fix(fe): address sea-snake nit review comments on SSO sign-in

- Rename "Sign in with SSO" → "Continue with SSO" (auth + add-method)
- Simplify mapSubmitError: log raw errors to console, show user-facing
  messages for the key cases (domain not configured, OAuth errors,
  canary allowlist, rate limit), generic fallback for everything else
- Disable SSO continue button in add-access-method flow when the
  discovery result reveals the same (iss, aud) is already linked
- Add optional `name` to ii-openid-configuration schema and propagate
  orgName through SsoDiscoveryResult → ssoDomainStorage → openIdName
  so the access-methods UI can render e.g. "DFINITY" instead of just
  the domain
- Update locale catalogs via lingui extract

Author: timothyaterton

src/frontend/src/lib/components/wizards/addAccessMethod/AddAccessMethodWizard.svelte

@@ -100,6 +100,7 @@
   <SignInWithSso
     continueWithSso={handleContinueWithSso}
     goBack={addAccessMethodFlow.chooseMethod}
+    existingCredentials={openIdCredentials}
   />
 {/if}
 

src/frontend/src/lib/components/wizards/addAccessMethod/views/AddAccessMethod.svelte

@@ -125,7 +125,7 @@
         disabled={authenticatingProviderId !== undefined}
         size="xl"
         class="flex-1"
-        aria-label={$t`Sign in with SSO`}
+        aria-label={$t`Continue with SSO`}
       >
         <SsoIcon class="size-6" />
       </Button>

src/frontend/src/lib/components/wizards/auth/views/PickAuthenticationMethod.svelte

@@ -98,7 +98,7 @@
         disabled={authenticatingProviderId !== undefined}
         size="xl"
         class="flex-1"
-        aria-label={$t`Sign in with SSO`}
+        aria-label={$t`Continue with SSO`}
       >
         <SsoIcon class="size-6" />
       </Button>

src/frontend/src/lib/components/wizards/auth/views/SignInWithSso.svelte

@@ -13,16 +13,18 @@
   } from "$lib/utils/ssoDiscovery";
   import type { SsoDiscoveryResult } from "$lib/utils/ssoDiscovery";
   import { OAuthProviderError } from "$lib/utils/openID";
+  import type { OpenIdCredential } from "$lib/generated/internet_identity_types";
   import { t } from "$lib/stores/locale.store";
 
   interface Props {
     continueWithSso: (
       result: SsoDiscoveryResult,
     ) => Promise<void | "cancelled">;
     goBack: () => void;
+    existingCredentials?: OpenIdCredential[];
   }
 
-  const { continueWithSso, goBack }: Props = $props();
+  const { continueWithSso, goBack, existingCredentials }: Props = $props();
 
   /**
    * Debounce delay before kicking off the (network-heavy) two-hop lookup.
@@ -47,62 +49,29 @@
   let debounceTimer: ReturnType<typeof setTimeout> | undefined;
 
