Add and remove OpenID credentials from anchor

src/canister_tests/src/api/archive.rs

@@ -98,7 +98,11 @@ pub mod compat {
                     new_device,
                 },
                 Operation::RemoveDevice { device } => CompatOperation::RemoveDevice { device },
-                Operation::IdentityMetadataReplace { .. } => panic!("not available in compat type"),
+                Operation::IdentityMetadataReplace { .. }
+                | Operation::AddOpenIdCredential { .. }
+                | Operation::RemoveOpenIdCredential { .. } => {
+                    panic!("not available in compat type")
+                }
             }
         }
     }

src/frontend/generated/internet_identity_idl.js

@@ -200,12 +200,21 @@ export const idlFactory = ({ IDL }) => {
     'purpose' : Purpose,
     'credential_id' : IDL.Opt(CredentialId),
   });
+  const OpenIdCredential = IDL.Record({
+    'aud' : IDL.Text,
+    'iss' : IDL.Text,
+    'sub' : IDL.Text,
+    'delegation_principal' : IDL.Principal,
+    'metadata' : MetadataMapV2,
+    'last_usage_timestamp' : Timestamp,
+  });
   const DeviceRegistrationInfo = IDL.Record({
     'tentative_device' : IDL.Opt(DeviceData),
     'expiration' : Timestamp,
   });
   const IdentityAnchorInfo = IDL.Record({
     'devices' : IDL.Vec(DeviceWithUsage),
+    'openid_credentials' : IDL.Vec(OpenIdCredential),
     'device_registration' : IDL.Opt(DeviceRegistrationInfo),
   });
   const FrontendHostname = IDL.Text;

src/frontend/generated/internet_identity_types.d.ts

@@ -175,6 +175,7 @@ export type IdRegStartError = { 'InvalidCaller' : null } |
   { 'RateLimitExceeded' : null };
 export interface IdentityAnchorInfo {
   'devices' : Array<DeviceWithUsage>,
+  'openid_credentials' : Array<OpenIdCredential>,
   'device_registration' : [] | [DeviceRegistrationInfo],
 }
 export interface IdentityAuthnInfo {
@@ -238,6 +239,14 @@ export type MetadataMapV2 = Array<
   ]
 >;
 export interface OpenIdConfig { 'client_id' : string }
+export interface OpenIdCredential {
+  'aud' : string,
+  'iss' : string,
+  'sub' : string,
+  'delegation_principal' : Principal,
+  'metadata' : MetadataMapV2,
+  'last_usage_timestamp' : Timestamp,
+}
 export type PrepareIdAliasError = { 'InternalCanisterError' : string } |
   { 'Unauthorized' : Principal };
 export interface PrepareIdAliasRequest {

src/internet_identity/internet_identity.did

@@ -293,6 +293,8 @@ type IdentityAnchorInfo = record {
     devices : vec DeviceWithUsage;
     // Device registration status used when adding devices, see DeviceRegistrationInfo
     device_registration: opt DeviceRegistrationInfo;
+    // OpenID accounts linked to this anchor
+    openid_credentials: vec OpenIdCredential;
 };
 
 type AnchorCredentials = record {
@@ -327,6 +329,15 @@ type OpenIdConfig = record {
     client_id: text;
 };
 
+type OpenIdCredential = record {
+    iss: text;
+    sub: text;
+    aud: text;
+    delegation_principal: principal;
+    last_usage_timestamp: Timestamp;
+    metadata: MetadataMapV2;
+};
+
 // API V2 specific types
 // WARNING: These type are experimental and may change in the future.
 

src/internet_identity/src/anchor_management.rs

@@ -1,23 +1,36 @@
 use crate::archive::{archive_operation, device_diff};
+use crate::openid::OpenIdCredential;
 use crate::state::RegistrationState::DeviceTentativelyAdded;
 use crate::state::TentativeDeviceRegistration;
 use crate::storage::anchor::{Anchor, AnchorError, Device};
 use crate::{state, stats::activity_stats};
 use ic_cdk::api::time;
 use ic_cdk::{caller, trap};
 use internet_identity_interface::archive::types::{DeviceDataWithoutAlias, Operation};
-use internet_identity_interface::internet_identity::types::*;
+use internet_identity_interface::internet_identity::types::openid::OpenIdCredentialData;
+use internet_identity_interface::internet_identity::types::{
+    AnchorNumber, DeviceData, DeviceKey, DeviceRegistrationInfo, DeviceWithUsage,
+    IdentityAnchorInfo, MetadataEntry,
+};
 use std::collections::HashMap;
 
