chore: sync II spec to dfinity/internet-identity release-2026-06-20

.sources/VERSIONS

@@ -62,4 +62,4 @@ motoko-core           v2.4.0
 cdk-rs                ic-cdk v0.20.1 / ic-cdk-timers v1.0.0 / ic-cdk-executor v2.0.0  317f55c
 candid                2025-12-18  # candid v0.10.20, didc v0.5.4                2e4a2cf
 response-verification v3.1.0                                                    18c5a37
-internetidentity      release-2026-06-15                                         1f4104b5
+internetidentity      release-2026-06-20                                         66bd7bcf

public/references/internet-identity.did

@@ -247,10 +247,8 @@ type CaptchaConfig = record {
 };
 
 // One entry of the `sso_credential_migration` backfill. Maps the
-// (iss, aud) pair of stored SSO credentials to the discovery domain (and
-// optional human-readable name) they were registered through. Field names
-// match the `discovered_oidc_configs` query output so the deployer can
-// transcribe its result field-for-field.
+// (iss, aud) pair of a stored SSO credential to the discovery domain and
+// optional human-readable name it resolves to.
 type SsoCredentialMigrationEntry = record {
     discovery_domain : text;
     // Matches the stored credential's `iss`.
@@ -295,20 +293,17 @@ type InternetIdentityInit = record {
     new_flow_origins : opt vec text;
     // Configurations for OpenID clients
     openid_configs : opt vec OpenIdConfig;
-    // Allowlist of domains that may be registered as discoverable SSO
-    // providers via `add_discoverable_oidc_config`. When set, fully replaces
-    // the built-in defaults. When unset, falls back to `dfinity.org`
-    // (production) or `beta.dfinity.org` (everything else), keyed off
-    // `is_production`.
+    // Allowlist of domains that may be used as discoverable SSO providers.
+    // When set, fully replaces the built-in defaults. When unset, falls back
+    // to `dfinity.org` (production) or `beta.dfinity.org` (everything else),
+    // keyed off `is_production`.
     sso_discoverable_domains : opt vec text;
     // One-shot backfill of the `sso_domain` / `sso_name` fields on stored
     // OpenID credentials. When set, a batched timer-driven migration stamps
     // every stored credential whose (iss, aud) matches an entry and whose
     // `sso_domain` is not set yet. Idempotent — already-stamped credentials
     // are skipped, so re-submitting (e.g. with a corrected list) is safe.
-    // When unset, no backfill runs. The deployer builds the list from the
-    // running canister's `discovered_oidc_configs` query before
-    // submitting the upgrade proposal.
+    // When unset, no backfill runs.
     sso_credential_migration : opt vec SsoCredentialMigrationEntry;
     // Configuration for Web Analytics
     analytics_config : opt opt AnalyticsConfig;
@@ -469,21 +464,25 @@ type OpenIdConfig = record {
     seed_jwks : opt vec vec record { text; text };
 };
 
-// SSO provider config that uses two-hop discovery.
-// The backend fetches https://{discovery_domain}/.well-known/ii-openid-configuration
-// for { client_id, openid_configuration } and then fetches the standard OIDC
-// discovery at openid_configuration for { issuer, jwks_uri }.
-type DiscoverableOidcConfig = record {
+// Fully resolved SSO discovery result for the sign-in initiation flow,
+// returned by `discover_sso` / `discover_sso_query`. The canister resolves it
+// from the domain's two-hop discovery documents, on demand and cached.
+type SsoDiscovery = record {
     discovery_domain : text;
+    client_id : text;
+    issuer : text;
+    authorization_endpoint : text;
+    scopes : vec text;
+    name : opt text;
 };
 
-// Resolved SSO provider state.
-// All fields other than discovery_domain are None until discovery completes.
-type OidcConfig = record {
-    discovery_domain : text;
-    client_id : opt text;
-    openid_configuration : opt text;
-    issuer : opt text;
+// State of a domain's SSO discovery, read by `get_sso_discovery`. A failed
+// fetch isn't a distinct state — it reads as `Pending` and the frontend times
+// out — so the states are resolved, in flight, or not allowed.
+type SsoDiscoveryState = variant {
+    Resolved : SsoDiscovery;
+    Pending;
+    NotAllowed;
 };
 
 type OpenIdCredentialKey = record { Iss; Sub; Aud };
@@ -503,10 +502,8 @@ type OpenIdCredential = record {
     aud : Aud;
     last_usage_timestamp : opt Timestamp;
     metadata : MetadataMapV2;
-    // SSO discovery domain, looked up by `(iss, aud)` against the
-    // canister's registered discoverable OIDC configs. `None` for
-    // direct-provider credentials (Google / Apple / Microsoft) and for
-    // SSO credentials whose provider is no longer registered.
+    // SSO discovery domain this credential was verified through. `None` for
+    // direct-provider credentials (Google / Apple / Microsoft).
     sso_domain : opt text;
     // Human-readable SSO name from the domain's
     // `/.well-known/ii-openid-configuration`. `None` when the domain
@@ -853,6 +850,9 @@ type OpenIDRegFinishArg = record {
     jwt : JWT;
     salt : Salt;
     name : text;
+    // SSO discovery domain the JWT was obtained through, or null for a direct
+    // provider (Google / Microsoft / Apple). Selects the JWK source.
+    discovery_domain : opt text;
 };
 
