Implement API to auto-select identity based on known principal #2563
This adds the option to specify a principal when requesting a session such that II auto-selects the identity if the principal is known. If the principal is not known, II will fall back to default behaviour (same as now) with manual identity selection.
Why do you call it `auto`, it sounds like a boolean to me? Why not only `selectedIdentity`?
Using the `matching` part, it seems as if one could pass a regex.
I also added some minor comments.
docs/ii-spec.mdx
Outdated
@@ -172,6 +173,8 @@ This section describes the Internet Identity Service from the point of view of a | |||
|
|||
- the `derivationOrigin`, if present, indicates an origin that should be used for principal derivation instead of the client origin. Internet Identity will only accept values that are also listed in the HTTP resource `/.well-known/ii-alternative-origins` of the corresponding canister (see [Alternative Frontend Origins](#alternative-frontend-origins)). | |||
|
|||
- the `autoSelectMatchingIdentity`, if present, indicates the textual representation of this dapp's principal for which the delegation is requested. If it is known to Internet Identity, it will skip the identity selection and immediately prompt for authentication. This feature can be used to streamline re-authentication after a session expiry. |
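Review bot: The new `autoSelectMatchingIdentity` bullet says what happens when the principal is known to Internet Identity but not what happens when it is unknown. The PR description says II falls back to manual identity selection in that case, and the spec should state that here so relying parties do not treat the field as a guarantee. The phrase "this dapp's principal" can also be read as the dapp's own principal rather than the user's principal at this dapp; consider wording it as "the user's principal at this dapp".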
Do you have a list of changes downstream for this?
First thoughts are auth-client and II docs
Anything else?
As discussed, we only need to have the docs rebuilt after merging.
pick: (pickProps: { anchors: NonEmptyArray<bigint> }) => | ||
pick: (pickProps: { | ||
anchors: NonEmptyArray<bigint>; | ||
autoSelect?: bigint; |
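Review bot: `autoSelect?: bigint` sits next to `anchors` with nothing stating how the two relate. Document, or check inside `pick`, that a value not contained in `anchors` is ignored, so a caller cannot trigger selection of an identity that is not shown on the picker. A one-line doc comment saying that this is an identity number would also help with the boolean-sounding name.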
`autoSelect` seems like a boolean type of parameter. How about `selectedIdentity`?
As discussed, it is only automatically selected on the initial picker screen, but the user can still override that by cancelling the passkey interaction and picking something else.
new Promise< | ||
{ tag: "more_options" } | { tag: "pick"; userNumber: bigint } | ||
>((resolve) => | ||
>((resolve) => { | ||
// render page first so that when the identity is picked and the passkey |
What is it that we need to wait? Couldn't we show a spinner while we wait for it and then resolve?
Well, normally we wait for the user to choose. But if we have an `autoSelect` identity, then the action completes immediately. I am just threading it through here, because the identity picker should still be rendered, before automatically selecting something. Otherwise you have the passkey interaction from a completely blank page, which is pretty weird. This way, you have at least a (albeit blurred out) version of the II page in the background.
We could render something else if we want to improve it I guess. But definitely not a priority.
@@ -188,6 +188,14 @@ const authenticate = async ( | |||
}; | |||
} | |||
|
|||
let autoSelectIdentity = undefined; | |||
if (nonNullish(authContext.authRequest.autoSelectMatchingIdentity)) { | |||
autoSelectIdentity = await getAnchorByPrincipal({ |
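Review bot: `let autoSelectIdentity = undefined;` carries no type annotation, so its type is left to inference from the later assignment. Declaring it as `bigint | undefined` (or whatever `getAnchorByPrincipal` returns) makes the fallback case explicit where the value is used. Since `autoSelectMatchingIdentity` is read from the dapp's auth request, it is also worth confirming that the lookup, whose arguments are cut off in this view, only matches principals issued for this request's origin.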
Same here, this is an identity, now? Why call it `auto`?
Well, yes. `getAnchorByPrincipal` resolves the supplied Principal to an identity (number).
@@ -1,5 +1,6 @@ | |||
// Types and functions related to the window post message interface used by | |||
// applications that want to authenticate the user using Internet Identity | |||
import { zodPrincipal } from "@dfinity/internet-identity-vc-api"; |
Should we put it somewhere else? `zodPrincipal` doesn't seem related to `internet-identity-vc-api` to me. I don't think I would remember to import it from here.
Maybe not in this PR though.
Yeah, I thought about it. But then we need to have yet another package that only provides the `zodPrincipal`. Maybe we could put that into `ic-js`? AFAIK @peterpeterparker also needs this definition in the signer library.
Seems weird there as well. I was thinking more in II directly. I think that repeating this code in multiple places is also ok.
Because it automatically selects the identity when loading the page (in the future). And it is not guaranteed that it finds the appropriate identity to select. Also, the user can override that selection.
The rp can only supply a principal (that we then need to match against known values). We can also call it |
LGTM! Thanks for the answers. I don't have a better name, so let's not wait and merge this.
After some consideration I like Thanks for the feedback! |
This is an enhancement to the auto-selection feature introduced in #2563: In order to not confuse users, only the most recently used identity can be auto-selected (i.e. when refreshing sessions). This way, a dapp cannot make a user _switch_ identities without them having the identity selected explicitly.
* Only allow the most recently used identity to be auto-selected

  This is an enhancement to the auto-selection feature introduced in #2563: In order to not confuse users, only the most recently used identity can be auto-selected (i.e. when refreshing sessions). This way, a dapp cannot make a user _switch_ identities without them having the identity selected explicitly.

* Address review input
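The selection rule described in this PR and its follow-up (match a known principal, fall back to manual selection, never switch away from the most recently used identity), sketched as an added example that is not Internet Identity's code. `decideSelection`, `StoredPrincipal`, the origins and the principals are hypothetical and constructed; "most recently used" is assumed to mean device-wide, and the principal check is a shape check only.

```typescript
// Added example: hypothetical names and constructed data, not Internet Identity's code.
type Anchor = number; // II uses bigint identity numbers; number keeps the sketch portable

interface StoredPrincipal {
  anchor: Anchor;
  origin: string; // origin the principal was issued for
  principal: string; // textual principal handed to that origin
  lastUsedMs: number; // when this identity was last used on this device
}

type Decision =
  | { tag: "auto"; anchor: Anchor }
  | { tag: "manual"; reason: "no_hint" | "malformed" | "unknown" | "not_most_recent" };

// Shape check only (base32 groups of five); it does not verify the checksum.
const PRINCIPAL_SHAPE = /^([a-z2-7]{5}-)+[a-z2-7]{1,5}$/;

function decideSelection(store: StoredPrincipal[], requestOrigin: string, hint?: string): Decision {
  if (hint === undefined) return { tag: "manual", reason: "no_hint" };
  // The hint comes from the relying party, so treat it as untrusted input.
  if (hint.length > 63 || !PRINCIPAL_SHAPE.test(hint)) {
    return { tag: "manual", reason: "malformed" };
  }
  let match: StoredPrincipal | undefined;
  let mostRecent: StoredPrincipal | undefined;
  for (const rec of store) {
    // Only principals issued to the requesting origin may match.
    if (rec.origin === requestOrigin && rec.principal === hint) match = rec;
    if (mostRecent === undefined || rec.lastUsedMs > mostRecent.lastUsedMs) mostRecent = rec;
  }
  if (match === undefined) return { tag: "manual", reason: "unknown" };
  // Follow-up rule: never switch the user away from the identity they last used.
  if (mostRecent === undefined || mostRecent.anchor !== match.anchor) {
    return { tag: "manual", reason: "not_most_recent" };
  }
  return { tag: "auto", anchor: match.anchor };
}

// Constructed sample store: two identities on one device.
const SAMPLE_STORE: StoredPrincipal[] = [
  { anchor: 10001, origin: "https://dapp.example", principal: "aaaaa-bbbbb-ccccc-ddd", lastUsedMs: 2000 },
  { anchor: 10002, origin: "https://dapp.example", principal: "eeeee-fffff-ggggg-hhh", lastUsedMs: 1000 },
  { anchor: 10001, origin: "https://other.example", principal: "iiiii-jjjjj-kkkkk-lll", lastUsedMs: 2000 },
];
```

Every `manual` result corresponds to the fallback to the normal identity picker; the `reason` field exists only to make the cases visible in this sketch.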
🟡 Some screens were changed