 pub mod registration;
 pub mod tentative_device_registration;
 
 pub fn get_anchor_info(anchor_number: AnchorNumber) -> IdentityAnchorInfo {
-    let devices = state::anchor(anchor_number)
-        .into_devices()
+    let anchor = state::anchor(anchor_number);
+    let devices = anchor
+        .devices()
+        .clone()
         .into_iter()
         .map(DeviceWithUsage::from)
         .collect();
+    let openid_credentials = anchor
+        .openid_credentials()
+        .clone()
+        .into_iter()
+        .map(OpenIdCredentialData::from)
+        .collect();
     let now = time();
 
     state::tentative_device_registrations(|tentative_device_registrations| {
@@ -34,6 +47,7 @@ pub fn get_anchor_info(anchor_number: AnchorNumber) -> IdentityAnchorInfo {
                     expiration: *expiration,
                     tentative_device: Some(tentative_device.clone()),
                 }),
+                openid_credentials,
             },
             Some(TentativeDeviceRegistration { expiration, .. }) if *expiration > now => {
                 IdentityAnchorInfo {
@@ -42,11 +56,13 @@ pub fn get_anchor_info(anchor_number: AnchorNumber) -> IdentityAnchorInfo {
                         expiration: *expiration,
                         tentative_device: None,
                     }),
+                    openid_credentials,
                 }
             }
             None | Some(_) => IdentityAnchorInfo {
                 devices,
                 device_registration: None,
+                openid_credentials,
             },
         }
     })
@@ -81,7 +97,7 @@ pub fn post_operation_bookkeeping(anchor_number: AnchorNumber, operation: Operat
 
 /// Adds a device to the given anchor and returns the operation to be archived.
 /// Panics if this operation violates anchor constraints (see [Anchor]).
-pub fn add(anchor: &mut Anchor, device_data: DeviceData) -> Operation {
+pub fn add_device(anchor: &mut Anchor, device_data: DeviceData) -> Operation {
     let new_device = Device::from(device_data);
     anchor
         .add_device(new_device.clone())
@@ -96,7 +112,11 @@ pub fn add(anchor: &mut Anchor, device_data: DeviceData) -> Operation {
 /// Panics if
 /// * the device to be updated does not exist
 /// * the operation violates anchor constraints (see [Anchor])
-pub fn update(anchor: &mut Anchor, device_key: DeviceKey, device_data: DeviceData) -> Operation {
+pub fn update_device(
+    anchor: &mut Anchor,
+    device_key: DeviceKey,
+    device_data: DeviceData,
+) -> Operation {
     let Some(existing_device) = anchor.device(&device_key) else {
         trap("Could not find device to update, check device key")
     };
@@ -119,7 +139,7 @@ pub fn update(anchor: &mut Anchor, device_key: DeviceKey, device_data: DeviceDat
 /// Panics if
 /// * the device to be replaced does not exist
 /// * the operation violates anchor constraints (see [Anchor])
-pub fn replace(
+pub fn replace_device(
     anchor_number: AnchorNumber,
     anchor: &mut Anchor,
     old_device: DeviceKey,
@@ -142,7 +162,7 @@ pub fn replace(
 
