Invalid Derivation Origin

nolma · November 23, 2023, 1:41am

I followed this guide: How to Deploy Your First Canister Smart Contract Using the NNS Dapp | by DFINITY | The Internet Computer Review | Medium for deploying a canister and was able to deploy 3 canisters successfully.

As part of my token deployment params, I marked my nns principal as being the owner of the token with a starting balance. I can see the balance is correct in the Candid UI.

I want to interact with the canister so I click login, expecting to be prompted to connect with my nns account.

Instead I get an Invalid Derivation Origin error:

Invalid Derivation Origin
"https://6japz-gyaaa-aaaag-accza-cai.raw.icp0.io" is not a valid derivation origin for "https://a4gq6-oaaaa-aaaab-qaa4q-cai.raw.icp0.io"
Error details:
An error occurred while validating the derivationOrigin "https://6japz-gyaaa-aaaag-accza-cai.raw.icp0.io": Failed to fetch

How can I connect my nns account to login to the Candid UI?
Are there settings I need to set when deploying the canister?

Thanks!

frederikrothenberger · November 23, 2023, 10:48am

Hi @nolma

You are hitting a special case here which is related to principal derivation on Internet Identity. Normally Internet Identity hands out different principals for each application. There is a feature however, to have two applications with different URLs use the same principal. It is called alternative origins and is documented here.

Apparently, candid UI now supports that feature (very useful for debugging), which means it is able to use the same principal as you would have on your own front-end given you grant it the permission to do so. The error you see here, is because you are currently not granting it the permission.

To grant it the permission, simply host a file in your canister using the path /.well-known/ii-alternative-origins and add the following content:

{
  "alternativeOrigins": ["https://a4gq6-oaaaa-aaaab-qaa4q-cai.raw.icp0.io"]
}

Be aware of the consequences though: This allows the Candid UI canister a4gq6-oaaaa-aaaab-qaa4q-cai to use the same principals as you get on your front-end (https://6japz-gyaaa-aaaag-accza-cai.raw.icp0.io). It can therefore impersonate your front-end, which would be really bad if it were to turn malicious (I don’t know who controls a4gq6-oaaaa-aaaab-qaa4q-cai). Remove the entry from the /.well-known/ii-alternative-origins file before associating anything of value with the user principals from your front-end.

You should also be able to deploy your own candid UI to mainnet if you don’t trust a4gq6-oaaaa-aaaab-qaa4q-cai. @Severin: What would be the easiest way to do so?

Severin · November 23, 2023, 12:32pm

The easiest way to deploy your own Candid UI is to clone this folder, delete canister_ids.json (so dfx doesn’t try to deploy to the ‘official’ Candid UI, and then deploy the project for yourself

Samer · November 23, 2023, 7:29pm

@nolma

If your canister is written in Motoko, here’s what you need to add for it to work with Candid UI login.

github.com

Web3NL/candid/blob/test-authenticated-calls/tools/ui/target_test_canister/main.mo

import Principal "mo:base/Principal";
import Error "mo:base/Error";
import Text "mo:base/Text";
import { responseBody } "./AlternativeOrigin";

actor {
    var allowed = Principal.fromText("oigup-gpnce-ytl3m-gkuwt-hf4yc-lci5d-ijsy5-oc4ak-kz3v2-fjbl5-mae");

    public func _set_allowed_principal(principal : Text) : async () {
        allowed := Principal.fromText(principal);
    };

    public query func _get_allowed_principal() : async Text {
        Principal.toText(allowed);
    };

    public shared query ({ caller }) func hello() : async Text {
        if (caller != allowed) {
            throw Error.reject("Unauthorized");
        };

This file has been truncated. show original

If you are not using the http_request function for fast certified queries, you can add the upgrade = ?true; field in the response and serve the alternativeOrigin file from http_request_update, see example

zensh · November 26, 2024, 9:41am

@Severin
I recently encountered an “Invalid Derivation Origin” issue.

A few days ago, I faced this problem when logging into oc.app, but today it worked fine.
However, I’m now experiencing the same issue with dmsg.net and can’t log in at all, despite no new version being released recently.

Severin · November 26, 2024, 9:43am

I don’t know this enough to help. @lmuntaner maybe?

lmuntaner · November 26, 2024, 9:48am

Weird, it’s working for me…

From where do you login?

Did someone upgrade panda.fans maybe? The alternative origins file is properly set: https://panda.fans/.well-known/ii-alternative-origins

zensh · November 26, 2024, 9:53am

I can sign in normally now. panda.fans hasn’t been updated, so I suspect it was a node or boundary gateway upgrade and restart that I happened to encounter.

lmuntaner · November 26, 2024, 10:19am

That could be. Good to know it’s all working normally again.

Topic		Replies	Views
Deriving the wallet canister id from an authenticated user Developers	5	614	June 17, 2022
Release Announcement: Canister Chosen Alternative Origins internet-identity	11	2446	August 18, 2022
Use the --no-wallet parameter to deploy the canister prompt created on nns: code 4, message: "Caller is not authorized" Developers in-progress	3	2071	September 3, 2021
User Privacy Concerns with the new Canister Chosen Alternative Origins feature internet-identity privacy	11	1318	July 22, 2022
Candid UI stopped working for my canister at Mainnet CDK	1	255	March 26, 2024

Invalid Derivation Origin

Related topics