Migrating webauthn / fido logins between domains

During the launch stream, I created an Internet Identity on https://identity.messaging.dfinity.network (same URL as in the video) and linked my devices / browsers to that identity. This worked nicely for a while. However, this domain is meanwhile erroring out, and mentions https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app – my old Internet Identity no longer worked there so I created another one. Then, I noticed that when trying to log in to https://nns.ic0.app neither of the two created Internet Identities work anymore, and created yet another one on https://identity.ic0.app.

All those different login forms seem to assign user IDs from the same pool. However, it seems that every time the domain changes, the old logins all get invalidated. This is problematic, because these logins are also used for the wallets and for staking. The https://identity.ic0.app login seems to also work on https://nns.ic0.app – but, what happens when those sites are moved to a different domain?

Is there any way to enumerate webauthn/fido logins and assign them to a different domain somehow? I have linked Safari on Mac (Touch ID), Safari on iOS (Face ID), as well as the FIDO U2F app on Ledger. Basically, I’d like to have a way to recover my original Internet Identity and use it to log in to a new domain. (Or, in the future, when there is maybe a nicer domain than https://nns.ic0.app I’d like to still be able to log in and access my wallet). Workaround answers are fine as well. I’d just like to have a plan in place to follow whenever the domain of the services changes.

identity.messaging.dfinity.network was a test installation, and does not share data with identity.ic0.app; they just happen to draw User Numbers from the same range.

https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app/ is the same service as identity.ic0.app, but as you noticed, WebAuthentication devices are tied to the Hostname.

You can “migrate“ your account by going to https://identity.ic0.app, follow the “new device” flow, and then in the link you get manually change the hostname to https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app/. Login, approve, and you can now log in at the new one as well.

2 Likes

Thanks for the details, this clarifies a lot! I could successfully migrate my account from https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app to https://identity.ic0.app by following your instructions.

Just to double-check: “draw User Numbers from the same range” means that both the test installation and the real installation happen to generate numbers in a similar way (e.g., both start at 10’000), but user number 12’345 on the test installation is completely separate from user number 12’345 on the main installation?

Followup: There used to be an installation of OpenChat over at https://2611p-6iaaa-aaaaa-qahmq-cai.ic0.app but this one had yet another login system. This has gone offline as well. Was this also part of the test installation, or was this using accounts on the main installation? If this was a main installation, how can I recover that account now that the site is gone? I wouldn’t mind losing the uploaded cat pictures, but it would be awesome if the user names could be recovered (if this were on main).

Is there an easy way to recognize what is test and what is main? https://identity.messaging.dfinity.network was on test, but when trying to access it now it mentions the service on the main network in the error message, so there seems to be at least some sort of link between the main and the test installation.

1 Like

Good to hear that!

Correct!

I am not 100% sure, but I think this might have been the Sodium network, which has now been shut down.

If you run dfx ping http:// you’ll get some information about the node behind that address, and in a way the root_key reported there is the identity of the network you are talking to.

2 Likes

Hmm, dfx ping does not seem to work for me.

These were my steps:

  1. Go to https://sdk.dfinity.org and install the SDK.
  2. dfx ping https://2611p-6iaaa-aaaaa-qahmq-cai.ic0.app – fails with Cannot find dfx configuration file in the current working directory.
  3. dfx new proj
  4. cd proj
  5. dfx ping https://2611p-6iaaa-aaaaa-qahmq-cai.ic0.app – fails with The replica returned an HTTP Error
  6. dfx ping http://identity.ic0.app – same error. Also with https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app

But for the OpenChat instance, as it is no longer reachable, would that ping command even work? Right now it seems to fail regardless of the passed argument.

Full error message:

% dfx ping http://identity.ic0.app
The replica returned an HTTP Error: Http Error: status 404 Not Found, content type "text/html", content: <html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.19.10</center>
</body>
</html>

Try the latest sdk, download it like so:

DFX_VERSION=0.7.0-beta.8 sh -ci "$(curl -sSL https://sdk.dfinity.org/install.sh)"

The main release and docs are currently on an earlier version but will be updated to 0.7.0 soon.

1 Like

Thanks, this resolved the errors.