 /// Removes a device of the given anchor and returns the operation to be archived.
 /// Panics if the device to be removed does not exist
-pub fn remove(
+pub fn remove_device(
     anchor_number: AnchorNumber,
     anchor: &mut Anchor,
     device_key: DeviceKey,
@@ -165,3 +185,28 @@ pub fn identity_metadata_replace(
     anchor.replace_identity_metadata(metadata)?;
     Ok(Operation::IdentityMetadataReplace { metadata_keys })
 }
+
+/// Adds an `OpenIdCredential` to the given anchor and returns the operation to be archived.
+/// Returns an error if the `OpenIdCredential` already exists.
+#[allow(unused)]
+pub fn add_openid_credential(
+    anchor: &mut Anchor,
+    openid_credential: OpenIdCredential,
+) -> Result<Operation, AnchorError> {
+    anchor.add_openid_credential(openid_credential.clone())?;
+    Ok(Operation::AddOpenIdCredential {
+        iss: openid_credential.iss,
+    })
+}
+
+/// Removes an `OpenIdCredential` of the given anchor and returns the operation to be archived.
+/// Return an error if the `OpenIdCredential` to be removed does not exist.
+#[allow(unused)]
+pub fn remove_openid_credential(
+    anchor: &mut Anchor,
+    iss: &str,
+    sub: &str,
+) -> Result<Operation, AnchorError> {
+    anchor.remove_openid_credential(iss, sub)?;
+    Ok(Operation::RemoveOpenIdCredential { iss: iss.into() })
+}

src/internet_identity/src/anchor_management/tentative_device_registration.rs

@@ -1,4 +1,4 @@
-use crate::anchor_management::add;
+use crate::anchor_management::add_device;
 use crate::authz_utils::IdentityUpdateError;
 use crate::state::RegistrationState::{DeviceRegistrationModeActive, DeviceTentativelyAdded};
 use crate::state::TentativeDeviceRegistration;
@@ -129,7 +129,7 @@ pub fn verify_tentative_device(
 ) -> Result<((), Operation), VerifyTentativeDeviceError> {
     match get_verified_device(anchor_number, user_verification_code) {
         Ok(device) => {
-            let operation = add(anchor, device);
+            let operation = add_device(anchor, device);
             Ok(((), operation))
         }
         Err(err) => Err(err),

src/internet_identity/src/main.rs

@@ -153,7 +153,7 @@ fn register(
 #[update]
 fn add(anchor_number: AnchorNumber, device_data: DeviceData) {
     anchor_operation_with_authz_check(anchor_number, |anchor| {
-        Ok::<_, String>(((), anchor_management::add(anchor, device_data)))
+        Ok::<_, String>(((), anchor_management::add_device(anchor, device_data)))
     })
     .unwrap_or_else(|err| trap(err.as_str()))
 }
@@ -163,7 +163,7 @@ fn update(anchor_number: AnchorNumber, device_key: DeviceKey, device_data: Devic
     anchor_operation_with_authz_check(anchor_number, |anchor| {
         Ok::<_, String>((
             (),
-            anchor_management::update(anchor, device_key, device_data),
+            anchor_management::update_device(anchor, device_key, device_data),
         ))
     })
     .unwrap_or_else(|err| trap(err.as_str()))
@@ -174,7 +174,7 @@ fn replace(anchor_number: AnchorNumber, device_key: DeviceKey, device_data: Devi
     anchor_operation_with_authz_check(anchor_number, |anchor| {
         Ok::<_, String>((
             (),
-            anchor_management::replace(anchor_number, anchor, device_key, device_data),
+            anchor_management::replace_device(anchor_number, anchor, device_key, device_data),
         ))
     })
     .unwrap_or_else(|err| trap(err.as_str()))
@@ -185,7 +185,7 @@ fn remove(anchor_number: AnchorNumber, device_key: DeviceKey) {
     anchor_operation_with_authz_check(anchor_number, |anchor| {
         Ok::<_, String>((
             (),
-            anchor_management::remove(anchor_number, anchor, device_key),
+            anchor_management::remove_device(anchor_number, anchor, device_key),
         ))
     })
     .unwrap_or_else(|err| trap(err.as_str()))

src/internet_identity/src/openid.rs

@@ -1,19 +1,27 @@
-use candid::{Deserialize, Principal};
+use crate::delegation::der_encode_canister_sig_key;
+use crate::state;
+use candid::{CandidType, Deserialize, Principal};
+use ic_certification::Hash;
 use identity_jose::jws::Decoder;
 use internet_identity_interface::internet_identity::types::{
     MetadataEntryV2, OpenIdConfig, Timestamp,
 };
+use sha2::{Digest, Sha256};
 use std::cell::RefCell;
 use std::collections::HashMap;
 
 mod google;
 
