Implement Google JWT verification and OpenID Google client id init pa…

…rameter. (#2780) * Implement Google JWT verification and build time environment variables. * 🤖 cargo-fmt auto-update * Make env variable optional * Make env variable optional * Make env variable optional * Fix clippy complaints. * 🤖 cargo-fmt auto-update * Rewrite Google OpenIdProvider as trait implementation and add more extensive test coverage. * 🤖 cargo-fmt auto-update * Rewrite Google OpenIdProvider as trait implementation and add more extensive test coverage. * Fix integration tests * Simplify initialize * Add OpenID to config integration tests * 🤖 cargo-fmt auto-update * 🤖 npm run generate auto-update * Fix clippy * 🤖 cargo-fmt auto-update * Fix integration test --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
dfinity · Jan 15, 2025 · 760f271 · 760f271
1 parent bd8ac9a
commit 760f271
Show file tree

Hide file tree

Showing 16 changed files with 656 additions and 36 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -48,3 +48,4 @@ serde = "1"
 serde_bytes = "0.11"
 serde_cbor = "0.11"
 sha2 = "0.10"
+rsa = "0.9.7"
diff --git a/dfx.json b/dfx.json
@@ -6,7 +6,7 @@
       "wasm": "internet_identity.wasm.gz",
       "build": "bash -c 'II_DEV_CSP=1 II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=${II_DUMMY_CAPTCHA:-1} scripts/build'",
       "init_arg": "(opt record { captcha_config = opt record { max_unsolved_captchas= 50:nat64; captcha_trigger = variant {Static = variant {CaptchaDisabled}}}})",
-      "shrink" : false
+      "shrink": false
     },
     "test_app": {
       "type": "custom",
@@ -20,7 +20,7 @@
       "wasm": "demos/vc_issuer/vc_demo_issuer.wasm.gz",
       "build": "demos/vc_issuer/build.sh",
       "post_install": "bash -c 'demos/vc_issuer/provision'",
-      "dependencies": [ "internet_identity" ]
+      "dependencies": ["internet_identity"]
     }
   },
   "defaults": {

diff --git a/package.json b/package.json
@@ -7,8 +7,8 @@
   "private": true,
   "license": "SEE LICENSE IN LICENSE.md",
   "scripts": {
-    "dev": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 II_OPENID_GOOGLE_CLIENT_ID=45431994619-cbbfgtn7o0pp0dpfcg2l66bc4rcg7qbu.apps.googleusercontent.com vite",
-    "host": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 II_OPENID_GOOGLE_CLIENT_ID=45431994619-cbbfgtn7o0pp0dpfcg2l66bc4rcg7qbu.apps.googleusercontent.com vite --host",
+    "dev": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 II_OPENID_GOOGLE_CLIENT_ID=\"45431994619-cbbfgtn7o0pp0dpfcg2l66bc4rcg7qbu.apps.googleusercontent.com\" vite",
+    "host": "II_FETCH_ROOT_KEY=1 II_DUMMY_CAPTCHA=1 II_OPENID_GOOGLE_CLIENT_ID=\"45431994619-cbbfgtn7o0pp0dpfcg2l66bc4rcg7qbu.apps.googleusercontent.com\" vite --host",
     "showcase": "astro dev --root ./src/showcase",
     "build": "tsc --noEmit && vite build",
     "check": "tsc --project ./tsconfig.all.json --noEmit",

diff --git a/src/frontend/generated/internet_identity_idl.js b/src/frontend/generated/internet_identity_idl.js
@@ -31,6 +31,7 @@ export const idlFactory = ({ IDL }) => {
     'canister_creation_cycles_cost' : IDL.Opt(IDL.Nat64),
     'related_origins' : IDL.Opt(IDL.Vec(IDL.Text)),
     'captcha_config' : IDL.Opt(CaptchaConfig),
+    'openid_google_client_id' : IDL.Opt(IDL.Text),
     'register_rate_limit' : IDL.Opt(RateLimitConfig),
   });
   const UserNumber = IDL.Nat64;
@@ -561,6 +562,7 @@ export const init = ({ IDL }) => {
     'canister_creation_cycles_cost' : IDL.Opt(IDL.Nat64),
     'related_origins' : IDL.Opt(IDL.Vec(IDL.Text)),
     'captcha_config' : IDL.Opt(CaptchaConfig),
+    'openid_google_client_id' : IDL.Opt(IDL.Text),
     'register_rate_limit' : IDL.Opt(RateLimitConfig),
   });
   return [IDL.Opt(InternetIdentityInit)];

