Add support for issuer custom/alternative origin

.github/workflows/canister-tests.yml

@@ -468,13 +468,11 @@ jobs:
 
       - name: Deploy canisters
         run: |
+          # NOTE: dfx install will run the postinstall scripts from dfx.json
           dfx canister install internet_identity --wasm internet_identity_test.wasm.gz
           dfx canister install test_app --wasm demos/test-app/test_app.wasm
           dfx canister install issuer --wasm demos/vc_issuer/vc_demo_issuer.wasm.gz
 
-      - name: Provision issuer canister
-        run: ./demos/vc_issuer/provision
-
       # Check the return code of npm ci
       - name: Check on npm ci
         # make sure we don't wait too long if for some unlikely reason the npm status file doesn't get created

demos/vc_issuer/app/index.tsx

@@ -117,6 +117,16 @@ const App = () => {
           />
         </label>
       </section>
+      <section>
+        <label>
+          Custom principal:
+          <input
+            data-role="custom-principal"
+            type="text"
+            onChange={(evt) => setPrincipal(evt.target.value)}
+          />
+        </label>
+      </section>
       <section>
         <button
           data-action="authenticate"

demos/vc_issuer/provision

@@ -61,12 +61,12 @@ do
             shift;
             ;;
         --issuer-derivation-origin)
-            DERIVATION_ORIGIN="${2:?missing value for '--issuer-derivation-origin'}"
+            ISSUER_DERIVATION_ORIGIN="${2:?missing value for '--issuer-derivation-origin'}"
             shift; # shift past --issuer-canister & value
             shift;
             ;;
         --issuer-frontend-hostname)
-            FRONTEND_HOSTNAME="${2:?missing value for '--issuer-frontend-hostname'}"
+            ISSUER_FRONTEND_HOSTNAME="${2:?missing value for '--issuer-frontend-hostname'}"
             shift; # shift past --issuer-canister & value
             shift;
             ;;
@@ -84,7 +84,7 @@ done
 DFX_NETWORK="${DFX_NETWORK:-local}"
 II_CANISTER_ID="${II_CANISTER_ID:-$(dfx canister id internet_identity)}"
 ISSUER_CANISTER="${ISSUER_CANISTER:-issuer}"
-ISSUER_CANISTER_ID=$(dfx canister id $ISSUER_CANISTER)
+ISSUER_CANISTER_ID=$(dfx canister id "$ISSUER_CANISTER")
 DEFAULT_DERIVATION_ORIGIN="https://$ISSUER_CANISTER_ID.icp0.io"
 ISSUER_DERIVATION_ORIGIN="${ISSUER_DERIVATION_ORIGIN:-$DEFAULT_DERIVATION_ORIGIN}"
 ISSUER_FRONTEND_HOSTNAME="${ISSUER_FRONTEND_HOSTNAME:-$ISSUER_DERIVATION_ORIGIN}"

demos/vc_issuer/src/main.rs

@@ -307,15 +307,16 @@ async fn derivation_origin(
 fn get_derivation_origin(hostname: &str) -> Result<DerivationOriginData, DerivationOriginError> {
     CONFIG.with_borrow(|config| {
         let config = config.get();
-        if hostname == config.frontend_hostname {
-            Ok(DerivationOriginData {
-                origin: config.derivation_origin.clone(),
-            })
-        } else {
-            Err(DerivationOriginError::UnsupportedOrigin(
-                hostname.to_string(),
-            ))
+
+        // We don't currently rely on the value provided, so if it doesn't match
+        // we just print a warning
+        if hostname != config.frontend_hostname {
+            println!("*** achtung! bad frontend hostname {}", hostname,);
         }
+
+        Ok(DerivationOriginData {
+            origin: config.derivation_origin.clone(),
+        })
     })
 }
 

demos/vc_issuer/tests/issue_credential.rs

@@ -371,23 +371,6 @@ fn should_return_derivation_origin_with_custom_init() {
     assert_eq!(response.origin, custom_init.derivation_origin);
 }
 
