Add and remove OpenID credentials from anchor

dfx.json

@@ -5,7 +5,7 @@
       "candid": "src/internet_identity/internet_identity.did",
       "wasm": "internet_identity.wasm.gz",
       "build": "bash -c 'II_DEV_CSP=1 II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=${II_DUMMY_CAPTCHA:-1} scripts/build'",
-      "init_arg": "(opt record { captcha_config = opt record { max_unsolved_captchas= 50:nat64; captcha_trigger = variant {Static = variant {CaptchaDisabled}}}})",
+      "init_arg": "(opt record { captcha_config = opt record { max_unsolved_captchas= 50:nat64; captcha_trigger = variant {Static = variant {CaptchaDisabled}}}; openid_google = opt opt record { client_id = \"45431994619-cbbfgtn7o0pp0dpfcg2l66bc4rcg7qbu.apps.googleusercontent.com\" }})",
       "shrink": false
     },
     "test_app": {

package.json

@@ -7,8 +7,8 @@
   "private": true,
   "license": "SEE LICENSE IN LICENSE.md",
   "scripts": {
-    "dev": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 II_OPENID_GOOGLE_CLIENT_ID=\"45431994619-cbbfgtn7o0pp0dpfcg2l66bc4rcg7qbu.apps.googleusercontent.com\" vite",
-    "host": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 II_OPENID_GOOGLE_CLIENT_ID=\"45431994619-cbbfgtn7o0pp0dpfcg2l66bc4rcg7qbu.apps.googleusercontent.com\" vite --host",
+    "dev": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 vite",
+    "host": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 vite --host",
     "showcase": "astro dev --root ./src/showcase",
     "build": "tsc --noEmit && vite build",
     "check": "tsc --project ./tsconfig.all.json --noEmit",

src/archive/archive.did

@@ -46,6 +46,12 @@ type Operation = variant {
         // Only the top level keys are archived for privacy reasons.
         metadata_keys: vec text;
     };
+    add_openid_credential: record {
+        iss: text;
+    };
+    remove_openid_credential: record {
+        iss: text;
+    };
 };
 
 type Entry = record {

src/canister_tests/src/api/archive.rs

@@ -80,6 +80,10 @@ pub mod compat {
         },
         #[serde(rename = "remove_device")]
         RemoveDevice { device: PublicKey },
+        #[serde(rename = "add_openid_credential")]
+        AddOpenIdCredential { iss: String },
+        #[serde(rename = "remove_openid_credential")]
+        RemoveOpenIdCredential { iss: String },
     }
 
     impl From<Operation> for CompatOperation {
@@ -98,7 +102,15 @@ pub mod compat {
                     new_device,
                 },
                 Operation::RemoveDevice { device } => CompatOperation::RemoveDevice { device },
-                Operation::IdentityMetadataReplace { .. } => panic!("not available in compat type"),
+                Operation::AddOpenIdCredential { iss } => {
+                    CompatOperation::AddOpenIdCredential { iss }
+                }
+                Operation::RemoveOpenIdCredential { iss } => {
+                    CompatOperation::RemoveOpenIdCredential { iss }
+                }
+                Operation::IdentityMetadataReplace { .. } => {
+                    panic!("not available in compat type")
+                }
             }
         }
     }