diff --git a/src/frontend/generated/internet_identity_types.d.ts b/src/frontend/generated/internet_identity_types.d.ts
@@ -205,6 +205,7 @@ export interface InternetIdentityInit {
   'canister_creation_cycles_cost' : [] | [bigint],
   'related_origins' : [] | [Array<string>],
   'captcha_config' : [] | [CaptchaConfig],
+  'openid_google_client_id' : [] | [string],
   'register_rate_limit' : [] | [RateLimitConfig],
 }
 export interface InternetIdentityStats {

diff --git a/src/internet_identity/Cargo.toml b/src/internet_identity/Cargo.toml
@@ -14,8 +14,9 @@ serde.workspace = true
 serde_bytes.workspace = true
 serde_cbor.workspace = true
 serde_json = { version = "1.0", default-features = false, features = ["std"] }
-sha2.workspace = true
+sha2 = { workspace = true, features = ["oid"]}
 base64.workspace = true
+rsa.workspace = true
 
 # Captcha deps
 lodepng = "*"

diff --git a/src/internet_identity/internet_identity.did b/src/internet_identity/internet_identity.did
@@ -259,6 +259,8 @@ type InternetIdentityInit = record {
     captcha_config: opt CaptchaConfig;
     // Configuration for Related Origins Requests
     related_origins: opt vec text;
+    // Configuration for OpenID Google client
+    openid_google_client_id: opt text;
 };
 
 type ChallengeKey = text;

diff --git a/src/internet_identity/src/main.rs b/src/internet_identity/src/main.rs
@@ -348,6 +348,7 @@ fn config() -> InternetIdentityInit {
         register_rate_limit: Some(persistent_state.registration_rate_limit.clone()),
         captcha_config: Some(persistent_state.captcha_config.clone()),
         related_origins: persistent_state.related_origins.clone(),
+        openid_google_client_id: persistent_state.openid_google_client_id.clone(),
     })
 }
 
@@ -387,15 +388,20 @@ fn post_upgrade(maybe_arg: Option<InternetIdentityInit>) {
 }
 
 fn initialize(maybe_arg: Option<InternetIdentityInit>) {
-    let state_related_origins = state::persistent_state(|storage| storage.related_origins.clone());
-    let related_origins = maybe_arg
-        .clone()
-        .map(|arg| arg.related_origins)
-        .unwrap_or(state_related_origins);
+    let related_origins = maybe_arg.as_ref().map_or_else(
+        || persistent_state(|storage| storage.related_origins.clone()),
+        |arg| arg.related_origins.clone(),
+    );
+    let openid_google_client_id = maybe_arg.as_ref().map_or_else(
+        || persistent_state(|storage| storage.openid_google_client_id.clone()),
+        |arg| arg.openid_google_client_id.clone(),
+    );
     init_assets(related_origins);
     apply_install_arg(maybe_arg);
     update_root_hash();
-    openid::setup_timers();
+    if let Some(client_id) = openid_google_client_id {
+        openid::setup_google(client_id);
+    }
 }
 
 fn apply_install_arg(maybe_arg: Option<InternetIdentityInit>) {
@@ -428,6 +434,11 @@ fn apply_install_arg(maybe_arg: Option<InternetIdentityInit>) {
                 persistent_state.related_origins = Some(related_origins);
             })
         }
+        if let Some(openid_google_client_id) = arg.openid_google_client_id {
+            state::persistent_state_mut(|persistent_state| {
+                persistent_state.openid_google_client_id = Some(openid_google_client_id);
+            })
+        }
     }
 }