@dfinity/auth-client 403 response

Hi,
I’m trying to plug my app to Internet Identity.
I added the @dfinity/auth-client package and managed to login by being redirected to Internet Identity. When I’m redirected to my app I setup my actors with :

const identity = await authClient.getIdentity();
const agent = new HttpAgent({ identity });

Seems okay but when I call a canister I get a 403 forbidden error :

Error: Server returned an error:
  Code: 403 (Forbidden)
  Body: Failed to authenticate request 0x52fc981d5e084791392dd64d5a4047cfcccce0518a7764039b3f7958b779257a due to: Invalid delegation: Invalid canister signature: IcCanisterSignature signature could not be verified: public key 0a00000000000000070101068d920ad8a5c842785f6413fda4fb9dbacf90278379154b383297a43954952a, signature d9d9f7a26b63657274696669636174655901fdd9d9f7a2647472656583018301830183024863616e69737465728301830182045820a940364d76663a24f7ad21323bd7cc3215645e4987a98166bdc414a2970a3114830182045820273f25913d6d4f2d3f4c81757df7b27a402e9e2c4e4015ff8dc3307d6c65736e8301820458206219183bd3bd20a28b9dfc594f4dfd8d8af57d02daa542bea32c55351a2f5d5183024a000000000000000701018301830183024e6365727469666965645f6461746182035820f78e30b9e9fcd71c7159041933b734616c9152a663c8d507e4bc03061e326f2c82045820fd5b59459758c8afecaf7285da359e4b5adb945fb86a3c1f0efd996c21a969388204582081e4b7cc6d146559ae285ffe3a8a73ea19026c1e1e890035984d788a98c6cb1a82045820fe02b28e2834dc30e29101ae4e6efa53a432f86e15e93550e0cfacc71364218382045820dfb7cc919d68f0d62241d33048f32ff0616c448b013ed7b93c7b77f997a2c51282045820b881eec819db2500e3892ba78a354fbe39c1f11b288609d00fd596eb8d05cde683018204582099a1a976abb8e066bce396d5953f88bdca2e3aa7a8540cf1573ba77f1f87dd8583024474696d65820349ef84da97cc81b0bf16697369676e61747572655830989542b1af60c8fa0b6af2962b50016f1913d881efe928453d981e140d57d64f5124d660745467b848bae5afd6d12ba564747265658301820458200c2cc6c48fd56f4729b0052577f8d7c9bf95b6d5d23ea64c3c7e8941d6c2e8d08302437369678301820458207725f1891353fab3d70a2716e767a2a55360e9036d6cdb9c9e4d0a828a086680830182045820c581c5fcd7170735e524cdf680231b3374c5d84c7ab017bf8e0ab0b491622e188301830183025820667c9861f59e47abe9590130735f44033589a16b23a30d413cd633063015866b83025820dca69d6ccd46d4f68070dcaef50d4fae22e89763d5410bf45ad8e3d36170ffd3820340820458202beb9e706a2687b53b8b93c33d0d64425f23912e81bf36b13e3a61fa6b69bfaf82045820d4cf18138e654dff4bc8c8249b08f26441789625a800302c5f0e26a0ac4a0a61, error: certificate verification failed: failed to verify threshold signature: failed to verify threshold signature: root_hash=CryptoHash(0x6f77592ef292660a92c8494133813b60a8c4769898bea57655b7898c71e10207), sig=Blob{48 bytes;989542b1af60c8fa0b6af2962b50016f1913d881efe928453d981e140d57d64f5124d660745467b848bae5afd6d12ba5}, pk=ThresholdSigPublicKey { internal: ThresBls12_381(0xa5527afa3476be3185139e2aa27771fdefdce8b69ab7b582c3a65c76e1356238965a3d2324f0ac466ebdb737db2d3daa0e42a13356b33f31d78d8e0b671b5fad64740daafefa58ee8594c90d1bbc8e6e48aa9860fd81d86f51014c62777e4a0e) }, error=ThresBls12_381 signature could not be verified: public key a5527afa3476be3185139e2aa27771fdefdce8b69ab7b582c3a65c76e1356238965a3d2324f0ac466ebdb737db2d3daa0e42a13356b33f31d78d8e0b671b5fad64740daafefa58ee8594c90d1bbc8e6e48aa9860fd81d86f51014c62777e4a0e, signature 989542b1af60c8fa0b6af2962b50016f1913d881efe928453d981e140d57d64f5124d660745467b848bae5afd6d12ba5, error: Invalid combined threshold signature

Do I miss something ? I’m running my frontend on a devserver and being redirected to identity.ic0.app for authentication

Edit: same error when I deploy the frontend on my local node

1 Like

I guess I have to deploy Internet Identity locally.
I built the wasm module by using Docker see.
How should I deploy it ? I tried to copy the wasm file to my application repo and add this to dfx.json:

"internet-identity": {
      "wasm": "src/backend/internet-identity/internet_identity.wasm",
      "custom": "custom"
    },

But when I try to install the canister I get an error :

dfx canister install internet-identity                     
thread 'Installing code for canister internet-identity, with canister_id rdmx6-jaaaa-aaaaa-aaadq-cai
main' panicked at 'Cannot get WASM output path.', src/dfx/src/lib/operations/canister/install_canister.rs:49:21

Is there a simple way to deploy Internet Identity locally ?