   const mapSubmitError = (e: unknown, domainInput: string): string => {
+    console.error("SSO sign-in error:", e);
     if (e instanceof DomainNotConfiguredError) {
-      if (e.reason === "http-error" && e.httpStatus !== undefined) {
-        return $t`${domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP ${String(e.httpStatus)}). The domain owner needs to publish it for II to sign you in.`;
-      }
       if (e.reason === "network") {
         return $t`Couldn't reach ${domainInput}. Check the spelling and your network, then try again.`;
       }
-      if (e.detail !== undefined && e.detail.length > 0) {
-        return $t`${domainInput}'s /.well-known/ii-openid-configuration is malformed: ${e.detail}`;
-      }
-      return $t`${domainInput}'s /.well-known/ii-openid-configuration is malformed.`;
+      return $t`${domainInput} isn't set up for SSO with Internet Identity. The domain owner needs to publish /.well-known/ii-openid-configuration.`;
     }
     if (e instanceof OAuthProviderError) {
-      // `unsupported_response_type` is the signature of an SSO app that
-      // only allows the plain authorization-code flow. II needs the
-      // hybrid flow (id_token + code) because it verifies JWTs canister-
-      // side with no token-endpoint exchange. Spell out the fix so the
-      // SSO admin can act on it directly.
       if (e.error === "unsupported_response_type") {
-        return $t`${domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type "id_token code" (e.g. in Okta, set the app to Single-Page Application with "Implicit (hybrid)" grant enabled).`;
+        return $t`${domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type "id_token code".`;
       }
       if (e.error === "access_denied") {
-        return $t`${domainInput}'s SSO denied the sign-in. Try again, and check with your SSO admin if the problem persists.`;
-      }
-      if (e.errorDescription !== undefined && e.errorDescription.length > 0) {
-        return $t`${domainInput}'s SSO returned "${e.error}": ${e.errorDescription}`;
+        return $t`${domainInput}'s SSO denied the sign-in. Try again, or check with your SSO admin.`;
       }
       return $t`${domainInput}'s SSO returned error "${e.error}".`;
     }
     if (e instanceof Error) {
-      const msg = e.message;
-      if (msg.toLowerCase().includes("canary allowlist")) {
-        return $t`SSO is not available for "${domainInput}" yet. Ask an II admin to register this domain.`;
-      }
-      if (msg.includes("Provider issuer hostname mismatch")) {
-        return $t`SSO provider misconfigured: issuer doesn't match the configured hostname. (${msg})`;
-      }
-      if (msg.includes("Provider authorization endpoint hostname mismatch")) {
-        return $t`SSO provider misconfigured: authorization endpoint points to a different host than the issuer. (${msg})`;
+      if (e.message.toLowerCase().includes("canary allowlist")) {
+        return $t`SSO is not available for "${domainInput}" yet.`;
       }
-      if (msg.includes("Provider issuer must use HTTPS")) {
-        return $t`SSO provider misconfigured: issuer URL is not HTTPS. (${msg})`;
-      }
-      if (msg.includes("Provider authorization endpoint must use HTTPS")) {
-        return $t`SSO provider misconfigured: authorization endpoint is not HTTPS. (${msg})`;
-      }
-      if (msg.startsWith("Provider discovery:")) {
-        return $t`SSO provider's discovery document is malformed: ${msg}`;
-      }
-      if (msg.startsWith("Rate limited:")) {
+      if (e.message.startsWith("Rate limited:")) {
         return $t`Too many recent attempts for ${domainInput}. Wait a few minutes and try again.`;
       }
-      if (msg === "Too many concurrent SSO discovery requests") {
-        return $t`Several SSO sign-ins are in flight already. Wait a moment and try again.`;
-      }
-      return msg;
     }
     return $t`SSO sign-in failed. Please try again.`;
   };
@@ -156,7 +125,17 @@
         });
         const result = await discoverSsoConfig(trimmed);
         if (matchesCurrent()) {
-          preparedResult = result;
+          if (
+            existingCredentials?.some(
+              (c) =>
+                c.iss === result.discovery.issuer &&
+                c.aud === result.clientId,
+            )
+          ) {
+            error = $t`This SSO domain is already linked to your identity.`;
+          } else {
+            preparedResult = result;
+          }
         }
       } catch (e) {
         if (matchesCurrent()) {

src/frontend/src/lib/flows/addAccessMethodFlow.svelte.ts

@@ -155,7 +155,7 @@ export class AddAccessMethodFlow {
   linkSsoAccount = async (
     result: SsoDiscoveryResult,
   ): Promise<OpenIdCredential> => {
-    const { domain, clientId, discovery } = result;
+    const { domain, orgName, clientId, discovery } = result;
     const syntheticConfig: OpenIdConfig = {
       auth_uri: discovery.authorization_endpoint,
       jwks_uri: "",
@@ -171,6 +171,7 @@ export class AddAccessMethodFlow {
     rememberSsoDomainForCredential(
       { iss: credential.iss, sub: credential.sub, aud: credential.aud },
       domain,
+      orgName,
     );
     return credential;
   };

src/frontend/src/lib/flows/authFlow.svelte.ts

@@ -108,7 +108,7 @@ export class AuthFlow {
         type: "signUp";
       }
   > => {
-    const { domain, clientId, discovery } = ssoResult;
+    const { domain, orgName, clientId, discovery } = ssoResult;
 
     // Build a synthetic OpenIdConfig from SSO discovery result
     const syntheticConfig: OpenIdConfig = {
@@ -151,7 +151,7 @@ export class AuthFlow {
       authenticationV2Funnel.trigger(AuthenticationV2Events.ContinueWithOpenID);
     }
     const { iss, sub, aud } = decodeJWT(jwt);
-    rememberSsoDomainForCredential({ iss, sub, aud }, domain);
+    rememberSsoDomainForCredential({ iss, sub, aud }, domain, orgName);
 
     return await this.continueWithOpenId(syntheticConfig, jwt);
   };

src/frontend/src/lib/locales/de.po

@@ -25,13 +25,16 @@ msgstr "{application} ist zur neuen Internet Identity umgezogen"
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} isn't set up for SSO with Internet Identity. The domain owner needs to publish /.well-known/ii-openid-configuration."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO denied the sign-in. Try again, or check with your SSO admin."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,6 +244,9 @@ msgstr "Mit {name} fortfahren"
 msgid "Continue with passkey"
 msgstr "Mit Passkey fortfahren"
 
