From 0d59af95e08e58fa87661d756246470ffb60bcd3 Mon Sep 17 00:00:00 2001
From: sea-snake <104725312+sea-snake@users.noreply.github.com>
Date: Fri, 3 Jan 2025 15:10:28 +0100
Subject: [PATCH] Implement OpenID add/remove accounts in identity management
 (#2762)

* Implement mock openID actor methods

* Implement (un)link account on manage page.

* Move Google client id to env variable.

* Move Google client id to env variable.

* Update CSP in test.

* Update CSP in test.

* Update CSP in test.

* Add OpenID to showcase

* Add OpenID to showcase

* Apply prettier to json

* Fix showcase

* Fix showcase

* Move callback path to shared constant.
---
 package.json                                  |   4 +-
 src/canister_tests/src/framework.rs           |   2 +-
 src/frontend/src/components/icons.ts          |  26 +++
 src/frontend/src/environment.ts               |   2 +
 src/frontend/src/featureFlags/index.ts        |   4 +-
 src/frontend/src/flows/manage/index.ts        |  82 +++++++-
 .../flows/manage/linkedAccountsSection.json   |  14 ++
 .../src/flows/manage/linkedAccountsSection.ts | 139 +++++++++++++
 src/frontend/src/flows/redirect.ts            |  45 ++++
 src/frontend/src/index.ts                     |   4 +
 src/frontend/src/styles/main.css              |  39 +++-
 src/frontend/src/utils/i18n.ts                |   5 +
 src/frontend/src/utils/iiConnection.ts        |  10 +-
 src/frontend/src/utils/mockOpenID.ts          |  23 +--
 src/frontend/src/utils/openID.ts              | 192 ++++++++++++++++++
 src/frontend/test-setup.ts                    |   1 +
 src/internet_identity/src/http.rs             |   2 +-
 src/showcase/src/constants.ts                 |   3 +
 src/showcase/src/pages/displayManage.astro    |   7 +
 .../displayManageCredentialsMultiple.astro    |  88 ++++++++
 .../displayManageCredentialsSingle.astro      |  76 +++++++
 .../src/pages/displayManageSingle.astro       |   7 +
 .../src/pages/displayManageTempKey.astro      |   7 +
 vite.config.ts                                |   3 +
 24 files changed, 747 insertions(+), 38 deletions(-)
 create mode 100644 src/frontend/src/flows/manage/linkedAccountsSection.json
 create mode 100644 src/frontend/src/flows/manage/linkedAccountsSection.ts
 create mode 100644 src/frontend/src/flows/redirect.ts
 create mode 100644 src/frontend/src/utils/openID.ts
 create mode 100644 src/showcase/src/pages/displayManageCredentialsMultiple.astro
 create mode 100644 src/showcase/src/pages/displayManageCredentialsSingle.astro

diff --git a/package.json b/package.json
index bb595442cf..87dd45436d 100644
--- a/package.json
+++ b/package.json
@@ -7,8 +7,8 @@
   "private": true,
   "license": "SEE LICENSE IN LICENSE.md",
   "scripts": {
-    "dev": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 vite",
-    "host": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 vite --host",
+    "dev": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 II_OPENID_GOOGLE_CLIENT_ID=45431994619-cbbfgtn7o0pp0dpfcg2l66bc4rcg7qbu.apps.googleusercontent.com vite",
+    "host": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 II_OPENID_GOOGLE_CLIENT_ID=45431994619-cbbfgtn7o0pp0dpfcg2l66bc4rcg7qbu.apps.googleusercontent.com vite --host",
     "showcase": "astro dev --root ./src/showcase",
     "build": "tsc --noEmit && vite build",
     "check": "tsc --project ./tsconfig.all.json --noEmit",
diff --git a/src/canister_tests/src/framework.rs b/src/canister_tests/src/framework.rs
index 0bc05dc661..e980a61d2a 100644
--- a/src/canister_tests/src/framework.rs
+++ b/src/canister_tests/src/framework.rs
@@ -433,7 +433,7 @@ xr-spatial-tracking=()",
     let rgx = Regex::new(
         "^default-src 'none';\
 connect-src 'self' https:;\
-img-src 'self' data:;\
+img-src 'self' data: https://\\*.googleusercontent.com;\
 script-src 'strict-dynamic' ('[^']+' )*'unsafe-inline' 'unsafe-eval' https:;\
 base-uri 'none';\
 form-action 'none';\
diff --git a/src/frontend/src/components/icons.ts b/src/frontend/src/components/icons.ts
index f82f1829d6..0c8be576f7 100644
--- a/src/frontend/src/components/icons.ts
+++ b/src/frontend/src/components/icons.ts
@@ -445,3 +445,29 @@ export const cypherIcon = html`
     />
   </svg>
 `;
+
+export const googleIcon = html`
+  <svg
+    xmlns="http://www.w3.org/2000/svg"
+    height="24"
+    viewBox="0 0 24 24"
+    width="24"
+  >
+    <path
+      d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"
+      fill="#4285F4"
+    />
+    <path
+      d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"
+      fill="#34A853"
+    />
+    <path
+      d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"
+      fill="#FBBC05"
+    />
+    <path
+      d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"
+      fill="#EA4335"
+    />
+  </svg>
+`;
diff --git a/src/frontend/src/environment.ts b/src/frontend/src/environment.ts
index ed36419d65..1b98538d67 100644
--- a/src/frontend/src/environment.ts
+++ b/src/frontend/src/environment.ts
@@ -5,3 +5,5 @@ export const VERSION = import.meta.env.II_VERSION ?? "";
 export const FETCH_ROOT_KEY = import.meta.env.II_FETCH_ROOT_KEY === "1";
 export const DUMMY_AUTH = import.meta.env.II_DUMMY_AUTH === "1";
 export const DUMMY_CAPTCHA = import.meta.env.II_DUMMY_CAPTCHA === "1";
+export const II_OPENID_GOOGLE_CLIENT_ID = import.meta.env
+  .II_OPENID_GOOGLE_CLIENT_ID;
diff --git a/src/frontend/src/featureFlags/index.ts b/src/frontend/src/featureFlags/index.ts
index 0b0c8d8aa4..14cd4c9b91 100644
--- a/src/frontend/src/featureFlags/index.ts
+++ b/src/frontend/src/featureFlags/index.ts
@@ -1,6 +1,7 @@
 // Feature flags with default values
 const FEATURE_FLAGS_WITH_DEFAULTS = {
   DOMAIN_COMPATIBILITY: false,
+  OPENID_AUTHENTICATION: false,
 } as const satisfies Record<string, boolean>;
 
 const LOCALSTORAGE_FEATURE_FLAGS_PREFIX = "ii-localstorage-feature-flags__";
@@ -63,4 +64,5 @@ const initializedFeatureFlags = Object.fromEntries(
 window.__featureFlags = initializedFeatureFlags;
 
