feat: Enable new identity attribute verified_email (#3640)

# Motivation

Verified emails help app developers by informing then whether particular
emails have actually been verified.

# Changes

<!-- List the changes that have been developed -->

# Tests

Added "with verified_email attribute" e2e test for the happy scenario.

Edge cases specific to verified emails were already tested in Rust.

---------

Co-authored-by: sea-snake <sea-snake@outlook.com>

Author: aterga

.github/workflows/canister-tests.yml

@@ -518,7 +518,7 @@ jobs:
           svg='<svg viewBox=\\\"0 0 24 24\\\"><path d=\\\"m14 2.8-2.6 1.8v16.6l2.6-1.4zm-3.3 5.4C1.9 9 2 14.7 2 14.7c0 5.6 8.7 6.5 8.7 6.5v-1.9c-6.3-1-5.5-4.5-5.5-4.5.3-4 5.5-4.3 5.5-4.3Zm4 0v2.1s1.6 0 3 1.2l-1.5.6 5.8 1.4V9l-2 1.1s-1.7-1.7-5.3-1.9z\\\" style=\\\"fill: currentColor;\\\"></path></svg>'
           configs=()
           for port in ${{ env.openid_providers }}; do
-            configs+=("record { name = \\\"Test OpenID $port\\\"; logo = \\\"$svg\\\"; issuer = \\\"http://localhost:$port\\\"; client_id = \\\"internet_identity\\\"; jwks_uri = \\\"http://localhost:$port/jwks\\\"; auth_uri = \\\"http://localhost:$port/auth\\\"; auth_scope = vec { \\\"openid\\\"; \\\"profile\\\"; \\\"email\\\" }; fedcm_uri = opt \\\"\\\"; }")
+            configs+=("record { name = \\\"Test OpenID $port\\\"; logo = \\\"$svg\\\"; issuer = \\\"http://localhost:$port\\\"; client_id = \\\"internet_identity\\\"; jwks_uri = \\\"http://localhost:$port/jwks\\\"; auth_uri = \\\"http://localhost:$port/auth\\\"; auth_scope = vec { \\\"openid\\\"; \\\"profile\\\"; \\\"email\\\" }; fedcm_uri = opt \\\"\\\"; email_verification = opt variant { Google }; }")
           done
           openid_configs="$(IFS='; '; echo "${configs[*]}")"
           echo "OPENID_CONFIGS=$openid_configs" >> "$GITHUB_OUTPUT"

src/frontend/src/lib/generated/internet_identity_idl.js

@@ -15,12 +15,18 @@ export const idlFactory = ({ IDL }) => {
       'api_host' : IDL.Opt(IDL.Text),
     }),
   });
+  const OpenIdEmailVerification = IDL.Variant({
+    'Google' : IDL.Null,
+    'Unknown' : IDL.Null,
+    'Microsoft' : IDL.Null,
+  });
   const OpenIdConfig = IDL.Record({
     'auth_uri' : IDL.Text,
     'jwks_uri' : IDL.Text,
     'logo' : IDL.Text,
     'name' : IDL.Text,
     'fedcm_uri' : IDL.Opt(IDL.Text),
+    'email_verification' : IDL.Opt(OpenIdEmailVerification),
     'issuer' : IDL.Text,
     'auth_scope' : IDL.Vec(IDL.Text),
     'client_id' : IDL.Text,
@@ -899,12 +905,18 @@ export const init = ({ IDL }) => {
       'api_host' : IDL.Opt(IDL.Text),
     }),
   });
+  const OpenIdEmailVerification = IDL.Variant({
+    'Google' : IDL.Null,
+    'Unknown' : IDL.Null,
+    'Microsoft' : IDL.Null,
+  });
   const OpenIdConfig = IDL.Record({
     'auth_uri' : IDL.Text,
     'jwks_uri' : IDL.Text,
     'logo' : IDL.Text,
     'name' : IDL.Text,
     'fedcm_uri' : IDL.Opt(IDL.Text),
+    'email_verification' : IDL.Opt(OpenIdEmailVerification),
     'issuer' : IDL.Text,
     'auth_scope' : IDL.Vec(IDL.Text),
     'client_id' : IDL.Text,

src/frontend/src/lib/generated/internet_identity_types.d.ts

@@ -812,6 +812,7 @@ export interface OpenIdConfig {
   'logo' : string,
   'name' : string,
   'fedcm_uri' : [] | [string],
+  'email_verification' : [] | [OpenIdEmailVerification],
   'issuer' : string,
   'auth_scope' : Array<string>,
   'client_id' : string,
@@ -838,6 +839,9 @@ export type OpenIdDelegationError = { 'NoSuchDelegation' : null } |
   { 'NoSuchAnchor' : null } |
   { 'JwtExpired' : null } |
   { 'JwtVerificationFailed' : null };
+export type OpenIdEmailVerification = { 'Google' : null } |
+  { 'Unknown' : null } |
+  { 'Microsoft' : null };
 export interface OpenIdPrepareDelegationResponse {
   'user_key' : UserKey,
   'expiration' : Timestamp,

