Internet Identity: how can a user recover the principal for a specific web app?

peterparker · January 12, 2024, 2:28pm

The restriction was originally in place for security reasons. However, with the support of custom domains by the BN, it is now possible to extend this mechanism to include them while keeping the security level. @frederikrothenberger has even already outlined an idea for it. Nevertheless, since the stakeholders have not given this feature any priority, it may or may not be implemented in the future. I cannot tell. I’ve tried to move the topic multiple times last years.

dfxjesse · January 12, 2024, 2:39pm

I would very much like to have the possibility of custom domain canonical origins, It would open up a good few possibilities for our dApp such as backups etc.

I’m not sure how I could try push this feature forward other than voicing my support for it here. But I hope to see progress and the restriction removed.

peterparker · January 12, 2024, 2:47pm

Note that you don’t need to convince me; For instance, the inability to generate the same principal on customdomain.com and www.customdomain.com is quite awkward, to say the least.

dfxjesse · January 12, 2024, 2:53pm

It seems it would be a quick update maybe just removing the regex checks in this file:

github.com

dfinity/internet-identity/blob/main/src/frontend/src/flows/authorize/validateDerivationOrigin.ts#L7


      
          import { wrapError } from "$src/utils/utils";
          import { Principal } from "@dfinity/principal";
          import { isNullish } from "@dfinity/utils";
          
          // Regex that's used to ensure an alternative origin is valid. We only allow canisters as alternative origins.
          // Note: this allows origins that are served both from the legacy domain (ic0.app) and the official domain (icp0.io).
          const ORIGIN_VALIDATION_REGEX =
            /^https:\/\/([\w-]+)(?:\.raw)?\.(?:ic0\.app|icp0\.io)$/;
          
          const MAX_ALTERNATIVE_ORIGINS = 10;
          type ValidationResult =
            | { result: "valid" }
            | { result: "invalid"; message: string };
          
          /**
           * Function to validate the derivationOrigin. The derivationOrigin allows an application to request principals of a
           * different origin, given that origin allows this by listing the requesting application origin in the

peterparker · January 12, 2024, 2:58pm

Actually this regex cannot just be removed, there is a certain level of security to keep in place (I don’t have all the details in mind). This was discussed / reviewed with the security team.

peterparker · January 12, 2024, 2:59pm

That was also my first idea .

dfxjesse · January 12, 2024, 3:01pm

Ye that makes sense, It’s never as easy as it seems. Maybe @frederikrothenberger can advise on his idea in this scenario and / or the security situation surrounding this.

frederikrothenberger · January 12, 2024, 3:14pm

@dfxjesse: Yes, we can remove the regex, if we make sure in other ways that the /.well-known/ii-alternative-origins asset is served from a canister (and hence has passed asset certification). This is a requirement by product security because they fear that identities might get stolen if we allow this asset to be served from web2.

But we have a solution for that: we can rely on the boundary nodes custom domains feature to verify that the URL is indeed backed by a canister.

I have (again) surfaced this issue to II product management so that it can hopefully be addressed in the upcoming sprints.

dfxjesse · January 12, 2024, 3:32pm

Thanks for your response,

Our custom domain is backed by a canister as I presume many others are on the IC (IE not on web2). So if there is some way the boundary nodes can verify this and we can remove that regex would be awesome.

Thanks for raising it with the II product management, I’ll keep an eye on this.

Topic		Replies	Views
Deriving the wallet canister id from an authenticated user Developers	5	511	June 17, 2022
Internet Identity by canisterId instead of url Programs & Applications	13	1275	January 10, 2022
An Internet-Identity-principal is tied to a domain-name? Programs & Applications	6	2045	November 16, 2022
Why is there different versions of principal Ids for a single Internet Identity and how do the really work? Developers	2	364	June 20, 2023
Internet identity and login internet-identity	15	2384	November 18, 2023

Internet Identity: how can a user recover the principal for a specific web app?

Related Topics