 // Export initialized feature flags as named exports
-export const { DOMAIN_COMPATIBILITY } = initializedFeatureFlags;
+export const { DOMAIN_COMPATIBILITY, OPENID_AUTHENTICATION } =
+  initializedFeatureFlags;
diff --git a/src/frontend/src/flows/manage/index.ts b/src/frontend/src/flows/manage/index.ts
index c05f94d57e..e647d662d7 100644
--- a/src/frontend/src/flows/manage/index.ts
+++ b/src/frontend/src/flows/manage/index.ts
@@ -15,10 +15,13 @@ import { logoutSection } from "$src/components/logout";
 import { mainWindow } from "$src/components/mainWindow";
 import { toast } from "$src/components/toast";
 import { ENABLE_PIN_QUERY_PARAM_KEY, LEGACY_II_URL } from "$src/config";
+import { OPENID_AUTHENTICATION } from "$src/featureFlags";
 import { addDevice } from "$src/flows/addDevice/manage/addDevice";
 import { dappsExplorer } from "$src/flows/dappsExplorer";
 import { KnownDapp, getDapps } from "$src/flows/dappsExplorer/dapps";
 import { dappsHeader, dappsTeaser } from "$src/flows/dappsExplorer/teaser";
+import { linkedAccountsSection } from "$src/flows/manage/linkedAccountsSection";
+import copyJson from "$src/flows/manage/linkedAccountsSection.json";
 import {
   TempKeyWarningAction,
   tempKeyWarningBox,
@@ -29,6 +32,14 @@ import { setupKey, setupPhrase } from "$src/flows/recovery/setupRecovery";
 import { I18n } from "$src/i18n";
 import { AuthenticatedConnection, Connection } from "$src/utils/iiConnection";
 import { TemplateElement, renderPage } from "$src/utils/lit-html";
+import { OpenIDCredential } from "$src/utils/mockOpenID";
+import {
+  GOOGLE_REQUEST_CONFIG,
+  createAnonymousNonce,
+  decodeJWT,
+  isPermissionError,
+  requestJWT,
+} from "$src/utils/openID";
 import { PreLoadImage } from "$src/utils/preLoadImage";
 import {
   isProtected,
@@ -147,6 +158,9 @@ const displayManageTemplate = ({
   onAddDevice,
   addRecoveryPhrase,
   addRecoveryKey,
+  credentials,
+  onLinkAccount,
+  onUnlinkAccount,
   dapps,
   exploreDapps,
   identityBackground,
@@ -157,6 +171,9 @@ const displayManageTemplate = ({
   onAddDevice: () => void;
   addRecoveryPhrase: () => void;
   addRecoveryKey: () => void;
+  credentials: OpenIDCredential[];
+  onLinkAccount: () => void;
+  onUnlinkAccount: (credential: OpenIDCredential) => void;
   dapps: KnownDapp[];
   exploreDapps: () => void;
   identityBackground: PreLoadImage;
@@ -182,6 +199,14 @@ const displayManageTemplate = ({
       onAddDevice,
       warnNoPasskeys,
     })}
+    ${OPENID_AUTHENTICATION.isEnabled()
+      ? linkedAccountsSection({
+          credentials,
+          onLinkAccount,
+          onUnlinkAccount,
+          hasOtherAuthMethods: authenticators.length > 0,
+        })
+      : ""}
     ${recoveryMethodsSection({ recoveries, addRecoveryPhrase, addRecoveryKey })}
     <aside class="l-stack">
       ${dappsTeaser({
@@ -245,7 +270,7 @@ export const renderManage = async ({
   // There's nowhere to go from here (i.e. all flows lead to/start from this page), so we
   // loop forever
   for (;;) {
-    let anchorInfo: IdentityAnchorInfo;
+    let anchorInfo: IdentityAnchorInfo & { credentials: OpenIDCredential[] };
     try {
       // Ignore the `commitMetadata` response, it's not critical for the application.
       void connection.commitMetadata();
@@ -267,6 +292,7 @@ export const renderManage = async ({
       userNumber,
       connection,
       anchorInfo.devices,
+      anchorInfo.credentials,
       identityBackground
     );
     connection = newConnection ?? connection;
@@ -291,21 +317,32 @@ function isPinAuthenticated(
   );
 }
 
-export const displayManage = (
+export const displayManage = async (
   userNumber: bigint,
   connection: AuthenticatedConnection,
   devices_: DeviceWithUsage[],
+  credentials: OpenIDCredential[],
   identityBackground: PreLoadImage
 ): Promise<void | AuthenticatedConnection> => {
+  const i18n = new I18n();
+  const copy = i18n.i18n(copyJson);
+
   // Fetch the dapps used in the teaser & explorer
   // (dapps are suffled to encourage discovery of new dapps)
   const dapps = shuffleArray(getDapps());
+
+  // Create anonymous nonce and salt for connection principal
+  const { nonce, salt } = await createAnonymousNonce(
+    connection.identity.getPrincipal()
+  );
+
   return new Promise((resolve) => {
     const devices = devicesFromDevicesWithUsage({
       devices: devices_,
       userNumber,
       connection,
       reload: resolve,
+      hasOtherAuthMethods: credentials.length > 0,
     });
 
     if (devices.dupPhrase) {
@@ -334,6 +371,35 @@ export const displayManage = (
       resolve();
     };
 
+    const onLinkAccount = async () => {
+      try {
+        const jwt = await withLoader(() =>
+          requestJWT(GOOGLE_REQUEST_CONFIG, {
+            mediation: "required",
+            nonce,
+          })
+        );
+        const { iss, sub } = decodeJWT(jwt);
+        if (credentials.find((c) => c.iss === iss && c.sub === sub)) {
+          toast.error(copy.account_already_linked);
+          return;
+        }
+        await connection.addJWT(jwt, salt);
+        resolve();
+      } catch (error) {
+        if (isPermissionError(error)) {
+          toast.error(copy.third_party_sign_in_permission_required);
+        }
+      }
+    };
+    const onUnlinkAccount = async (credential: OpenIDCredential) => {
+      if (!confirm(copy.unlink_account_confirmation.toString())) {
+        return;
+      }
+      await connection.removeJWT(credential.iss, credential.sub);
+      resolve();
+    };
+
     // Function to figure out what temp keys warning should be shown, if any.
     const determineTempKeysWarning = (): TempKeyWarningAction | undefined => {
       if (!isPinAuthenticated(devices_, connection)) {
@@ -369,6 +435,9 @@ export const displayManage = (
           await setupKey({ connection });
           resolve();
         },
+        credentials,
+        onLinkAccount,
+        onUnlinkAccount,
         dapps,
         exploreDapps: async () => {
           await dappsExplorer({ dapps });
@@ -445,11 +514,13 @@ export const devicesFromDevicesWithUsage = ({
   reload,
   connection,
   userNumber,
+  hasOtherAuthMethods,
 }: {
   devices: DeviceWithUsage[];
   reload: (connection?: AuthenticatedConnection) => void;
   connection: AuthenticatedConnection;
   userNumber: bigint;
+  hasOtherAuthMethods: boolean;
 }): Devices & { dupPhrase: boolean; dupKey: boolean } => {
   const hasSingleDevice = devices_.length <= 1;
 
