDC_KEY_MIGRATION_PROCESSED: RefCell<u64> = const { RefCell::new(0) };
+    static OIDC_KEY_MIGRATION_ERRORS: RefCell<Vec<String>> = const { RefCell::new(Vec::new()) };
+    static OIDC_KEY_MIGRATION_TIMER_ID: RefCell<Option<TimerId>> = const { RefCell::new(None) };
+}
+
+/// Temporary hidden endpoint: returns any orphan-entry errors encountered
+/// during the OpenID credential key migration.
+#[update(hidden = true)]
+fn list_oidc_key_migration_errors() -> Vec<String> {
+    OIDC_KEY_MIGRATION_ERRORS.with_borrow(|errors| errors.clone())
+}
+
+/// Temporary hidden endpoint: returns `(processed_entries, is_done)` so
+/// monitoring can track migration progress.
+#[query(hidden = true)]
+fn oidc_key_migration_status() -> (u64, bool) {
+    (
+        OIDC_KEY_MIGRATION_PROCESSED.with_borrow(|c| *c),
+        OIDC_KEY_MIGRATION_DONE.with_borrow(|d| *d),
+    )
+}
+
+/// Process one batch of the OpenID credential key migration. Bound to the
+/// interval timer set up in [`init_oidc_key_migration_timer`]; clears the
+/// timer once the migration signals completion.
+fn run_oidc_key_migration_batch() {
+    if OIDC_KEY_MIGRATION_DONE.with_borrow(|done| *done) {
+        return;
+    }
+
+    let outcome = state::storage_borrow_mut(|storage| {
+        storage.migrate_openid_credential_keys_batch(OIDC_KEY_MIGRATION_BATCH_SIZE)
+    });
+
+    OIDC_KEY_MIGRATION_PROCESSED.with_borrow_mut(|count| {
+        *count = count.saturating_add(outcome.processed);
+    });
+    if !outcome.errors.is_empty() {
+        OIDC_KEY_MIGRATION_ERRORS.with_borrow_mut(|errors| errors.extend(outcome.errors));
+    }
+
+    if outcome.is_done {
+        OIDC_KEY_MIGRATION_DONE.replace(true);
+        OIDC_KEY_MIGRATION_TIMER_ID.with_borrow_mut(|id_slot| {
+            if let Some(timer_id) = id_slot.take() {
+                ic_cdk_timers::clear_timer(timer_id);
+            }
+        });
+        let processed = OIDC_KEY_MIGRATION_PROCESSED.with_borrow(|c| *c);
+        ic_cdk::println!(
+            "OpenID credential key migration COMPLETED ({processed} entries processed)."
+        );
+    }
+}
+
+/// Start the interval timer driving [`run_oidc_key_migration_batch`]. Safe to
+/// call from both `init` (the first batch will immediately see an empty index
+/// and mark the migration done) and `post_upgrade`.
+fn init_oidc_key_migration_timer() {
+    let timer_id = ic_cdk_timers::set_timer_interval(
+        OIDC_KEY_MIGRATION_BATCH_BACKOFF_SECONDS,
+        run_oidc_key_migration_batch,
+    );
+    OIDC_KEY_MIGRATION_TIMER_ID.with_borrow_mut(|id_slot| {
+        if let Some(old_id) = id_slot.replace(timer_id) {
+            ic_cdk_timers::clear_timer(old_id);
+        }
+    });
+}
+
 #[update]
 async fn init_salt() {
     state::init_salt().await;
@@ -639,6 +731,11 @@ fn initialize(maybe_arg: Option<InternetIdentityInit>) {
     if let Some(oidc_configs) = config.oidc_configs {
         openid::setup_oidc(oidc_configs);
     }
+
+    // Kick off the OpenID credential key batch migration. Processes at most
+    // `OIDC_KEY_MIGRATION_BATCH_SIZE` entries per tick so each batch fits in
+    // one ingress message; timer self-clears once the migration signals done.
+    init_oidc_key_migration_timer();
 }
 
 fn apply_install_arg(maybe_arg: Option<InternetIdentityInit>) {