 // Extra information about registration status for new authentication methods
@@ -1037,6 +1037,17 @@ type PrepareAccountDelegation = record {
     expiration : Timestamp;
 };
 
+type SessionDelegationError = variant {
+    InternalCanisterError : text;
+    Unauthorized : principal;
+    NoSuchDelegation;
+};
+
+type PrepareSessionDelegation = record {
+    user_key : UserKey;
+    expiration : Timestamp;
+};
+
 type GetAccountsError = variant {
     InternalCanisterError : text;
     Unauthorized : principal;
@@ -1214,10 +1225,10 @@ type PrepareAttributeRequest = record {
     // or `sso:<domain>` (e.g. `sso:dfinity.org:email`).
     //
     // Each linked credential is addressable via exactly one scope:
-    // credentials obtained through a `DiscoverableOidcConfig` (two-hop SSO
-    // discovery) are reachable only via `sso:<domain>`; credentials from
-    // hardcoded OIDC providers (Google, Microsoft, …) are reachable only via
-    // `openid:<issuer>`. Under `sso:` only `email` and `name` are supported;
+    // credentials obtained through SSO two-hop discovery are reachable only
+    // via `sso:<domain>`; credentials from hardcoded OIDC providers (Google,
+    // Microsoft, …) are reachable only via `openid:<issuer>`. Under `sso:`
+    // only `email` and `name` are supported;
     // under `openid:` `email`, `name`, and `verified_email` are supported.
     attribute_keys : vec text;
 };
@@ -1549,11 +1560,23 @@ service : (opt InternetIdentityInit) -> {
 
     // OpenID credentials protocol
     // ===========================
-    openid_identity_registration_finish : (OpenIDRegFinishArg) -> (variant { Ok : IdRegFinishResult; Err : IdRegFinishError });
-    openid_credential_add : (IdentityNumber, JWT, Salt) -> (variant { Ok; Err : OpenIdCredentialAddError });
+    openid_identity_registration_finish : (OpenIDRegFinishArg) -> (variant { Ok : IdRegFinishResult; Pending; Err : IdRegFinishError });
+    // The trailing `opt text` is the SSO discovery domain (null for a direct
+    // provider). For SSO sign-ins a cold discovery/JWKS cache yields the
+    // `Pending` result arm — a retry signal, not an error: the caller re-calls
+    // the method (and for delegations, polls `openid_get_delegation`, re-calling
+    // `openid_prepare_delegation` on a `Pending` poll result).
+    openid_credential_add : (IdentityNumber, JWT, Salt, opt text) -> (variant { Ok; Pending; Err : OpenIdCredentialAddError });
     openid_credential_remove : (IdentityNumber, OpenIdCredentialKey) -> (variant { Ok; Err : OpenIdCredentialRemoveError });
-    openid_prepare_delegation : (JWT, Salt, SessionKey) -> (variant { Ok : OpenIdPrepareDelegationResponse; Err : OpenIdDelegationError });
-    openid_get_delegation : (JWT, Salt, SessionKey, Timestamp) -> (variant { Ok : SignedDelegation; Err : OpenIdDelegationError }) query;
+    openid_prepare_delegation : (JWT, Salt, SessionKey, opt text) -> (variant { Ok : OpenIdPrepareDelegationResponse; Pending; Err : OpenIdDelegationError });
+    openid_get_delegation : (JWT, Salt, SessionKey, Timestamp, opt text) -> (variant { Ok : SignedDelegation; Pending; Err : OpenIdDelegationError }) query;
+
+    // SSO discovery for the sign-in initiation flow. The frontend polls
+    // `get_sso_discovery` (query) and, while it reads `Pending`, drives the
+    // on-demand two-hop discovery fetch with `discover_sso` (update); once the
+    // fetch completes the query returns `Resolved` with the config.
+    discover_sso : (text) -> ();
+    get_sso_discovery : (text) -> (SsoDiscoveryState) query;
 
     // Email-recovery protocol
     // =======================
@@ -1601,11 +1624,6 @@ service : (opt InternetIdentityInit) -> {
     // =====================
     http_request : (request : HttpRequest) -> (HttpResponse) query;
 
-    // OIDC Discovery
-    // ===============
-    discovered_oidc_configs : () -> (vec OidcConfig) query;
-    add_discoverable_oidc_config : (DiscoverableOidcConfig) -> ();
-
     // Internal Methods
     // ================
     init_salt : () -> ();
@@ -1658,6 +1676,18 @@ service : (opt InternetIdentityInit) -> {
         expiration : Timestamp
     ) -> (variant { Ok : SignedDelegation; Err : AccountDelegationError }) query;
 
+    prepare_session_delegation : (
+        anchor_number : UserNumber,
+        session_key : SessionKey,
+        max_ttl : opt nat64
+    ) -> (variant { Ok : PrepareSessionDelegation; Err : SessionDelegationError });
+
+    get_session_delegation : (
+        anchor_number : UserNumber,
+        session_key : SessionKey,
+        expiration : Timestamp
+    ) -> (variant { Ok : SignedDelegation; Err : SessionDelegationError }) query;
+
     get_default_account : (
         anchor_number : UserNumber,
         origin : FrontendHostname,