src/frontend/generated/internet_identity_idl.js

@@ -200,12 +200,23 @@ export const idlFactory = ({ IDL }) => {
     'purpose' : Purpose,
     'credential_id' : IDL.Opt(CredentialId),
   });
+  const Aud = IDL.Text;
+  const Iss = IDL.Text;
+  const Sub = IDL.Text;
+  const OpenIdCredential = IDL.Record({
+    'aud' : Aud,
+    'iss' : Iss,
+    'sub' : Sub,
+    'metadata' : MetadataMapV2,
+    'last_usage_timestamp' : Timestamp,
+  });
   const DeviceRegistrationInfo = IDL.Record({
     'tentative_device' : IDL.Opt(DeviceData),
     'expiration' : Timestamp,
   });
   const IdentityAnchorInfo = IDL.Record({
     'devices' : IDL.Vec(DeviceWithUsage),
+    'openid_credentials' : IDL.Opt(IDL.Vec(OpenIdCredential)),
     'device_registration' : IDL.Opt(DeviceRegistrationInfo),
   });
   const FrontendHostname = IDL.Text;
@@ -286,6 +297,7 @@ export const idlFactory = ({ IDL }) => {
     'authn_methods' : IDL.Vec(AuthnMethodData),
     'metadata' : MetadataMapV2,
     'authn_method_registration' : IDL.Opt(AuthnMethodRegistrationInfo),
+    'openid_credentials' : IDL.Opt(IDL.Vec(OpenIdCredential)),
   });
   const IdentityInfoError = IDL.Variant({
     'InternalCanisterError' : IDL.Text,
@@ -313,6 +325,20 @@ export const idlFactory = ({ IDL }) => {
     'AlreadyInProgress' : IDL.Null,
     'RateLimitExceeded' : IDL.Null,
   });
+  const JWT = IDL.Text;
+  const Salt = IDL.Vec(IDL.Nat8);
+  const OpenIdCredentialAddError = IDL.Variant({
+    'OpenIdCredentialAlreadyRegistered' : IDL.Null,
+    'InternalCanisterError' : IDL.Text,
+    'Unauthorized' : IDL.Principal,
+    'JwtVerificationFailed' : IDL.Null,
+  });
+  const OpenIdCredentialKey = IDL.Tuple(Iss, Sub);
+  const OpenIdCredentialRemoveError = IDL.Variant({
+    'InternalCanisterError' : IDL.Text,
+    'OpenIdCredentialNotFound' : IDL.Null,
+    'Unauthorized' : IDL.Principal,
+  });
   const UserKey = PublicKey;
   const PrepareIdAliasRequest = IDL.Record({
     'issuer' : FrontendHostname,
@@ -506,6 +532,16 @@ export const idlFactory = ({ IDL }) => {
       ),
     'init_salt' : IDL.Func([], [], []),
     'lookup' : IDL.Func([UserNumber], [IDL.Vec(DeviceData)], ['query']),
+    'openid_credential_add' : IDL.Func(
+        [IdentityNumber, JWT, Salt],
+        [IDL.Variant({ 'Ok' : IDL.Null, 'Err' : OpenIdCredentialAddError })],
+        [],
+      ),
+    'openid_credential_remove' : IDL.Func(
+        [IdentityNumber, OpenIdCredentialKey],
+        [IDL.Variant({ 'Ok' : IDL.Null, 'Err' : OpenIdCredentialRemoveError })],
+        [],
+      ),
     'prepare_delegation' : IDL.Func(
         [UserNumber, FrontendHostname, SessionKey, IDL.Opt(IDL.Nat64)],
         [UserKey, Timestamp],