@@ -478,9 +549,10 @@ export const devicesFromDevicesWithUsage = ({
         last_usage: device.last_usage,
         warn: domainWarning(device),
         rename: () => renameDevice({ connection, device, reload }),
-        remove: hasSingleDevice
-          ? undefined
-          : () => deleteDevice({ connection, device, reload }),
+        remove:
+          hasSingleDevice && !hasOtherAuthMethods
+            ? undefined
+            : () => deleteDevice({ connection, device, reload }),
       };
 
       if ("browser_storage_key" in device.key_type) {
diff --git a/src/frontend/src/flows/manage/linkedAccountsSection.json b/src/frontend/src/flows/manage/linkedAccountsSection.json
new file mode 100644
index 0000000000..9ebda31036
--- /dev/null
+++ b/src/frontend/src/flows/manage/linkedAccountsSection.json
@@ -0,0 +1,14 @@
+{
+  "en": {
+    "account_already_linked": "This account has already been linked",
+    "unlink_account_confirmation": "Do you want to unlink this account?",
+    "third_party_sign_in_permission_required": "You need to enable the \"Third-party sign-in\" browser permission for this site",
+    "link_your_account_to_hold_assets_and_sign_into_dapps": "Link your online account to hold assets and securely sign into dapps.",
+    "use_your_accounts_to_hold_assets_and_sign_into_dapps": "Use your online accounts to hold assets and securely sign into dapps.",
+    "link_account": "Link account",
+    "link_additional_account": "Link additional account",
+    "max_linked_accounts_reached": "You can link up to 100 online accounts. You must unlink an account before you can link another.",
+    "unlink": "Unlink",
+    "last_used": "Last used"
+  }
+}
diff --git a/src/frontend/src/flows/manage/linkedAccountsSection.ts b/src/frontend/src/flows/manage/linkedAccountsSection.ts
new file mode 100644
index 0000000000..729d342a78
--- /dev/null
+++ b/src/frontend/src/flows/manage/linkedAccountsSection.ts
@@ -0,0 +1,139 @@
+import { googleIcon } from "$src/components/icons";
+import copyJson from "$src/flows/manage/linkedAccountsSection.json";
+import { I18n } from "$src/i18n";
+import { OpenIDCredential } from "$src/utils/mockOpenID";
+import { getMetadataString } from "$src/utils/openID";
+import { formatLastUsage } from "$src/utils/time";
+import { nonNullish } from "@dfinity/utils";
+import { TemplateResult, html } from "lit-html";
+import { settingsDropdown } from "./settingsDropdown";
+
+// The maximum number of linked accounts we allow.
+// The canister limits the _total_ number of linked accounts to 100,
+// and we (the frontend) won't show a counter since this number is intentionally
+// high to avoid showing a usage counter while still having an actual limit.
+const MAX_CREDENTIALS = 100;
+
+export const linkedAccountsSection = ({
+  credentials,
+  onLinkAccount,
+  onUnlinkAccount,
+  hasOtherAuthMethods,
+}: {
+  credentials: OpenIDCredential[];
+  onLinkAccount: () => void;
+  onUnlinkAccount: (credential: OpenIDCredential) => void;
+  hasOtherAuthMethods: boolean;
+}): TemplateResult => {
+  const i18n = new I18n();
+  const copy = i18n.i18n(copyJson);
+  const unlinkAvailable = credentials.length > 1 || hasOtherAuthMethods;
+
+  return html` <aside
+    class="l-stack c-card c-card--narrow"
+    data-role="linked-accounts"
+  >
+    <h2 class="t-title">Linked Accounts</h2>
+    <p class="t-paragraph t-lead">
+      ${credentials.length === 0
+        ? copy.link_your_account_to_hold_assets_and_sign_into_dapps
+        : copy.use_your_accounts_to_hold_assets_and_sign_into_dapps}
+    </p>
+    <div class="c-action-list">
+      <ul>
+        ${credentials.map((credential, index) =>
+          accountItem({
+            credential,
+            index,
+            unlink: onUnlinkAccount,
+            unlinkAvailable,
+          })
+        )}
+      </ul>
+      <div class="c-action-list__actions">
+        <button
+          ?disabled=${credentials.length >= MAX_CREDENTIALS}
+          class="c-button c-button--primary c-tooltip c-tooltip--onDisabled c-tooltip--left"
+          @click="${() => onLinkAccount()}"
+          id="linkAdditionalAccount"
+        >
+          <span class="c-tooltip__message c-card c-card--tight">
+            ${copy.max_linked_accounts_reached}
+          </span>
+          <span>
+            ${credentials.length === 0
+              ? copy.link_account
+              : copy.link_additional_account}
+          </span>
+        </button>
+      </div>
+    </div>
+  </aside>`;
+};
+
+export const accountItem = ({
+  credential,
+  index,
+  unlink,
+  unlinkAvailable,
+}: {
+  credential: OpenIDCredential;
+  index: number;
+  unlink: (credential: OpenIDCredential) => void;
+  unlinkAvailable: boolean;
+}) => {
+  const i18n = new I18n();
+  const copy = i18n.i18n(copyJson);
+  const settings = [
+    {
+      action: "unlink",
+      caption: copy.unlink.toString(),
+      fn: () => unlink(credential),
+    },
+  ];
+
+  const lastUsageTimeStamp = new Date(
+    Number(credential.last_usage_timestamp / BigInt(1000000))
+  );
+  const lastUsageFormattedString = formatLastUsage(lastUsageTimeStamp);
+  const name = getMetadataString(credential.metadata, "name");
+  const email = getMetadataString(credential.metadata, "email");
+  const picture = getMetadataString(credential.metadata, "picture");
+
+  return html`
+    <li class="c-action-list__item" data-account=${credential.sub}>
+      ${
+        nonNullish(picture)
+          ? html` <div class="c-action-list__avatar">
+              <img src="${picture}" alt="" aria-hidden="true" loading="lazy" />
+              <div class="c-action-list__avatar--badge">${googleIcon}</div>
+            </div>`
+          : ""
+      }
+      <div class="c-action-list__label--stacked c-action-list__label">
+        <div class="c-action-list__label c-action-list__label--spacer">
+          <div class="c-action-list__label">
+            <span class="c-tooltip" tabindex="0">
+              <span class="c-tooltip__message c-card c-card--tight t-nowrap">${email}</span
+              <span>${name}</span>
+            </span>
+          </div>
+          ${
+            unlinkAvailable
+              ? settingsDropdown({
+                  alias: credential.sub,
+                  id: `account-${index}`,
+                  settings,
+                })
+              : ""
+          }
+        </div>
+        <div>
+          <div class="t-muted">
+            ${copy.last_used}: ${lastUsageFormattedString}
+          </div>
+        </div>
+      </div>
+    </li>
+  `;
+};
diff --git a/src/frontend/src/flows/redirect.ts b/src/frontend/src/flows/redirect.ts
new file mode 100644
index 0000000000..3befcb000b
--- /dev/null
+++ b/src/frontend/src/flows/redirect.ts
@@ -0,0 +1,45 @@
+import { withLoader } from "$src/components/loader";
+
+export const REDIRECT_CALLBACK_PATH = "/callback";
+
+export const callbackFlow = (): Promise<never> => {
+  // User was returned here after redirect from a OpenID flow callback,
+  // these flows are always handled in a popup and the callback url is
+  // returned to the opener window through the PostMessage API.
+  window.opener.postMessage(window.location.href, window.location.origin);
+
+  return withLoader(
+    () =>
+      new Promise<never>((_) => {
+        /* halt */
+      })
+  );
+};
+
+export const redirectInPopup = (url: string): Promise<string> => {
+  const callbackPromise = new Promise<string>((resolve) => {
+    const listener = (event: MessageEvent) => {
+      if (
+        event.source === redirectWindow &&
+        event.origin === window.location.origin &&
+        typeof event.data === "string"
+      ) {
+        window.removeEventListener("message", listener);
+        redirectWindow?.close();
+        window.focus();
+        resolve(event.data);
+      }
+    };
+    window.addEventListener("message", listener);
+  });
+  const width = 500;
+  const height = 600;
+  const left = (window.innerWidth - width) / 2 + window.screenX;
+  const top = (window.innerHeight - height) / 2 + window.screenY;
+  const redirectWindow = window.open(
+    url,
+    "_blank",
+    `width=${width},height=${height},left=${left},top=${top}`
+  );
+  return callbackPromise;
+};
diff --git a/src/frontend/src/index.ts b/src/frontend/src/index.ts
index c535bdf56e..e50488e77b 100644
--- a/src/frontend/src/index.ts
+++ b/src/frontend/src/index.ts
@@ -1,4 +1,5 @@
 import { handleLoginFlowResult } from "$src/components/authenticateBox";
+import { callbackFlow, REDIRECT_CALLBACK_PATH } from "$src/flows/redirect";
 import { nonNullish } from "@dfinity/utils";
 import { registerTentativeDevice } from "./flows/addDevice/welcomeView/registerTentativeDevice";
 import { authFlowAuthorize } from "./flows/authorize";
@@ -43,6 +44,9 @@ void createSpa(async (connection) => {
   if (url.hash === "#authorize") {
     // User was brought here by a dapp for authorization
     return authFlowAuthorize(connection);
+  } else if (url.pathname === REDIRECT_CALLBACK_PATH) {
+    // User was returned here after redirect from a OpenID flow callback
+    return callbackFlow();
   } else {
     // The default flow
     return authFlowManage(connection);
diff --git a/src/frontend/src/styles/main.css b/src/frontend/src/styles/main.css
index 0993d197b2..9a274ef524 100644
--- a/src/frontend/src/styles/main.css
+++ b/src/frontend/src/styles/main.css
@@ -284,7 +284,7 @@
 