src/frontend/src/lib/utils/lastUsedIdentity.spec.ts

@@ -57,6 +57,7 @@ describe("lastUsedIdentityTypeName", () => {
             logo: "https://example.com/logo.png",
             fedcm_uri: [],
             auth_scope: ["openid"],
+            email_verification: [],
           },
         ],
       ],
@@ -88,6 +89,7 @@ describe("lastUsedIdentityTypeName", () => {
             logo: "https://other.example/logo.png",
             fedcm_uri: [],
             auth_scope: ["openid"],
+            email_verification: [],
           },
         ],
       ],

src/frontend/src/lib/utils/openID.test.ts

@@ -177,6 +177,7 @@ const createOpenIDConfig = (issuer: string): OpenIdConfig => ({
   issuer,
   auth_scope: ["test"],
   client_id: "test",
+  email_verification: [],
 });
 
 describe("findConfig", () => {

src/frontend/src/routes/(new-styling)/(resuming-channel)/resume-openid-authorize/+page.svelte

@@ -53,7 +53,8 @@
       const implicitConsentAttributeKeys = paramsResult.data.attributes.filter(
         (attribute) =>
           attribute === `openid:${issuer}:name` ||
-          attribute === `openid:${issuer}:email`,
+          attribute === `openid:${issuer}:email` ||
+          attribute === `openid:${issuer}:verified_email`,
       );
       try {
         const { attributes, issued_at_timestamp_ns } =
@@ -111,6 +112,7 @@
 
   onMount(async () => {
     const searchParams = new URLSearchParams(window.location.hash.slice(1));
+    console.log("Search params:", window.location.hash);
     window.history.replaceState(
       undefined,
       "",
@@ -143,8 +145,12 @@
       });
       directOpenIdFunnel.trigger(DirectOpenIdEvents.CallbackFromOpenId);
       const authFlowResult = await authFlow.continueWithOpenId(config, jwt);
+      const { name, email } = decodeJWT(jwt);
       if (authFlowResult.type === "signUp") {
-        await authFlow.completeOpenIdRegistration(authFlowResult.name!);
+        await authFlow.completeOpenIdRegistration(
+          // Prefer name, then email prefix, then fallback to a generic name
+          name ?? email?.split("@")[0] ?? $t`${config.name} user`,
+        );
       }
       if (
         dapp?.certifiedAttributes === true ||

src/frontend/tests/e2e-playwright/authorize/openid.spec.ts

@@ -143,4 +143,42 @@ test.describe("Authorize with direct OpenID", () => {
       await signInWithOpenId(authorizePage.page, openIdUsers[0].id);
     });
   });
+
+  test.describe("with verified_email attribute", () => {
+    const email = "john.doe@example.com";
+
+    test.use({
+      openIdConfig: {
+        defaultPort: DEFAULT_OPENID_PORT,
+        createUsers: [
+          {
+            claims: { email, email_verified: "true" },
+          },
+        ],
+      },
+      authorizeConfig: {
+        protocol: "icrc25",
+        openid: `http://localhost:${DEFAULT_OPENID_PORT}`,
+        attributes: [
+          `openid:http://localhost:${DEFAULT_OPENID_PORT}:verified_email`,
+        ],
+      },
+    });
+
+    test.afterEach(({ authorizedPrincipal, authorizedAttributes }) => {
+      expect(authorizedPrincipal?.isAnonymous()).toBe(false);
+      expect(authorizedAttributes).toEqual({
+        [`openid:http://localhost:${DEFAULT_OPENID_PORT}:verified_email`]:
+          email,
+      });
+    });
+
+    test("should return verified email", async ({
+      authorizePage,
+      signInWithOpenId,
+      openIdUsers,
+    }) => {
+      await signInWithOpenId(authorizePage.page, openIdUsers[0].id);
+    });
+  });
 });

src/internet_identity/internet_identity.did

@@ -367,6 +367,7 @@ type JWT = text;
 type Salt = blob;
 
 type OpenIdEmailVerification = variant {
+    Unknown;
     Google;
     Microsoft;
 };

src/internet_identity/src/openid.rs

@@ -222,6 +222,7 @@ impl OpenIdCredential {
             let verification_scheme = provider.email_verification_scheme()?;
 
             match verification_scheme {
+                Unknown => None,
                 Google => self.get_google_verified_email(),
                 Microsoft => self.get_microsoft_verified_email(),
             }

src/internet_identity_interface/src/internet_identity/types.rs

@@ -393,6 +393,7 @@ pub enum DeployArchiveResult {
 
 #[derive(Clone, Copy, Debug, CandidType, Serialize, Deserialize, Eq, PartialEq)]
 pub enum OpenIdEmailVerificationScheme {
+    Unknown,
     Google,
     Microsoft,
 }