-#[test]
-fn should_fail_derivation_origin_if_unsupported_origin() {
-    let env = env();
-    let canister_id = install_canister(&env, VC_ISSUER_WASM.clone());
-    let req = DerivationOriginRequest {
-        frontend_hostname: "https://wrong.fe.host".to_string(),
-    };
-    let response =
-        api::derivation_origin(&env, canister_id, principal_1(), &req).expect("API call failed");
-    assert_eq!(
-        response,
-        Err(DerivationOriginError::UnsupportedOrigin(
-            req.frontend_hostname
-        ))
-    );
-}
-
 fn employee_credential_spec() -> CredentialSpec {
     let mut args = HashMap::new();
     args.insert(

dfx.json

@@ -18,7 +18,7 @@
       "candid": "demos/vc_issuer/vc_demo_issuer.did",
       "wasm": "demos/vc_issuer/vc_demo_issuer.wasm.gz",
       "build": "demos/vc_issuer/build.sh",
-      "post_install": "demos/vc_issuer/provision",
+      "post_install": "bash -c 'demos/vc_issuer/provision --issuer-derivation-origin https://$(dfx canister id test_app).icp0.io'",
       "dependencies": [ "internet_identity" ]
     }
   },

src/frontend/src/flows/verifiableCredentials/abortedCredentials.json

@@ -5,6 +5,8 @@
     "aborted_internal_error": "There was an unexpected issue while verifying your credentials. Please retry, and if the problem persist contact support.",
     "aborted_auth_failed_ii": "There was an error authenticating you with your Internet Identity. Aliases were not created.",
     "aborted_auth_failed_issuer": "There was an error authenticating you with the issuer. Make sure you can authenticate with the issuer.",
+    "aborted_invalid_derivation_origin_issuer": "The derivation origin given for the issuer is not valid.",
+    "aborted_derivation_origin_issuer_error": "The issuer produced an error when queried for its derivation origin.",
     "aborted_issuer_api_error": "There was an error requesting credentials with the issuer. The issuer returned an error.",
     "aborted_bad_principal_rp": "The principal provided by the relying party does not match the data Internet Identity has.",
     "aborted_no_canister_id": "Internet Identity could not find the canister for the issuer.",

src/frontend/src/flows/verifiableCredentials/abortedCredentials.ts

@@ -12,6 +12,8 @@ export type AbortReason =
   | "internal_error"
   | "auth_failed_ii"
   | "auth_failed_issuer"
+  | "derivation_origin_issuer_error"
+  | "invalid_derivation_origin_issuer"
   | "issuer_api_error"
   | "bad_principal_rp"
   | "no_canister_id"

src/frontend/src/flows/verifiableCredentials/index.ts

@@ -91,16 +91,32 @@ const verifyCredentials = async ({
     }
   }
 
-  const validationResult = await withLoader(() =>
+  // Verify that principals may be issued to RP using the specified
+  // derivation origin
+  const validRpDerivationOrigin = await withLoader(() =>
     validateDerivationOrigin(rpOrigin_, rpDerivationOrigin)
   );
-  if (validationResult.result === "invalid") {
+  if (validRpDerivationOrigin.result === "invalid") {
     return abortedCredentials({ reason: "bad_derivation_origin_rp" });
   }
-  validationResult.result satisfies "valid";
+  validRpDerivationOrigin.result satisfies "valid";
   const rpOrigin = rpDerivationOrigin ?? rpOrigin_;
 
   const vcIssuer = new VcIssuer(issuerCanisterId);
+
+  const issuerDerivationOriginResult = await getValidatedIssuerDerivationOrigin(
+    {
+      vcIssuer,
+      issuerOrigin,
+    }
+  );
+
+  if (issuerDerivationOriginResult.kind === "error") {
+    return abortedCredentials({ reason: issuerDerivationOriginResult.err });
+  }
+
+  const issuerDerivationOrigin = issuerDerivationOriginResult.origin;
+
   // XXX: We don't check that the language matches the user's language. We need
   // to figure what to do UX-wise first.
   const consentInfo = await vcIssuer.getConsentMessage({ credentialSpec });
@@ -164,7 +180,7 @@ const verifyCredentials = async ({
 
   const pAliasPending = getAliasCredentials({
     rpOrigin,
-    issuerOrigin,
+    issuerOrigin: issuerDerivationOrigin /* Use the actual derivation origin */,
     authenticatedConnection,
   });
 
