From 387d4630e6ecb5dd75d48805ee6b8f9aa3b17f41 Mon Sep 17 00:00:00 2001 From: "pr-automation-bot-public[bot]" Date: Tue, 23 Jun 2026 10:19:24 +0000 Subject: [PATCH] chore: sync II spec to dfinity/internet-identity release-2026-06-20 --- .sources/VERSIONS | 2 +- .sources/internetidentity | 2 +- public/references/internet-identity.did | 112 +++++++++++++++--------- 3 files changed, 73 insertions(+), 43 deletions(-) diff --git a/.sources/VERSIONS b/.sources/VERSIONS index b4c62a3..03e4914 100644 --- a/.sources/VERSIONS +++ b/.sources/VERSIONS @@ -62,4 +62,4 @@ motoko-core v2.4.0 cdk-rs ic-cdk v0.20.1 / ic-cdk-timers v1.0.0 / ic-cdk-executor v2.0.0 317f55c candid 2025-12-18 # candid v0.10.20, didc v0.5.4 2e4a2cf response-verification v3.1.0 18c5a37 -internetidentity release-2026-06-15 1f4104b5 +internetidentity release-2026-06-20 66bd7bcf diff --git a/.sources/internetidentity b/.sources/internetidentity index 1f4104b..66bd7bc 160000 --- a/.sources/internetidentity +++ b/.sources/internetidentity @@ -1 +1 @@ -Subproject commit 1f4104b53ddaecf745426769e895013168591b17 +Subproject commit 66bd7bcf6350f51811057f4c4dae1ff12aa67b8c diff --git a/public/references/internet-identity.did b/public/references/internet-identity.did index e617bd2..ec4a562 100644 --- a/public/references/internet-identity.did +++ b/public/references/internet-identity.did @@ -247,10 +247,8 @@ type CaptchaConfig = record { }; // One entry of the `sso_credential_migration` backfill. Maps the -// (iss, aud) pair of stored SSO credentials to the discovery domain (and -// optional human-readable name) they were registered through. Field names -// match the `discovered_oidc_configs` query output so the deployer can -// transcribe its result field-for-field. +// (iss, aud) pair of a stored SSO credential to the discovery domain and +// optional human-readable name it resolves to. type SsoCredentialMigrationEntry = record { discovery_domain : text; // Matches the stored credential's `iss`. 
@@ -295,20 +293,17 @@ type InternetIdentityInit = record { new_flow_origins : opt vec text; // Configurations for OpenID clients openid_configs : opt vec OpenIdConfig; - // Allowlist of domains that may be registered as discoverable SSO - // providers via `add_discoverable_oidc_config`. When set, fully replaces - // the built-in defaults. When unset, falls back to `dfinity.org` - // (production) or `beta.dfinity.org` (everything else), keyed off - // `is_production`. + // Allowlist of domains that may be used as discoverable SSO providers. + // When set, fully replaces the built-in defaults. When unset, falls back + // to `dfinity.org` (production) or `beta.dfinity.org` (everything else), + // keyed off `is_production`. sso_discoverable_domains : opt vec text; // One-shot backfill of the `sso_domain` / `sso_name` fields on stored // OpenID credentials. When set, a batched timer-driven migration stamps // every stored credential whose (iss, aud) matches an entry and whose // `sso_domain` is not set yet. Idempotent — already-stamped credentials // are skipped, so re-submitting (e.g. with a corrected list) is safe. - // When unset, no backfill runs. The deployer builds the list from the - // running canister's `discovered_oidc_configs` query before - // submitting the upgrade proposal. + // When unset, no backfill runs. sso_credential_migration : opt vec SsoCredentialMigrationEntry; // Configuration for Web Analytics analytics_config : opt opt AnalyticsConfig; 
@@ -469,21 +464,25 @@ type OpenIdConfig = record { seed_jwks : opt vec vec record { text; text }; }; -// SSO provider config that uses two-hop discovery. -// The backend fetches https://{discovery_domain}/.well-known/ii-openid-configuration -// for { client_id, openid_configuration } and then fetches the standard OIDC -// discovery at openid_configuration for { issuer, jwks_uri }. -type DiscoverableOidcConfig = record { +// Fully resolved SSO discovery result for the sign-in initiation flow, +// returned by `discover_sso` / `discover_sso_query`. The canister resolves it +// from the domain's two-hop discovery documents, on demand and cached. +type SsoDiscovery = record { discovery_domain : text; + client_id : text; + issuer : text; + authorization_endpoint : text; + scopes : vec text; + name : opt text; }; -// Resolved SSO provider state. -// All fields other than discovery_domain are None until discovery completes. -type OidcConfig = record { - discovery_domain : text; - client_id : opt text; - openid_configuration : opt text; - issuer : opt text; +// State of a domain's SSO discovery, read by `get_sso_discovery`. A failed +// fetch isn't a distinct state — it reads as `Pending` and the frontend times +// out — so the states are resolved, in flight, or not allowed. +type SsoDiscoveryState = variant { + Resolved : SsoDiscovery; + Pending; + NotAllowed; }; type OpenIdCredentialKey = record { Iss; Sub; Aud }; 
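Review bot: `SsoDiscoveryState` folds a failed discovery fetch into `Pending` (its own comment says so), so a client polling `get_sso_discovery` cannot tell "still fetching" from "the domain's discovery document was unreachable or malformed", and the only signal it ever gets is a frontend timeout. A terminal arm such as `Failed : text;` — or at least a documented retry/abort policy on the variant — would let callers stop polling and surface the cause. Separately, `SsoDiscovery.authorization_endpoint` is a URL the frontend will presumably send the user to; the record's doc comment should state what the canister guarantees about it (that it was obtained through the allowlisted `discovery_domain`'s documents, and whether an `https` scheme is enforced), since consumers currently have no stated contract for it.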
@@ -503,10 +502,8 @@ type OpenIdCredential = record { aud : Aud; last_usage_timestamp : opt Timestamp; metadata : MetadataMapV2; - // SSO discovery domain, looked up by `(iss, aud)` against the - // canister's registered discoverable OIDC configs. `None` for - // direct-provider credentials (Google / Apple / Microsoft) and for - // SSO credentials whose provider is no longer registered. + // SSO discovery domain this credential was verified through. `None` for + // direct-provider credentials (Google / Apple / Microsoft). sso_domain : opt text; // Human-readable SSO name from the domain's // `/.well-known/ii-openid-configuration`. `None` when the domain @@ -853,6 +850,9 @@ type OpenIDRegFinishArg = record { jwt : JWT; salt : Salt; name : text; + // SSO discovery domain the JWT was obtained through, or null for a direct + // provider (Google / Microsoft / Apple). Selects the JWK source. + discovery_domain : opt text; }; // Extra information about registration status for new authentication methods @@ -1037,6 +1037,17 @@ type PrepareAccountDelegation = record { expiration : Timestamp; }; +type SessionDelegationError = variant { + InternalCanisterError : text; + Unauthorized : principal; + NoSuchDelegation; +}; + +type PrepareSessionDelegation = record { + user_key : UserKey; + expiration : Timestamp; +}; + type GetAccountsError = variant { InternalCanisterError : text; Unauthorized : principal; 
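Review bot: The new `discovery_domain : opt text` on `OpenIDRegFinishArg` is caller-supplied and, per its comment, "Selects the JWK source", but nothing in the hunk states that the value is checked against `sso_discoverable_domains` or that the JWT's `iss`/`aud` must match the config resolved for that domain; a caller-chosen key set that is not bound to the token's claims would undermine signature verification. If the canister enforces both (likely, given the `NotAllowed` state elsewhere in this patch), say so here, e.g. `// Must be an allowlisted domain; the JWT's iss/aud are verified against the config resolved for it.` The same wording is needed for the trailing `opt text` added to `openid_credential_add`, `openid_prepare_delegation` and `openid_get_delegation` in the service hunk.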
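Review bot: `SessionDelegationError` and `PrepareSessionDelegation` are added without a doc comment, unlike most types in this file; nothing says what a session delegation is, how it differs from the account delegation types directly above, or when `NoSuchDelegation` is returned (presumably when `get_session_delegation` is called before `prepare_session_delegation` or after the prepared delegation expired — confirm). A short comment above each type naming the flow (`prepare_session_delegation` → `get_session_delegation`) and the meaning of `expiration` would make the records self-describing.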
@@ -1214,10 +1225,10 @@ type PrepareAttributeRequest = record { // or `sso:` (e.g. `sso:dfinity.org:email`). // // Each linked credential is addressable via exactly one scope: - // credentials obtained through a `DiscoverableOidcConfig` (two-hop SSO - // discovery) are reachable only via `sso:`; credentials from - // hardcoded OIDC providers (Google, Microsoft, …) are reachable only via - // `openid:`. Under `sso:` only `email` and `name` are supported; + // credentials obtained through SSO two-hop discovery are reachable only + // via `sso:`; credentials from hardcoded OIDC providers (Google, + // Microsoft, …) are reachable only via `openid:`. Under `sso:` + // only `email` and `name` are supported; // under `openid:` `email`, `name`, and `verified_email` are supported. attribute_keys : vec text; }; 
@@ -1549,11 +1560,23 @@ service : (opt InternetIdentityInit) -> { // OpenID credentials protocol // =========================== - openid_identity_registration_finish : (OpenIDRegFinishArg) -> (variant { Ok : IdRegFinishResult; Err : IdRegFinishError }); - openid_credential_add : (IdentityNumber, JWT, Salt) -> (variant { Ok; Err : OpenIdCredentialAddError }); + openid_identity_registration_finish : (OpenIDRegFinishArg) -> (variant { Ok : IdRegFinishResult; Pending; Err : IdRegFinishError }); + // The trailing `opt text` is the SSO discovery domain (null for a direct + // provider). For SSO sign-ins a cold discovery/JWKS cache yields the + // `Pending` result arm — a retry signal, not an error: the caller re-calls + // the method (and for delegations, polls `openid_get_delegation`, re-calling + // `openid_prepare_delegation` on a `Pending` poll result). + openid_credential_add : (IdentityNumber, JWT, Salt, opt text) -> (variant { Ok; Pending; Err : OpenIdCredentialAddError }); openid_credential_remove : (IdentityNumber, OpenIdCredentialKey) -> (variant { Ok; Err : OpenIdCredentialRemoveError }); - openid_prepare_delegation : (JWT, Salt, SessionKey) -> (variant { Ok : OpenIdPrepareDelegationResponse; Err : OpenIdDelegationError }); - openid_get_delegation : (JWT, Salt, SessionKey, Timestamp) -> (variant { Ok : SignedDelegation; Err : OpenIdDelegationError }) query; + openid_prepare_delegation : (JWT, Salt, SessionKey, opt text) -> (variant { Ok : OpenIdPrepareDelegationResponse; Pending; Err : OpenIdDelegationError }); + openid_get_delegation : (JWT, Salt, SessionKey, Timestamp, opt text) -> (variant { Ok : SignedDelegation; Pending; Err : OpenIdDelegationError }) query; + + // SSO discovery for the sign-in initiation flow. The frontend polls + // `get_sso_discovery` (query) and, while it reads `Pending`, drives the + // on-demand two-hop discovery fetch with `discover_sso` (update); once the + // fetch completes the query returns `Resolved` with the config. 
+ discover_sso : (text) -> (); + get_sso_discovery : (text) -> (SsoDiscoveryState) query; // Email-recovery protocol // ======================= @@ -1601,11 +1624,6 @@ service : (opt InternetIdentityInit) -> { // ===================== http_request : (request : HttpRequest) -> (HttpResponse) query; - // OIDC Discovery - // =============== - discovered_oidc_configs : () -> (vec OidcConfig) query; - add_discoverable_oidc_config : (DiscoverableOidcConfig) -> (); - // Internal Methods // ================ init_salt : () -> (); @@ -1658,6 +1676,18 @@ service : (opt InternetIdentityInit) -> { expiration : Timestamp ) -> (variant { Ok : SignedDelegation; Err : AccountDelegationError }) query; + prepare_session_delegation : ( + anchor_number : UserNumber, + session_key : SessionKey, + max_ttl : opt nat64 + ) -> (variant { Ok : PrepareSessionDelegation; Err : SessionDelegationError }); + + get_session_delegation : ( + anchor_number : UserNumber, + session_key : SessionKey, + expiration : Timestamp + ) -> (variant { Ok : SignedDelegation; Err : SessionDelegationError }) query; + get_default_account : ( anchor_number : UserNumber, origin : FrontendHostname,
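Review bot: `discover_sso : (text) -> ()` returns nothing, so a caller that passes a domain outside `sso_discoverable_domains`, or whose fetch fails, learns this only by polling `get_sso_discovery` — and, per the `SsoDiscoveryState` comment earlier in the patch, a failed fetch reads as `Pending` indefinitely. Returning the resulting state, `discover_sso : (text) -> (SsoDiscoveryState);`, would let the frontend stop polling on `NotAllowed`, and the comment should state that the allowlist check happens before any outbound fetch, since the update method is callable by anyone. The `Pending`/`opt text` comment block is attached to `openid_credential_add` although `openid_identity_registration_finish` two lines earlier gets the same arm; placing it under the section header would cover all four methods. The enclosing `service` definition starts and ends outside this hunk.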
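Review bot: `prepare_session_delegation` takes `max_ttl : opt nat64` but neither the method nor `PrepareSessionDelegation` states its unit, the default applied when it is absent, or the cap the canister enforces — the delegation lifetime is the main security parameter of this call. A comment such as `// max_ttl: requested lifetime in <unit>; omitted or above the canister maximum is clamped to the maximum` (with the real unit and cap filled in) would pin the contract. Both new methods also lack the authorization statement that the `Unauthorized : principal` arm of `SessionDelegationError` implies; say which caller may invoke them for a given `anchor_number`. The enclosing `service` definition starts and ends outside this hunk.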