   --rs-list-item-stack: calc(var(--vs-stack) * 1.5);
   --rs-list-parcel-bezel: var(--vs-bezel);
-  --rs-list-gutter: var(--vs-gutter);
+  --rs-list-gutter: calc(var(--vs-gutter) * 2);
 
   --rs-footer-stack: var(--vs-stack);
   --rs-footer-gutter: calc(var(--vs-gutter) * 3.5);
@@ -603,6 +603,10 @@ body {
   hyphens: auto;
 }
 
+.t-nowrap {
+  white-space: nowrap;
+}
+
 a,
 .t-link {
   display: inline;
@@ -2724,6 +2728,39 @@ a.c-action-list__item {
   transform: translateY(-50%);
 }
 
+.c-action-list__avatar {
+  height: 4rem;
+  width: 4rem;
+  position: relative;
+}
+
+.c-action-list__avatar img {
+  width: 100%;
+  height: 100%;
+  border-radius: 50%;
+  object-fit: cover;
+}
+
+.c-action-list__avatar--badge {
+  width: 2rem;
+  height: 2rem;
+  position: absolute;
+  bottom: -0.2rem;
+  right: -0.2rem;
+  background: var(--rc-light);
+  border-radius: 50%;
+  overflow: hidden;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  border: 1px solid var(--rc-line);
+}
+
+.c-action-list__avatar--badge svg {
+  width: 1.6rem;
+  height: 1.6rem;
+}
+
 .c-action-list__item + .c-action-list__item::before {
   content: "";
   display: block;
diff --git a/src/frontend/src/utils/i18n.ts b/src/frontend/src/utils/i18n.ts
index 523af76b5c..a904742ed6 100644
--- a/src/frontend/src/utils/i18n.ts
+++ b/src/frontend/src/utils/i18n.ts
@@ -46,6 +46,11 @@ export class I18n<Lang extends string> {
       });
 
       acc[k] = asyncReplace(value);
+
+      // Implement `toString` to return plain text translation label,
+      // to be used outside of lit html renders e.g. native confirm modal
+      acc[k].toString = () => copy[this.lang][k];
+
       return acc;
     }, {} as DynamicCopy<Keys>);
 
diff --git a/src/frontend/src/utils/iiConnection.ts b/src/frontend/src/utils/iiConnection.ts
index d84ec06af9..032b10c10d 100644
--- a/src/frontend/src/utils/iiConnection.ts
+++ b/src/frontend/src/utils/iiConnection.ts
@@ -918,17 +918,11 @@ export class AuthenticatedConnection extends Connection {
   };
 
   addJWT = async (jwt: JWT, salt: Salt): Promise<void> => {
-    const result = await this._mockOpenID.add_jwt(this.userNumber, jwt, salt);
-    if ("Err" in result) {
-      throw new Error(result.Err);
-    }
+    await this._mockOpenID.add_jwt(this.userNumber, jwt, salt);
   };
 
   removeJWT = async (iss: string, sub: string): Promise<void> => {
-    const result = await this._mockOpenID.remove_jwt(this.userNumber, iss, sub);
-    if ("Err" in result) {
-      throw new Error(result.Err);
-    }
+    await this._mockOpenID.remove_jwt(this.userNumber, iss, sub);
   };
 }
 
diff --git a/src/frontend/src/utils/mockOpenID.ts b/src/frontend/src/utils/mockOpenID.ts
index 9e698d1e77..878ec0aec2 100644
--- a/src/frontend/src/utils/mockOpenID.ts
+++ b/src/frontend/src/utils/mockOpenID.ts
@@ -17,20 +17,9 @@ export interface OpenIDCredential {
 export class MockOpenID {
   #credentials: OpenIDCredential[] = [];
 
-  add_jwt(
-    _userNumber: UserNumber,
-    jwt: JWT,
-    _salt: Salt
-  ): Promise<{ Ok: null } | { Err: string }> {
+  add_jwt(_userNumber: UserNumber, jwt: JWT, _salt: Salt): Promise<void> {
     const [_header, body, _signature] = jwt.split(".");
     const { iss, sub, aud, email, name, picture } = JSON.parse(atob(body));
-    if (
-      this.#credentials.find(
-        (credential) => credential.iss === iss && credential.sub === sub
-      )
-    ) {
-      return Promise.resolve({ Err: "This account has already been linked" });
-    }
     this.#credentials.push({
       iss,
       sub,
@@ -43,19 +32,15 @@ export class MockOpenID {
         ["picture", { String: picture }],
       ],
     });
-    return Promise.resolve({ Ok: null });
+    return Promise.resolve();
   }
 