% dfx ping https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app/ # Identity backend
{
  "ic_api_version": "0.17.0"  "impl_hash": "029b46fa3385c17f9a33f1616156f5be956701ea7109fe94d22b6ff828514461"  "impl_version": "8a560f9510b0df9e747ffaede3b731f2ade9c0b7"  "root_key": [48, 129, 130, 48, 29, 6, 13, 43, 6, 1, 4, 1, 130, 220, 124, 5, 3, 1, 2, 1, 6, 12, 43, 6, 1, 4, 1, 130, 220, 124, 5, 3, 2, 1, 3, 97, 0, 129, 76, 14, 110, 199, 31, 171, 88, 59, 8, 189, 129, 55, 60, 37, 92, 60, 55, 27, 46, 132, 134, 60, 152, 164, 241, 224, 139, 116, 35, 93, 20, 251, 93, 156, 12, 213, 70, 217, 104, 95, 145, 58, 12, 11, 44, 197, 52, 21, 131, 191, 75, 67, 146, 228, 103, 219, 150, 214, 91, 155, 180, 203, 113, 113, 18, 248, 71, 46, 13, 90, 77, 20, 80, 95, 253, 116, 132, 176, 18, 145, 9, 28, 95, 135, 185, 136, 131, 70, 63, 152, 9, 26, 11, 170, 174]
}
% dfx ping https://identity.ic0.app/                   
{
  "ic_api_version": "0.17.0"  "impl_hash": "029b46fa3385c17f9a33f1616156f5be956701ea7109fe94d22b6ff828514461"  "impl_version": "8a560f9510b0df9e747ffaede3b731f2ade9c0b7"  "root_key": [48, 129, 130, 48, 29, 6, 13, 43, 6, 1, 4, 1, 130, 220, 124, 5, 3, 1, 2, 1, 6, 12, 43, 6, 1, 4, 1, 130, 220, 124, 5, 3, 2, 1, 3, 97, 0, 129, 76, 14, 110, 199, 31, 171, 88, 59, 8, 189, 129, 55, 60, 37, 92, 60, 55, 27, 46, 132, 134, 60, 152, 164, 241, 224, 139, 116, 35, 93, 20, 251, 93, 156, 12, 213, 70, 217, 104, 95, 145, 58, 12, 11, 44, 197, 52, 21, 131, 191, 75, 67, 146, 228, 103, 219, 150, 214, 91, 155, 180, 203, 113, 113, 18, 248, 71, 46, 13, 90, 77, 20, 80, 95, 253, 116, 132, 176, 18, 145, 9, 28, 95, 135, 185, 136, 131, 70, 63, 152, 9, 26, 11, 170, 174]
}
% dfx ping https://2611p-6iaaa-aaaaa-qahmq-cai.ic0.app/ # OpenChat demo
{
  "ic_api_version": "0.17.0"  "impl_hash": "029b46fa3385c17f9a33f1616156f5be956701ea7109fe94d22b6ff828514461"  "impl_version": "8a560f9510b0df9e747ffaede3b731f2ade9c0b7"  "root_key": [48, 129, 130, 48, 29, 6, 13, 43, 6, 1, 4, 1, 130, 220, 124, 5, 3, 1, 2, 1, 6, 12, 43, 6, 1, 4, 1, 130, 220, 124, 5, 3, 2, 1, 3, 97, 0, 129, 76, 14, 110, 199, 31, 171, 88, 59, 8, 189, 129, 55, 60, 37, 92, 60, 55, 27, 46, 132, 134, 60, 152, 164, 241, 224, 139, 116, 35, 93, 20, 251, 93, 156, 12, 213, 70, 217, 104, 95, 145, 58, 12, 11, 44, 197, 52, 21, 131, 191, 75, 67, 146, 228, 103, 219, 150, 214, 91, 155, 180, 203, 113, 113, 18, 248, 71, 46, 13, 90, 77, 20, 80, 95, 253, 116, 132, 176, 18, 145, 9, 28, 95, 135, 185, 136, 131, 70, 63, 152, 9, 26, 11, 170, 174]
}

All of these give me the same root_key, suggesting that all is from the main network.

If someone happens to know the current OpenChat address, maybe I can try to recover my username using a similar trick as the older wallets (by changing the URL in the middle). Would be awesome if someone has a newer link :slight_smile:

Excuse me, what is the latest available official website address of open chat?

Correct, *.ic0.app should all be on the mainnet, in contrast to *.messaging.dfinity.network for example.

1 Like

Previously, you mentioned “Sodium” – was this also on *.ic0.app or was this on a different domain? As I was testing OpenChat on the weekend, and “full token liquidity” got enabled only on Monday, I’m not sure if I was using it on Sodium or on the real mainnet.

Sodium used to be served from ic0.app, and I think the switch was on Monday, but I am not sure.

2 Likes

i have logged in to internet identity portal with FaceID on my iphone. Attempting to log in via another device - it did not trigger a request on my iphone. now neither of them work - i do not get asked for my faceid anymore on my iphone. how do i fix this? thank you

1 Like

I have the exact same issue here. I cannot access my funds since my iPhone is not asking for the Face ID anymore. After deleting the Cache it only asks for a security key. I don’t have one only Face ID. Urgently need help

Regarding OpenChat, I found the current link https://7e6iv-biaaa-aaaaf-aaada-cai.ic0.app/
Since the previous version, they changed the log in to use Internet Identity instead of their own mechanism, and also the user names were reset so I could re-register them. Seems like the previous version was indeed still running on the test installation.

Bug report:
Trying to run the latest version of OpenChat at my phone and it’s only screen with “Installing Internet Computer Validating Service Worker” keeps refreshing.
iPhone XR, iOs 13.2.3

I did the same thing during the launch event.

What does “migrate” mean here? Would I get to keep using the original number?