+msgid "Continue with SSO"
+msgstr ""
+
 msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
 msgstr ""
 
@@ -830,9 +836,6 @@ msgstr "Sitzung abgelaufen"
 msgid "Set as default sign-in"
 msgstr "Als Standardanmeldung festlegen"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
-msgstr ""
-
 msgid "Show all"
 msgstr "Alle anzeigen"
 
@@ -851,9 +854,6 @@ msgstr "Anmelden mit bekannten Methoden"
 msgid "Sign in with another identity"
 msgstr "Mit einer anderen Identität anmelden"
 
-msgid "Sign in with SSO"
-msgstr ""
-
 msgid "Sign In With SSO"
 msgstr ""
 
@@ -903,22 +903,7 @@ msgstr "Quellcode"
 msgid "SSO"
 msgstr ""
 
-msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
+msgid "SSO is not available for \"{domainInput}\" yet."
 msgstr ""
 
 msgid "SSO sign-in failed. Please try again."
@@ -1017,6 +1002,9 @@ msgstr "Dies kann einige Sekunden dauern"
 msgid "This passkey is no longer associated with any identity."
 msgstr "Dieser Passkey ist mit keiner Identität mehr verknüpft."
 
+msgid "This SSO domain is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "Dieser YubiKey hat eine ältere Firmware (5.1), die inkompatibel ist."
 

src/frontend/src/lib/locales/en.po

@@ -25,14 +25,17 @@ msgstr "{application} has moved to the new Internet Identity"
 msgid "{displayName} account"
 msgstr "{displayName} account"
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
-msgstr "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} isn't set up for SSO with Internet Identity. The domain owner needs to publish /.well-known/ii-openid-configuration."
+msgstr "{domainInput} isn't set up for SSO with Internet Identity. The domain owner needs to publish /.well-known/ii-openid-configuration."
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
-msgstr "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
-msgstr "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO denied the sign-in. Try again, or check with your SSO admin."
+msgstr "{domainInput}'s SSO denied the sign-in. Try again, or check with your SSO admin."
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
+msgstr "{domainInput}'s SSO returned error \"{0}\"."
 
 msgid "{identityName} has been removed from this device."
 msgstr "{identityName} has been removed from this device."
@@ -241,6 +244,9 @@ msgstr "Continue with {name}"
 msgid "Continue with passkey"
 msgstr "Continue with passkey"
 
+msgid "Continue with SSO"
+msgstr "Continue with SSO"
+
 msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
 msgstr "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
 
@@ -830,9 +836,6 @@ msgstr "Session timed out"
 msgid "Set as default sign-in"
 msgstr "Set as default sign-in"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
-msgstr "Several SSO sign-ins are in flight already. Wait a moment and try again."
-
 msgid "Show all"
 msgstr "Show all"
 
@@ -851,9 +854,6 @@ msgstr "Sign in using familiar methods"
 msgid "Sign in with another identity"
 msgstr "Sign in with another identity"
 
-msgid "Sign in with SSO"
-msgstr "Sign in with SSO"
-
 msgid "Sign In With SSO"
 msgstr "Sign In With SSO"
 
@@ -903,23 +903,8 @@ msgstr "Source code"
 msgid "SSO"
 msgstr "SSO"
 
-msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
-msgstr "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
-
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr "SSO provider's discovery document is malformed: {msg}"
+msgid "SSO is not available for \"{domainInput}\" yet."
+msgstr "SSO is not available for \"{domainInput}\" yet."
 
 msgid "SSO sign-in failed. Please try again."
 msgstr "SSO sign-in failed. Please try again."
@@ -1017,6 +1002,9 @@ msgstr "This may take a few seconds"
 msgid "This passkey is no longer associated with any identity."
 msgstr "This passkey is no longer associated with any identity."
 
+msgid "This SSO domain is already linked to your identity."
+msgstr "This SSO domain is already linked to your identity."
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "This YubiKey has older firmware (5.1) that's incompatible."