-  remove_jwt(
-    _userNumber: UserNumber,
-    iss: string,
-    sub: string
-  ): Promise<{ Ok: null } | { Err: string }> {
+  remove_jwt(_userNumber: UserNumber, iss: string, sub: string): Promise<void> {
     const index = this.#credentials.findIndex(
       (credential) => credential.iss === iss && credential.sub === sub
     );
     this.#credentials.splice(index, 1);
-    return Promise.resolve({ Ok: null });
+    return Promise.resolve();
   }
 
   get_anchor_info(_userNumber: UserNumber): Promise<{
diff --git a/src/frontend/src/utils/openID.ts b/src/frontend/src/utils/openID.ts
new file mode 100644
index 0000000000..9c190ce216
--- /dev/null
+++ b/src/frontend/src/utils/openID.ts
@@ -0,0 +1,192 @@
+import { MetadataMapV2 } from "$generated/internet_identity_types";
+import { II_OPENID_GOOGLE_CLIENT_ID } from "$src/environment";
+import { REDIRECT_CALLBACK_PATH, redirectInPopup } from "$src/flows/redirect";
+import { Principal } from "@dfinity/principal";
+import { isNullish, nonNullish } from "@dfinity/utils";
+
+export interface RequestConfig {
+  // OAuth client ID
+  clientId: string;
+  // OAuth authentication URL
+  authURL: string;
+  // Optional, FedCM config URL
+  configURL?: string;
+}
+
+export interface RequestOptions {
+  // Nonce created from a principal with `createAnonymousNonce`
+  nonce: string;
+  // Optional, account identifier (e.g. email) used as login hint
+  loginHint?: string;
+  // Optional, see: https://developers.google.com/privacy-sandbox/blog/fedcm-auto-reauthn#mediation-options
+  mediation?: CredentialMediationRequirement;
+}
+
+export const GOOGLE_REQUEST_CONFIG: RequestConfig = {
+  clientId: II_OPENID_GOOGLE_CLIENT_ID,
+  authURL: "https://accounts.google.com/o/oauth2/v2/auth",
+  configURL: "https://accounts.google.com/gsi/fedcm.json",
+};
+
+/**
+ * Request JWT with the FedCM API
+ * @param config of the OpenID provider
+ * @param options for the JWT request
+ */
+const requestWithCredentials = async (
+  config: Omit<RequestConfig, "authURL">,
+  options: RequestOptions
+): Promise<string> => {
+  const identityCredential = await navigator.credentials.get({
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    identity: {
+      providers: [
+        {
+          configURL: config.configURL,
+          clientId: config.clientId,
+          nonce: options.nonce,
+          loginHint: options.loginHint,
+        },
+      ],
+    },
+    mediation: options.mediation,
+  });
+
+  if (
+    identityCredential?.type !== "identity" ||
+    !("token" in identityCredential) ||
+    typeof identityCredential.token !== "string"
+  ) {
+    // This should be unreachable in FedCM spec compliant browsers
+    throw new Error("Invalid credential received from FedCM API");
+  }
+
+  return identityCredential.token;
+};
+
+/**
+ * @param error to check whether it is a FedCM not supported error
+ */
+export const isNotSupportedError = (error: unknown) =>
+  error instanceof Error && error.name === "NotSupportedError";
+
+/**
+ * @param error to check whether it is a FedCM no permission error
+ */
+export const isPermissionError = (error: unknown) =>
+  error instanceof Error && error.name === "NetworkError";
+
+const toBase64 = (bytes: ArrayBuffer): string =>
+  btoa(String.fromCharCode(...new Uint8Array(bytes)));
+
+const toBase64URL = (bytes: ArrayBuffer): string =>
+  toBase64(bytes).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+
+/**
+ * Request JWT through redirect flow in a popup
+ * @param config of the OpenID provider
+ * @param options for the JWT request
+ */
+const requestWithRedirect = async (
+  config: Omit<RequestConfig, "configURL">,
+  options: RequestOptions
+): Promise<string> => {
+  const state = toBase64URL(window.crypto.getRandomValues(new Uint8Array(12)));
+  const redirectURL = new URL(REDIRECT_CALLBACK_PATH, window.location.origin);
+  const authURL = new URL(config.authURL);
+  authURL.searchParams.set("response_type", "id_token");
+  authURL.searchParams.set("client_id", config.clientId);
+  authURL.searchParams.set("redirect_uri", redirectURL.href);
+  authURL.searchParams.set("scope", "openid profile email");
+  authURL.searchParams.set("state", state);
+  authURL.searchParams.set("nonce", options.nonce);
+  if (options.mediation === "required") {
+    authURL.searchParams.set(
+      "prompt",
+      isNullish(options.loginHint) ? "select_account" : "login"
+    );
+  }
+  if (options.mediation === "silent") {
+    authURL.searchParams.set("prompt", "silent");
+  }
+  if (nonNullish(options.loginHint)) {
+    authURL.searchParams.set("login_hint", options.loginHint);
+  }
+
+  const callback = await redirectInPopup(authURL.href);
+  const callbackURL = new URL(callback);
+  const searchParams = new URLSearchParams(callbackURL.hash);
+  const id_token = searchParams.get("id_token");
+  if (searchParams.get("state") === state) {
+    throw new Error("Invalid state");
+  }
+  if (isNullish(id_token)) {
+    throw new Error("No token received");
+  }
+
+  return id_token;
+};
+
+/**
+ * Create a salt and use it to anonymize the principal before using it as a
+ * nonce to make sure the principal identity and JWT are bound together.
+ *
+ * The II canister will not accept incoming JWT tokens calls where the caller
+ * is not equal to the principal that has been bound to the JWT token.
+ * @param principal to anonymize with a salt
+ */
+export const createAnonymousNonce = async (
+  principal: Principal
+): Promise<{ nonce: string; salt: Uint8Array }> => {
+  const salt = window.crypto.getRandomValues(new Uint8Array(32));
+  const bytes = new Uint8Array(32 + principal.toUint8Array().byteLength);
+  bytes.set(salt);
+  bytes.set(principal.toUint8Array(), 32);
+  const nonce = toBase64URL(
+    await window.crypto.subtle.digest("SHA-256", bytes)
+  );
+  return { nonce, salt };
+};
+
+/**
+ * Request JWT token through FedCM with redirect in a popup as fallback
+ * @param config of the OpenID provider
+ * @param options for the JWT request
+ */
+export const requestJWT = (
+  config: RequestConfig,
+  options: RequestOptions
+): Promise<string> => {
+  if (isNullish(config.configURL)) {
+    // FedCM is not supported for this OpenID Provider
+    return requestWithRedirect(config, options);
+  }
+  try {
+    return requestWithCredentials(config, options);
+  } catch (error) {
+    if (isNotSupportedError(error)) {
+      // FedCM is not supported in this browser
+      return requestWithRedirect(config, options);
+    }
+    throw error;
+  }
+};
+
+/**
+ * Decode a JWT token so it can be compared with others
+ * @param token to decode
+ * @returns common claims
+ */
+export const decodeJWT = (
+  token: string
+): { iss: string; sub: string; aud: string } => {
+  const [_header, body, _signature] = token.split(".");
+  const { iss, sub, aud } = JSON.parse(atob(body));
+  return { iss, sub, aud };
+};
+
+export const getMetadataString = (metadata: MetadataMapV2, key: string) => {
+  const value = metadata.find((entry) => entry[0] === key)?.[1];
+  return value && "String" in value ? value.String : undefined;
+};
diff --git a/src/frontend/test-setup.ts b/src/frontend/test-setup.ts
index c9a6669be8..8bd9878d08 100644
--- a/src/frontend/test-setup.ts
+++ b/src/frontend/test-setup.ts
@@ -7,6 +7,7 @@ vi.mock("./src/environment.ts", () => ({
   DUMMY_AUTH: false,
   DUMMY_CAPTCHA: false,
   VERSION: ",,clean",
+  II_OPENID_GOOGLE_CLIENT_ID: "",
 }));
 