@@ -180,7 +196,7 @@ const verifyCredentials = async ({
 
     const issuedCredential = await issueCredential({
       vcIssuer,
-      issuerOrigin,
+      issuerOrigin: issuerDerivationOrigin,
       issuerAliasCredential: pAlias.issuerAliasCredential,
       credentialSpec,
       authenticatedConnection,
@@ -302,6 +318,46 @@ const getAliasCredentials = async ({
   return { ok: { rpAliasCredential, issuerAliasCredential } };
 };
 
+// Looks up and verify the derivation origin to be used by the issuer
+const getValidatedIssuerDerivationOrigin = async ({
+  vcIssuer,
+  issuerOrigin,
+}: {
+  vcIssuer: VcIssuer;
+  issuerOrigin: string;
+}): Promise<
+  | {
+      kind: "error";
+      err:
+        | "derivation_origin_issuer_error"
+        | "invalid_derivation_origin_issuer";
+    }
+  | { kind: "ok"; origin: string }
+> => {
+  const result = await vcIssuer.getDerivationOrigin({ origin: issuerOrigin });
+
+  if (result.kind === "error") {
+    return { kind: "error", err: "derivation_origin_issuer_error" };
+  }
+
+  result.kind satisfies "origin";
+
+  const validDerivationOrigin = await validateDerivationOrigin(
+    issuerOrigin,
+    result.origin
+  );
+  if (validDerivationOrigin.result === "invalid") {
+    console.error(
+      "Invalid derivation origin for issuer",
+      JSON.stringify(validDerivationOrigin)
+    );
+    return { kind: "error", err: "invalid_derivation_origin_issuer" };
+  }
+  validDerivationOrigin.result satisfies "valid";
+
+  return { kind: "ok", origin: result.origin };
+};
+
 // Contact the issuer to issue the credentials
 const issueCredential = async ({
   vcIssuer,

src/frontend/src/flows/verifiableCredentials/vcIssuer.ts

@@ -54,7 +54,9 @@ export class VcIssuer {
     });
 
     if ("Err" in result) {
-      console.error("Could not prepare credential", result.Err);
+      console.error(
+        "Could not prepare credential: " + JSON.stringify(result.Err)
+      );
       return "error";
     }
 
@@ -107,4 +109,32 @@ export class VcIssuer {
 
     return result.Ok;
   };
+
+  getDerivationOrigin = async ({
+    origin,
+  }: {
+    origin: string;
+  }): Promise<{ kind: "origin"; origin: string } | { kind: "error" }> => {
+    const actor = await this.createActor();
+
+    let result;
+    try {
+      result = await actor.derivation_origin({
+        frontend_hostname: origin,
+      });
+    } catch (e: unknown) {
+      console.error("Could not get derivation origin (unexpected error)", e);
+      return { kind: "error" };
+    }
+
+    if ("Err" in result) {
+      console.error(
+        "Could not get derivation origin (issuer error)",
+        JSON.stringify(result.Err)
+      );
+      return { kind: "error" };
+    }
+
+    return { kind: "origin", origin: result.Ok.origin };
+  };
 }

src/frontend/src/test-e2e/constants.ts

@@ -13,6 +13,9 @@ export const TEST_APP_NICE_URL = "https://nice-name.com";
 export const ISSUER_APP_URL = `https://${issuerAppCanisterId}.icp0.io`;
 export const ISSUER_APP_URL_LEGACY = `https://${issuerAppCanisterId}.ic0.app`;
 
+// Value needs to match how the canister was provisioned
+export const ISSUER_CUSTOM_ORIGIN_NICE_URL = `https://nice-issuer-custom-orig.com`;
+
 export const II_URL =
   process.env.II_URL ?? "https://identity.internetcomputer.org";