-#[derive(Debug, PartialEq)]
+pub type Iss = String;
+pub type Sub = String;
+pub type Aud = String;
+
+#[derive(Debug, PartialEq, Eq, CandidType, Deserialize, Clone)]
 pub struct OpenIdCredential {
-    pub iss: String,
-    pub sub: String,
-    pub aud: String,
-    pub principal: Principal,
+    pub iss: Iss,
+    pub sub: Sub,
+    pub aud: Aud,
+    pub delegation_principal: Principal,
     pub last_usage_timestamp: Timestamp,
     pub metadata: HashMap<String, MetadataEntryV2>,
 }
@@ -30,11 +38,11 @@ struct PartialClaims {
 }
 
 thread_local! {
-    static OPEN_ID_PROVIDERS: RefCell<Vec<Box<dyn OpenIdProvider >>> = RefCell::new(vec![]);
+    static PROVIDERS: RefCell<Vec<Box<dyn OpenIdProvider >>> = RefCell::new(vec![]);
 }
 
 pub fn setup_google(config: OpenIdConfig) {
-    OPEN_ID_PROVIDERS
+    PROVIDERS
         .with_borrow_mut(|providers| providers.push(Box::new(google::Provider::create(config))));
 }
 
@@ -46,7 +54,7 @@ pub fn verify(jwt: &str, salt: &[u8; 32]) -> Result<OpenIdCredential, String> {
     let claims: PartialClaims =
         serde_json::from_slice(validation_item.claims()).map_err(|_| "Unable to decode claims")?;
 
-    OPEN_ID_PROVIDERS.with_borrow(|providers| {
+    PROVIDERS.with_borrow(|providers| {
         match providers
             .iter()
             .find(|provider| provider.issuer() == claims.iss)
@@ -57,6 +65,34 @@ pub fn verify(jwt: &str, salt: &[u8; 32]) -> Result<OpenIdCredential, String> {
     })
 }
 
+#[allow(clippy::cast_possible_truncation)]
+fn calculate_seed(client_id: &str, iss: &Iss, sub: &Sub) -> Hash {
+    let salt = state::salt();
+
+    let mut blob: Vec<u8> = vec![];
+    blob.push(32);
+    blob.extend_from_slice(&salt);
+
+    blob.push(client_id.bytes().len() as u8);
+    blob.extend(client_id.bytes());
+
+    blob.push(iss.bytes().len() as u8);
+    blob.extend(iss.bytes());
+
+    blob.push(sub.bytes().len() as u8);
+    blob.extend(sub.bytes());
+
+    let mut hasher = Sha256::new();
+    hasher.update(blob);
+    hasher.finalize().into()
+}
+
+fn get_delegation_principal(client_id: &str, iss: &Iss, sub: &Sub) -> Principal {
+    let seed = calculate_seed(client_id, iss, sub);
+    let public_key = der_encode_canister_sig_key(seed.to_vec());
+    Principal::self_authenticating(public_key)
+}
+
 #[cfg(test)]
 struct ExampleProvider;
 
@@ -78,7 +114,7 @@ impl ExampleProvider {
             iss: self.issuer().into(),
             sub: "example-sub".into(),
             aud: "example-aud".into(),
-            principal: Principal::anonymous(),
+            delegation_principal: Principal::anonymous(),
             last_usage_timestamp: 0,
             metadata: HashMap::new(),
         }
@@ -89,15 +125,15 @@ impl ExampleProvider {
 fn should_return_credential() {
     let provider = ExampleProvider {};
     let credential = provider.credential();
-    OPEN_ID_PROVIDERS.replace(vec![Box::new(provider)]);
+    PROVIDERS.replace(vec![Box::new(provider)]);
     let jwt = "eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIn0.SBeD7pV65F98wStsBuC_VRn-yjLoyf6iojJl9Y__wN0";
 
     assert_eq!(verify(jwt, &[0u8; 32]), Ok(credential));
 }
 
 #[test]
 fn should_return_error_unsupported_issuer() {
-    OPEN_ID_PROVIDERS.replace(vec![]);
+    PROVIDERS.replace(vec![]);
     let jwt = "eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIn0.SBeD7pV65F98wStsBuC_VRn-yjLoyf6iojJl9Y__wN0";
 
     assert_eq!(