 export type WebAuthnCredential = {
diff --git a/src/internet_identity/src/http.rs b/src/internet_identity/src/http.rs
index 2c3f0e73e0..3301f24974 100644
--- a/src/internet_identity/src/http.rs
+++ b/src/internet_identity/src/http.rs
@@ -189,7 +189,7 @@ fn content_security_policy_header(integrity_hashes: Vec<String>) -> String {
     let csp = format!(
         "default-src 'none';\
          connect-src {connect_src};\
-         img-src 'self' data:;\
+         img-src 'self' data: https://*.googleusercontent.com;\
          script-src {strict_dynamic} 'unsafe-inline' 'unsafe-eval' https:;\
          base-uri 'none';\
          form-action 'none';\
diff --git a/src/showcase/src/constants.ts b/src/showcase/src/constants.ts
index f8ecace4fc..db778a7bee 100644
--- a/src/showcase/src/constants.ts
+++ b/src/showcase/src/constants.ts
@@ -29,3 +29,6 @@ export const dummyChallenge: Challenge = {
     "iVBORw0KGgoAAAANSUhEUgAAANwAAAB4CAAAAAC8vMOlAAALq0lEQVR4nO1cCVgURxZ+g9yHcikiEg+8QERUNBI8CMFoMB4RlWg4NDFCXDVxV11XE4MblSgx7kKMoLuK4onAGhWVBEHxVogKAmvERBRBEeQWEGZmq6pnenqgB6V7hnX4+n3263p10X9X9av3XtUokkLHJZEATgAngBPACeAEcNBxSQAngBPACeAEcAI4AZwATgAngFMX6YBW0fLDZZ6Hm5JesbZWjZxVd/tk0JHAwDvBEfqvUF+LwHUyqENMTAneR41ePum0Z1p2NayD6LVvloWZTkBSium0v7+0idaM3HsPcyC14gOcLLaYnozvejedOgS4uIxw2N7VVy7Wj8rGtxkJHQJcmTUMn7iRkXE59Gf89Hf6t9ZKO745z24gymRiA/dPMZfGgNaDawyWwIrHynkzaw0Q39jqV6cV03LAXdBvaJHrlYZ5oZ3qdloxct8BDLnbIjd1OeY9fwLtBjcN4BcWzeFMeDZoNbiGBQDvsOQHpWP+1QKVDXXh9afJZ8Amma3AlvAilQ21YeSOATw5zVbQrxTzUx6gveCk/ojNZS0yI7wOtBecCI/MANYifQnmN4aBVoJ7jtlX6JrPXi4SYW4K2gjuGja5HuBp9wF7hSap1oJbmrXhS4A3FoJ8TWtButWYn56johReV+rTxSqVSu1BV3cVtcoJ76dd4PRMK+jnx2blCBX1yGIAg9gLX9dpaVYBi0aIFgGalxbbkZy0ir3esETM/bNYC3mMXJ0RiDuBRuijjPI9VYuhyCgK6/pjOKu3iqrEoO4+RM3gJHPE72/44ez3oHaqOnwANgWiRA9w/dUXms7jTFsVlW9i9p6ItYy7PyfeTZxheOsiqJtMa41n7qGSK53mQe5gnEofy1651wPEfp7AVsR95K6uo+6X3qioArXSilootJClQ/oC3KYQs1fOwdiGsmLjoVDSCjE3iPd6WK3fFdRINd/BZ3JsgLDBA5JSEWLej9lqUDM4gs08zPdM5MnG0oGgNrrqCN//qJRT3NqT7kTXlNnsZTxiKLOPIOa3F7/RlOJA39HLQT1kXAfNHurTf2F+y4Wtdg32DIrY1Q2PpYDMExfCvSFtd8KsXsCPqBd9vK6Ff1PP4M0pDF02KlQpj0W8J2Zys2iXITjMBD4kEhF1eN0P4MdmRcSxkVlazSh5M4DlL6B2cO6YmcilvMHihIfcO0O+iwUJifjWgXmXZoUGhD9laZYyvQl6pwxRP7hJmL2QS71RlMPlJMeusFtW+AynatAL+qx5MfUGC1gaTq6H2TdV+ap8wBlYIlZJi3adoYLbxCQe53AquLoGPdKS5hVsCM9v0bBmFXq3h7uABsARD/m/CvFPyNy81OZORJQzLQuH4M/NjVYPy3fd90xfv4H6uuFmZbOmKwdsAq8LrfTNx+VZevUQnFOIM5HiCszTa1MXMfNH3qmakUjLBU3IUJSlZxtjE8xTqjvBkcjZKb7Mpk0XwxH/xKOV3vmMnM5euWlEyBnhure7bV24+F+rLGLYN1vQNYZKLjxCzEspNK13Js6HeP/vjJa9TD3x7ZPrhZoBB3qTARRmMzHCEtvWw/BYJXu/AeMh43RgNTI95lEzNsnEjdyP/42u+M7IB9TOSP00nwrNgIMTEhgziN5beoSMsGQjMG9rL1HBiJ3zRMxgH8jWzxFojpcGSRLxmElEV4iR3hQn2rkXrQin6+3LMyCCeinF2RbuVZoAVw1RXaCcDm/0uYNYzcFKURu7CYlGbPxZxBZOBeiM7JS+okHQKLXyhIvEaJHek80PnZB083WiqUaF0zdIRz6Tt2+o2tGgbnANT8bMGzYMSsLlGWR+PJsT7CzXgG0mrGz7IDX4B9yvJKpuxUiS7xA6j9wlkn9XboPGyG/XrobR0XJf4IZrcFcPb+97LbrjoS03nczKwt/ISp/eZJUtIuBKu0aBjhREABxM8jx0WUJu+PaBMjvVxvUqubs7nq+kYkGu2VcKKK0ZJC3YT9Uqg+pLeB6pD1xteA2560icob7EHiQpWOqEDWnfeMRM246vGhuRFlOS5ofQWQ6yu/kJmDgqJHRb3Po6IzdZnmh3peVekjKxc3LzGqpGcEcJtomSyIDrYAgHP1xBTEMX/Jn7Y3Axm52dQ0NVNGYHToI9JRf671Jk0ebHILhhiXbpXMBIUaiXoD921Zqk3NIa9r/CHRwxDXSieupeW2IdCnMiKeNkrjFiPlZlAIfQhLrTolWNzBIZ68bSJbEeL+Q7MLJMFEnLlg30YcGsLstUPiJ3cL9h5tkbsUjQLdtKsOl2I0av3mwUajyBEi0ddKN9Obm59yQj09m6JOvxu0xs0Piyx+jSShl3cER9jKfSa+DGWQCPzIPm1JsOQODqq83ouvlXYBblt3T6CK1X3cvYg/tEJfRVyqoFHsR9KSCvhT4GkmYIZn4Z0z0pyR0H748q6n4dEHBCIaWVgR9rl2QXUXms0PwGY+BI3MFZYWZNiw+WVC/tQ0tofOAQLdUgnLGKlvGg04O1S7IUP1fKwjomEDgS5wBR8A7ErjPUggh67XhXls7vj0b2sZVMikE7h3rFcknco+TtVGZPtIGyGsdD3j/OLHPOAf0szqE1ziM3jjwoI2MrFPjI03hWNsXLJbwWNcbJpfQSULGdRr7KUqWsHGQrcA8bcgbnjR035vryxXgQ75QLo9F1UJZ+SHw+eloeAT1f9i6JxV3cxMjBa8PnwJk4g7P5GJodAUGeeIg8iBKArvOPqPQ+Ery6LIsSSP4DkyzZuyQfcCEzmrAV2dIczVRMnL+5IhTzWLmJkYGXZ1sZ2jJbpPO2/JmknfIscFDu61AipY+HA8qzkv7kiNMDhxSK9IzPC+B17o7zyPVAUZtTzAxsSxbL5qkVDhVQ0/J6Hmw3RPd9VEk8GE9V0aMD2SBQxEQ2TnlhuBn4EPelIMkMspXsDGxZbJOl8bmYDJKKBduZGA7lkEgTYaqJig57EtVLv7CyNXWQvwL4EHdw5tXQbxxDHos+Fqe/Uul6vHWHl6jGbpF/KUrGmpK4m5d0Hh07qNwNmZWeZxH7lgSOZV7MEF1r28VSO+BF3ME5uEM+U6F0RleuLG2IA5h4ET/1FOmWidhXj8Xh23iwmMjWF563MIUkt6T9hnYFvG6LbxdFAk/i4Ymjr8MtSiEyVTjRlmiIKmLBZSixJyEOK9JE8GXdZiNW6GBXzOPnjN5p7Z72w6HBwJt4bGGd3PETVNBG+VuXQeGjSfE7u+US/XlDONrYysZ7TzMS4NqbcMarWSdkVi4jG+u7w/Ll7devAXUQj5HzOWqs8LGeKkXyRW8AHrnYBjJoQ/CQnChHk9LWk7Un6tSa/zbyxVrDns3qwcYv+lWVJXGSOT0Jykc6ieGMYlbeJP4WhK4XcZAAfux/juwXgd6EjQv/afzFk8xAfjpSQfxOpx/+EN5+dsWwUTyM7BnQfeVhV2jSadiHQUKJHfoePSJGwNVRzTvAs9K+QGGEFPYENRK/41F+5ZWrwDzuG0eCTWHhOg7/FeA0mFJn7bpNQs7cxc3gMIq1E3+GgaVWbLx/VxBmJt9wMlikOG+zlVheQTGUFD+L3L78pkXrQGROP7YBTRH/H03sDdIhlvG6jxWv/YkdcobsY2SqscGW7PjmtPz1hlcamNSAxoj/wbY+VU6bjCMCpGsZUyoIYVt1X672l2FsLlIa2wW5G2iWBhEaxKamn7uUdJMqeSb7kW2Z6yiXrmBtGEYfu7vlepOKn9Ybwbw2bnn9P8A1o+cmMCKD8TfQvz/ocxxumdELSeIfy0Cs2RORGund2FQpqIO0qDvzjAoJ/9dGrBQt1/BpT82clFXak9h4FyIX05Jb5oDo1LF6umKVx/DUR+3wE7OH9kzJLRPGpet2fgbjzoGmqb1/P4ewYdrvwfcs1atQux/g7iSG8Hr9udAe1M7g5qfe+j0I2ouE/1VDACeAE8AJ4ARwAjgBnABOACeAE8BBxyUBnABOACeAE8AJ4DoyuP8B9QJKpv91V+kAAAAASUVORK5CYII=",
