From bbacb4a7d448b0ecf7df2fb443106980d8607c74 Mon Sep 17 00:00:00 2001 From: Marco Walz Date: Mon, 13 Jul 2026 21:17:24 +0200 Subject: [PATCH 1/2] fix: update unity_ii_deeplink code references in IAM security guide The example was migrated from dfx to icp-cli (dfinity/examples#1440). The ii-bridge frontend moved from ii_integration_dapp/src/greet_frontend/src/index.js to ii-bridge/src/main.js Update all five bullet-point references: - Middle key generation: main.js#L84 - Auth with middle key: main.js#L88-L89 - Delegation chain creation: main.js#L102-L108 - URI fragment callback: main.js#L130-L133 (clarify it uses a custom URL scheme by default, with a link to the README for upgrading to Android App Links / iOS Universal Links) - Delegation chain verification: DeepLinkPlugin.cs#L92-L98 (now implemented; replaces the stale "currently being improved" note) Co-Authored-By: Claude Sonnet 4.6 --- .../security/identity-and-access-management.mdx | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/guides/security/identity-and-access-management.mdx b/docs/guides/security/identity-and-access-management.mdx index 4cbf20d1..c0500328 100644 --- a/docs/guides/security/identity-and-access-management.mdx +++ b/docs/guides/security/identity-and-access-management.mdx @@ -241,11 +241,10 @@ and [Android](https://developer.android.com/training/app-links/verify-android-ap For more information, view an [example implementation in the form of a Unity app](https://github.com/dfinity/examples/tree/master/native-apps/unity_ii_deeplink). The following pieces of that codebase are most important: -* Generation of the intermediate session key [in index.js](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L25). -* [Authentication using the intermediate session key](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L26-L36) instead of the mobile app public key. -* [Generating the delegation chain](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L48-L57) by combining the delegation obtained from II with a delegation created by the frontend. -* [Returning the delegation chain using an applink/universal link](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L71). -* Returning the delegation chain [using a URI fragment](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L73). -* The example is currently being improved whereby the delegation chain will also be verified in the mobile app before using it. +* [Generating the intermediate (middle) key](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L84) (`ECDSAKeyIdentity.generate()`) — the private key stays in the browser via the WebCrypto API and is never extractable. +* [Authenticating with the intermediate key](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L88-L89) (passing `middleKeyIdentity` to `AuthClient`) instead of the mobile app's public key, so II can never issue a delegation directly usable by the app. +* [Generating the delegation chain](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L102-L108) by combining the II-issued delegation with a second, short-lived delegation from the middle key to the app's Ed25519 session key. +* [Returning the delegation chain using a URI fragment](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L130-L133) (`#delegation=…`) so the chain is not included in any HTTP request if the deep link falls through to the browser. The example uses a custom URL scheme (`org.dfinity.unity-ii://`) by default; see the [README](https://github.com/dfinity/examples/tree/master/native-apps/unity_ii_deeplink#upgrading-to-https-deep-links-for-production) for upgrading to Android App Links or iOS Universal Links for production. +* [Verifying the delegation chain](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/unity_project/Assets/Scripts/DeepLinkPlugin.cs#L92-L98) in the mobile app before constructing the identity — the last delegation's `pubkey` is compared against the session key generated in step 2 to prevent a session-fixation attack where a delegation intended for a different session is replayed. {/* Upstream: sync from dfinity/portal building-apps/security/iam.mdx */} From 6a49f7ae2f199b3cca148094a84fa271b286c861 Mon Sep 17 00:00:00 2001 From: Marco Walz Date: Mon, 13 Jul 2026 21:26:58 +0200 Subject: [PATCH 2/2] fix: replace em-dashes and correct DeepLinkPlugin.cs line reference - Replace two em-dashes with colons per writing guidelines - Update DeepLinkPlugin.cs line reference from L92-L98 to L105-L111; the verification block shifted after the null guard was added to Start() in a subsequent commit --- docs/guides/security/identity-and-access-management.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/guides/security/identity-and-access-management.mdx b/docs/guides/security/identity-and-access-management.mdx index c0500328..646d7bff 100644 --- a/docs/guides/security/identity-and-access-management.mdx +++ b/docs/guides/security/identity-and-access-management.mdx @@ -241,10 +241,10 @@ and [Android](https://developer.android.com/training/app-links/verify-android-ap For more information, view an [example implementation in the form of a Unity app](https://github.com/dfinity/examples/tree/master/native-apps/unity_ii_deeplink). The following pieces of that codebase are most important: -* [Generating the intermediate (middle) key](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L84) (`ECDSAKeyIdentity.generate()`) — the private key stays in the browser via the WebCrypto API and is never extractable. +* [Generating the intermediate (middle) key](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L84) (`ECDSAKeyIdentity.generate()`): the private key stays in the browser via the WebCrypto API and is never extractable. * [Authenticating with the intermediate key](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L88-L89) (passing `middleKeyIdentity` to `AuthClient`) instead of the mobile app's public key, so II can never issue a delegation directly usable by the app. * [Generating the delegation chain](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L102-L108) by combining the II-issued delegation with a second, short-lived delegation from the middle key to the app's Ed25519 session key. * [Returning the delegation chain using a URI fragment](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/ii-bridge/src/main.js#L130-L133) (`#delegation=…`) so the chain is not included in any HTTP request if the deep link falls through to the browser. The example uses a custom URL scheme (`org.dfinity.unity-ii://`) by default; see the [README](https://github.com/dfinity/examples/tree/master/native-apps/unity_ii_deeplink#upgrading-to-https-deep-links-for-production) for upgrading to Android App Links or iOS Universal Links for production. -* [Verifying the delegation chain](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/unity_project/Assets/Scripts/DeepLinkPlugin.cs#L92-L98) in the mobile app before constructing the identity — the last delegation's `pubkey` is compared against the session key generated in step 2 to prevent a session-fixation attack where a delegation intended for a different session is replayed. +* [Verifying the delegation chain](https://github.com/dfinity/examples/blob/master/native-apps/unity_ii_deeplink/unity_project/Assets/Scripts/DeepLinkPlugin.cs#L105-L111) in the mobile app before constructing the identity: the last delegation's `pubkey` is compared against the session key generated in step 2 to prevent a session-fixation attack where a delegation intended for a different session is replayed. {/* Upstream: sync from dfinity/portal building-apps/security/iam.mdx */}