Why is the identity different when logging in through a custom domain compared to logging in through the original address?

What is the reason for the difference in identity addresses between the one generated during deployment and the one after using a custom domain? Is there any way to make the addresses the same? :thinking:

What is the reason

In short, I think the reason is preventing tracking by generating a different identity per domain.

Not sure where it’s documented on the IC portal.

Yes, you can use a feature called “Alternative origin” or “derivation origin” to allow up to 10 domains to sign in with the same principal. You can find more information about this feature in the documentation: https://internetcomputer.org/docs/current/developer-docs/integrations/internet-identity/alternative-origins/

However, it’s important to note that there is a catch. This feature only works if the origin is a cryptic canister URL. For example, if you have a canister running at abcd.icp0.io and you want users to sign in on hello.com, it will only work if users sign in on hello.com using a derivation origin of abcd.icp0.io, not the other way around. So in Internet Identity, users will see a screen that says “hello.com is derived from abcd.icp0.io”. Fun fact, I have asked the II team if it would be possible to review this limitation, which was set by the security team, once again this week because a developer of Juno faced it no later than a few days ago.

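A pre-flight check for the setup described in the replies above, as an added example that is not part of the thread and not Internet Identity's own code. It assumes the file served at `/.well-known/ii-alternative-origins` is JSON of the form `{"alternativeOrigins": [...]}`, that entries must match the sign-in origin exactly, and that a canister URL matches the pattern below; `checkDerivationSetup` and `isBareOrigin` are hypothetical helper names.

```javascript
// Added example, not Internet Identity's own code.
// Assumed: canister URL pattern and the {"alternativeOrigins": [...]} file shape.
const CANISTER_ORIGIN = /^https:\/\/[\w-]+\.(icp0\.io|ic0\.app)$/;
const MAX_ALTERNATIVE_ORIGINS = 10; // limit quoted in the thread

// True when s is exactly scheme://host[:port], with no path or trailing slash.
function isBareOrigin(s) {
  try {
    return new URL(s).origin === s;
  } catch (err) {
    return false;
  }
}

// frontendOrigin: where the user signs in (e.g. the custom domain).
// derivationOrigin: the origin whose principal should be reused.
// fileBody: text served at <derivationOrigin>/.well-known/ii-alternative-origins.
function checkDerivationSetup(frontendOrigin, derivationOrigin, fileBody) {
  const problems = [];
  if (!CANISTER_ORIGIN.test(derivationOrigin)) {
    problems.push("derivation origin must be the canister URL, not a custom domain");
  }
  let listed;
  try {
    listed = JSON.parse(fileBody).alternativeOrigins;
  } catch (err) {
    listed = undefined;
  }
  if (!Array.isArray(listed)) {
    problems.push("file must be JSON with an alternativeOrigins array");
    return { ok: false, problems };
  }
  if (listed.length > MAX_ALTERNATIVE_ORIGINS) {
    problems.push(`more than ${MAX_ALTERNATIVE_ORIGINS} alternative origins listed`);
  }
  const malformed = listed.filter((entry) => !isBareOrigin(entry));
  if (malformed.length > 0) {
    problems.push(`entries are not bare origins: ${malformed.join(", ")}`);
  }
  if (!listed.includes(frontendOrigin)) {
    problems.push(`${frontendOrigin} is not listed by ${derivationOrigin}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample, using the thread's placeholder names.
const sample = checkDerivationSetup("https://hello.com", "https://abcd.icp0.io",
  JSON.stringify({ alternativeOrigins: ["https://hello.com"] }));
console.log(sample);
```

When the check passes, the canister URL is the value the custom-domain frontend passes as `derivationOrigin` in its `AuthClient.login` options.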