   challenge_key: "unimportant",
 };
+
+export const exampleAvatar =
+  "data:image/webp;base64,UklGRnABAABXRUJQVlA4IGQBAACwCwCdASqAAIAAPm02mkkkIyKhIQiogA2JZW7hdJvb34B+Kurt9jfIBuAOgBvAG8nERUEP8APjYPjYPjVf/KwUt4BdrOFJL6/VvEUNM5GTPUy+BVfbF/pd1qWpuzjYPs2xUYrwpIAA/v6436Y+y3P7tcVc9/uv3fAAg7le+4nQdl51f/nyO6S7f6Hb9U/AeMqLsuGr2a67A+Bzl2s/xLqetLmTe192XIN3ZZZbIfZT0MX+vwO8I7+9AUoy5vdAj0kn0i8YmPl+fteLtz5ogsAVR3n6UFlMF/DyrYjxGLECNiFjeAV/Y5+IpGO3rvTnVCucWoZpSrO4O+vlG3/CQIOXkNy7fVW7OfdomVKK1wIpJ/KxRqkVQRfuDFX4HV9dDxosEMvfq7LU8rcD+pEPYx8CTicwYbwHIK5dkVt68D1UIyvXeFKbwPMjrcHO7nEaFjfiPbVJ9vdmSiNvO4mVy2Mu+AAAAA==";
diff --git a/src/showcase/src/pages/displayManage.astro b/src/showcase/src/pages/displayManage.astro
index 210fd80655..691f69d1e0 100644
--- a/src/showcase/src/pages/displayManage.astro
+++ b/src/showcase/src/pages/displayManage.astro
@@ -57,6 +57,13 @@ import Screen from "../layouts/Screen.astro";
       addRecoveryKey: () => {
         toast.info("add recovery key");
       },
+      credentials: [],
+      onLinkAccount: () => {
+        toast.info("link account");
+      },
+      onUnlinkAccount: () => {
+        toast.info("unlink account");
+      },
       dapps,
       exploreDapps: () => {
         toast.info("explore dapps");
diff --git a/src/showcase/src/pages/displayManageCredentialsMultiple.astro b/src/showcase/src/pages/displayManageCredentialsMultiple.astro
new file mode 100644
index 0000000000..88d670fb81
--- /dev/null
+++ b/src/showcase/src/pages/displayManageCredentialsMultiple.astro
@@ -0,0 +1,88 @@
+---
+import Screen from "../layouts/Screen.astro";
+---
+
+<Screen title="Display Manage" pageName="displayManage">
+  <script>
+    import { toast } from "$src/components/toast";
+    import { exampleAvatar, userNumber } from "../constants";
+    import { dapps } from "../constants";
+    import { displayManagePage } from "$src/flows/manage";
+    import { html } from "lit-html";
+    import identityCardBackground from "$src/assets/identityCardBackground.png";
+    import { PreLoadImage } from "$src/utils/preLoadImage";
+    import { Principal } from "@dfinity/principal";
+    import { OPENID_AUTHENTICATION } from "../../../frontend/src/featureFlags";
+
+    OPENID_AUTHENTICATION.set(true);
+    const identityBackground = new PreLoadImage(identityCardBackground.src);
+
+    displayManagePage({
+      identityBackground,
+      userNumber,
+      devices: {
+        authenticators: [
+          {
+            alias: "Chrome on iPhone",
+            remove: () => toast.info("remove"),
+            rename: () => toast.info("rename"),
+            last_usage: [BigInt(Date.now() * 1000000)]
+          }
+        ],
+        recoveries: {
+          recoveryPhrase: {
+            isProtected: true,
+            unprotect: () => toast.info("unprotect"),
+            reset: () => toast.info("reset")
+          }
+        },
+        pinAuthenticators: [],
+      },
+      onAddDevice: () => {
+        toast.info("add device requested");
+      },
+      addRecoveryPhrase: () => {
+        toast.info("add recovery phrase");
+      },
+      addRecoveryKey: () => {
+        toast.info("add recovery key");
+      },
+      credentials: [
+        {
+          iss: "accounts.google.com",
+          sub: "2342987923",
+          aud: "example.com",
+          principal: Principal.anonymous(),
+          last_usage_timestamp: BigInt(1735825231139) * BigInt(1000000),
+          metadata: [
+            ["email", { String: "john.doe@gmail.com" }],
+            ["name", { String: "John Doe" }],
+            ["picture", { String: exampleAvatar }]
+          ]
+        },
+        {
+          iss: "accounts.google.com",
+          sub: "9238749827",
+          aud: "example.com",
+          principal: Principal.anonymous(),
+          last_usage_timestamp: BigInt(1735825231139) * BigInt(1000000),
+          metadata: [
+            ["email", { String: "jane.doe@gmail.com" }],
+            ["name", { String: "Jane Doe" }],
+            ["picture", { String: exampleAvatar }]
+          ]
+        }
+      ],
+      onLinkAccount: () => {
+        toast.info("link account");
+      },
+      onUnlinkAccount: () => {
+        toast.info("unlink account");
+      },
+      dapps,
+      exploreDapps: () => {
+        toast.info("explore dapps");
+      }
