Why is there different versions of principal Ids for a single Internet Identity and how do the really work?

I have noticed that my internet identiy have so many different version of the principal ids, the one I get from the command line is different from the one I get from the browser locally, and its also different from the one I get from the broswer on the live network.
But now what really promted me to ask is that the ones I get from the browser are also changing and it’s really confusing me. I have implimented access control using these docs Internet Computer Loading, I assign a role to a certain principal Id, and then after some it changes and the access control is no longer working because the id have changed.

Some days ago I had assigned the admin role to this id like this:

dfx canister --network ic call my_canister assign_role '((principal "7oa___________xr-vhf6d-qdvov-cqe"),opt variant{admin})'

And then today I no longer had access because the principal id had changed to this to something else. This is not the first time.

How exactly does these principal ids work and what am I doing wrong on setting this access control system?. Thank you.

Hi @iamenochchirima

It looks like you’re using both Internet Identity (https://identity.ic0.app) and local identities (~/.config/dfx/identities).

It sounds like you’re trying to create a canister where users can authenticate through Internet Identity. That would mean you also have some frontend/asset canister. Can you clarify this is the case?

If so, then for each user (or rather each Internet Identity) a new principal will be created. These principals are generated for a particular URL only. That means that if your asset canister/frontend is reachable from two different URLs, then by default a user will get two different principals. You can however work around this using the alternative origin feature described here.

Let us know if that helps!

Okay I get it now that makes sense. The url for my assets canister had changed.