1 Like

Change dfx.json to

    "internet-identity": {
      "main": "src/backend/internet-identity/internet_identity.wasm",
      "custom": "custom"
    },

then, copy the wasm into local canisters, and install with args:

mkdir -p ./dfx/local/canisters/internet-identity
cp src/backend/internet-identity/internet_identity.wasm ./dfx/local/canisters/internet-identity/internet-identity.wasm
dfx canister install internet-identity --argument "(null)"
3 Likes

Alright I missed the deploy arguments but my authentication fails on my local Internet Identity :
POST http://identity.localhost/api/v2/canister/rdmx6-jaaaa-aaaaa-aaadq-cai/call 404 (Not Found)

I guess the source of the error is that when I deploy Internet Identity like this it generates me a new canister id.
In the Internet Identity docs it’s said that it’s prebuilt with "rdmx6-jaaaa-aaaaa-aaadq-cai".
How can I deploy the canister with a fixed canister id ? Everytime it overrides my .dfx/local/canister_ids.json :frowning:
I followed the tuto internet-identity/Demo.md at main · dfinity/internet-identity · GitHub it helped a lot !

I’m getting really closer.

I managed to deploy everything by deploying Internet Identity to retrieve the newly created CANISTER_ID and rebuilding the internet_identity.wasm with this new CANISTER_ID.

Anyone knows how to specify the canister_id before deploying ?

You can run dfx canister create to assign a canister id before building and installing the canister (which deploy does), if that’s what you need?

1 Like
dfx canister create internet_identity r7inp-6aaaa-aaaaa-aaabq-cai                                                       [email protected]
Creating canister "internet_identity"...
"internet_identity" canister created with canister id: "rno2w-sqaaa-aaaaa-aaacq-cai"

:sob:

Why did it change the canister_id ?
The thing is that I have built Internet Identity with a fixed CANISTER_ID (via docker build) and I want to deploy the wasm module alongside my app with the same CANISTER_ID. Is there any way to specify the CANISTER_ID that dfx canister create will generate ?
It is important to ease the bootstrap of the dev environment.

Thanks for playing early adopter here. The mid-term plan is to make it possible to use https://identity.ic0.app/ also for local development, but that requires changes to the local instance (the thing you start with dfx start), so please bear with us and with some inconveniences until then.

Is there any way to specify the CANISTER_ID that dfx canister create will generate ?

Unfortunately not.

What we do during local development on the Internet Identity is that our test app (internet-identity/demos/sample-javascript at main · dfinity/internet-identity · GitHub) has a text field where I can paste the URL to the identity provider to use; this way you can test your app with a local identity provider and don’t have to recompile/redeploy when the URL changes.

Another tip: You can just clone https://github.com/dfinity/internet-identity/ and use dfx deploy --no-wallet --argument "(null)" from that. You can run dfx start in one project (yours), and then deploy to local in another one, and they will be able to talk to each other.

5 Likes

Thanks, the problem is that i can’t compile the Internet Identity app locally. I’ll spend more time to fix this but for the moment i compile it through docker which works great.
Besides this problem i managed to deploy it locally and it works great. Login then authenticated request are OK !
For those who are willing to try:
AuthClient.login({identityProvider:“localhost…”})

The error while compiling locally:

error: failed to parse lock file at:~/workspace-dfinity/internet-identity/Cargo.lock

Caused by:
  invalid serialized PackageId for key `package.dependencies`
The build step failed for canister 'renrk-eyaaa-aaaaa-aaada-cai' with an embedded error: The custom tool failed.

Do you have any hints for me ?

What’s the best way to deploy all NNS canisters locally, if I wanted to use ledger, cycles-minting, and governance?

Ok I had an old rust… Looks good now. Thanks @nomeata I’ll continue like this to build locally.

Interested by this to, maybe in another thread, I already diverged a lot :rofl:

1 Like

The dfinity/ic repo should contain instructions to build them, but unfortunately deploying isn’t trivial (their initial configuration data needs to be produced), and the tool that does that isn’t made available yet. There is the source, though, so you could probably build your own tool :slight_smile:

(NNS canisters are not my particular expertise, so maybe others will know a way).

Did anyone ever build this? I’m trying to get the system canisters to run under dfx with little luck.

If you’re referring to the Internet Identity canister:
Yes I was able to build it a couple of days ago. Make sure you use the right version of Rust & dfx and have CMake installed. Then just follow the steps outlined in the README

1 Like

I’m trying to get the major system canisters. Cycle_minting, ledger, governance. I’ve been able to get Identity to work in the past.

1 Like