src/frontend/generated/internet_identity_types.d.ts

@@ -27,6 +27,7 @@ export interface ArchiveInfo {
   'archive_config' : [] | [ArchiveConfig],
   'archive_canister' : [] | [Principal],
 }
+export type Aud = string;
 export type AuthnMethod = { 'PubKey' : PublicKeyAuthn } |
   { 'WebAuthn' : WebAuthn };
 export type AuthnMethodAddError = { 'InvalidMetadata' : string };
@@ -175,6 +176,7 @@ export type IdRegStartError = { 'InvalidCaller' : null } |
   { 'RateLimitExceeded' : null };
 export interface IdentityAnchorInfo {
   'devices' : Array<DeviceWithUsage>,
+  'openid_credentials' : [] | [Array<OpenIdCredential>],
   'device_registration' : [] | [DeviceRegistrationInfo],
 }
 export interface IdentityAuthnInfo {
@@ -185,6 +187,7 @@ export interface IdentityInfo {
   'authn_methods' : Array<AuthnMethodData>,
   'metadata' : MetadataMapV2,
   'authn_method_registration' : [] | [AuthnMethodRegistrationInfo],
+  'openid_credentials' : [] | [Array<OpenIdCredential>],
 }
 export type IdentityInfoError = { 'InternalCanisterError' : string } |
   { 'Unauthorized' : Principal };
@@ -216,6 +219,8 @@ export interface InternetIdentityStats {
   'canister_creation_cycles_cost' : bigint,
   'event_aggregations' : Array<[string, Array<[string, bigint]>]>,
 }
+export type Iss = string;
+export type JWT = string;
 export type KeyType = { 'platform' : null } |
   { 'seed_phrase' : null } |
   { 'cross_platform' : null } |
@@ -238,6 +243,23 @@ export type MetadataMapV2 = Array<
   ]
 >;
 export interface OpenIdConfig { 'client_id' : string }
+export interface OpenIdCredential {
+  'aud' : Aud,
+  'iss' : Iss,
+  'sub' : Sub,
+  'metadata' : MetadataMapV2,
+  'last_usage_timestamp' : Timestamp,
+}
+export type OpenIdCredentialAddError = {
+    'OpenIdCredentialAlreadyRegistered' : null
+  } |
+  { 'InternalCanisterError' : string } |
+  { 'Unauthorized' : Principal } |
+  { 'JwtVerificationFailed' : null };
+export type OpenIdCredentialKey = [Iss, Sub];
+export type OpenIdCredentialRemoveError = { 'InternalCanisterError' : string } |
+  { 'OpenIdCredentialNotFound' : null } |
+  { 'Unauthorized' : Principal };
 export type PrepareIdAliasError = { 'InternalCanisterError' : string } |
   { 'Unauthorized' : Principal };
 export interface PrepareIdAliasRequest {
@@ -265,6 +287,7 @@ export type RegistrationFlowNextStep = {
     'CheckCaptcha' : { 'captcha_png_base64' : string }
   } |
   { 'Finish' : null };
+export type Salt = Uint8Array | number[];
 export type SessionKey = PublicKey;
 export interface SignedDelegation {
   'signature' : Uint8Array | number[],
@@ -282,6 +305,7 @@ export interface StreamingCallbackHttpResponse {
 export type StreamingStrategy = {
     'Callback' : { 'token' : Token, 'callback' : [Principal, string] }
   };
+export type Sub = string;
 export type Timestamp = bigint;
 export type Token = {};
 export type UserKey = PublicKey;
@@ -404,6 +428,16 @@ export interface _SERVICE {
   >,
   'init_salt' : ActorMethod<[], undefined>,
   'lookup' : ActorMethod<[UserNumber], Array<DeviceData>>,
+  'openid_credential_add' : ActorMethod<
+    [IdentityNumber, JWT, Salt],
+    { 'Ok' : null } |
+      { 'Err' : OpenIdCredentialAddError }
+  >,
+  'openid_credential_remove' : ActorMethod<
+    [IdentityNumber, OpenIdCredentialKey],
+    { 'Ok' : null } |
+      { 'Err' : OpenIdCredentialRemoveError }
+  >,
   'prepare_delegation' : ActorMethod<
     [UserNumber, FrontendHostname, SessionKey, [] | [bigint]],
     [UserKey, Timestamp]

src/frontend/src/environment.ts

@@ -5,5 +5,3 @@ export const VERSION = import.meta.env.II_VERSION ?? "";
 export const FETCH_ROOT_KEY = import.meta.env.II_FETCH_ROOT_KEY === "1";
 export const DUMMY_AUTH = import.meta.env.II_DUMMY_AUTH === "1";
 export const DUMMY_CAPTCHA = import.meta.env.II_DUMMY_CAPTCHA === "1";
-export const II_OPENID_GOOGLE_CLIENT_ID = import.meta.env
-  .II_OPENID_GOOGLE_CLIENT_ID;