+    });
+  </script>
+</Screen>
\ No newline at end of file
diff --git a/src/showcase/src/pages/displayManageCredentialsSingle.astro b/src/showcase/src/pages/displayManageCredentialsSingle.astro
new file mode 100644
index 0000000000..ea8a60bc6d
--- /dev/null
+++ b/src/showcase/src/pages/displayManageCredentialsSingle.astro
@@ -0,0 +1,76 @@
+---
+import Screen from "../layouts/Screen.astro";
+---
+
+<Screen title="Display Manage" pageName="displayManage">
+  <script>
+    import { toast } from "$src/components/toast";
+    import { exampleAvatar, userNumber } from "../constants";
+    import { dapps } from "../constants";
+    import { displayManagePage } from "$src/flows/manage";
+    import { html } from "lit-html";
+    import identityCardBackground from "$src/assets/identityCardBackground.png";
+    import { PreLoadImage } from "$src/utils/preLoadImage";
+    import { Principal } from "@dfinity/principal";
+    import { OPENID_AUTHENTICATION } from "../../../frontend/src/featureFlags";
+
+    OPENID_AUTHENTICATION.set(true);
+    const identityBackground = new PreLoadImage(identityCardBackground.src);
+
+    displayManagePage({
+      identityBackground,
+      userNumber,
+      devices: {
+        authenticators: [
+          {
+            alias: "Chrome on iPhone",
+            remove: () => toast.info("remove"),
+            rename: () => toast.info("rename"),
+            last_usage: [BigInt(Date.now() * 1000000)]
+          }
+        ],
+        recoveries: {
+          recoveryPhrase: {
+            isProtected: true,
+            unprotect: () => toast.info("unprotect"),
+            reset: () => toast.info("reset")
+          }
+        },
+        pinAuthenticators: [],
+      },
+      onAddDevice: () => {
+        toast.info("add device requested");
+      },
+      addRecoveryPhrase: () => {
+        toast.info("add recovery phrase");
+      },
+      addRecoveryKey: () => {
+        toast.info("add recovery key");
+      },
+      credentials: [
+        {
+          iss: "accounts.google.com",
+          sub: "2342987923",
+          aud: "example.com",
+          principal: Principal.anonymous(),
+          last_usage_timestamp: BigInt(1735825231139) * BigInt(1000000),
+          metadata: [
+            ["email", { String: "john.doe@gmail.com" }],
+            ["name", { String: "John Doe" }],
+            ["picture", { String: exampleAvatar }]
+          ]
+        }
+      ],
+      onLinkAccount: () => {
+        toast.info("link account");
+      },
+      onUnlinkAccount: () => {
+        toast.info("unlink account");
+      },
+      dapps,
+      exploreDapps: () => {
+        toast.info("explore dapps");
+      }
+    });
+  </script>
+</Screen>
\ No newline at end of file
diff --git a/src/showcase/src/pages/displayManageSingle.astro b/src/showcase/src/pages/displayManageSingle.astro
index 7cded001a9..774f8123e1 100644
--- a/src/showcase/src/pages/displayManageSingle.astro
+++ b/src/showcase/src/pages/displayManageSingle.astro
@@ -36,6 +36,13 @@ import Screen from "../layouts/Screen.astro";
       addRecoveryKey: () => {
         toast.info("add recovery key");
       },
+      credentials: [],
+      onLinkAccount: () => {
+        toast.info("link account");
+      },
+      onUnlinkAccount: () => {
+        toast.info("unlink account");
+      },
       dapps,
       exploreDapps: () => {
         toast.info("explore dapps");
diff --git a/src/showcase/src/pages/displayManageTempKey.astro b/src/showcase/src/pages/displayManageTempKey.astro
index 10a20ceeae..b62921fbec 100644
--- a/src/showcase/src/pages/displayManageTempKey.astro
+++ b/src/showcase/src/pages/displayManageTempKey.astro
@@ -36,6 +36,13 @@ import Screen from "../layouts/Screen.astro";
       addRecoveryKey: () => {
         toast.info("add recovery key");
       },
+      credentials: [],
+      onLinkAccount: () => {
+        toast.info("link account");
+      },
+      onUnlinkAccount: () => {
+        toast.info("unlink account");
+      },
       dapps,
       exploreDapps: () => {
         toast.info("explore dapps");
diff --git a/vite.config.ts b/vite.config.ts
index 60f1e5fb59..d3bf7b2578 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -27,6 +27,9 @@ export default defineConfig(({ command, mode }): UserConfig => {
     II_DUMMY_AUTH: `${process.env.II_DUMMY_AUTH ?? "0"}`,
     II_DUMMY_CAPTCHA: `${process.env.II_DUMMY_CAPTCHA ?? "0"}`,
     II_VERSION: `${process.env.II_VERSION ?? ""}`,
+    II_OPENID_GOOGLE_CLIENT_ID: `${
+      process.env.II_OPENID_GOOGLE_CLIENT_ID ?? ""
+    }`,
   };
 
   // Path "../../" have to be expressed relative to the "root".