Comments (5)
I got the same issue too
Would it be possible for you to set your RPID to domain.com when initiating the flow on auth.domain.com? Then sub.domain.com will be able to verify the assertion just fine, as sub.domain.com is a valid origin for the domain.com rpId.
By default, the RP ID for a WebAuthn operation is set to the caller’s origin's effective domain. This default MAY be overridden by the caller, as long as the caller-specified RP ID value is a registrable domain suffix of or is equal to the caller’s origin's effective domain.
Note: An RP ID is based on a host's domain name. It does not itself include a scheme or port, as an origin does. The RP ID of a public key credential determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows:
- The RP ID must be equal to the origin's effective domain, or a registrable domain suffix of the origin's effective domain.
- The origin's scheme must be https.
- The origin's port is unrestricted.
For example, given a Relying Party whose origin is https://login.example.com:1337, then the following RP IDs are valid: login.example.com (default) and example.com, but not m.login.example.com and not com.
This is done in order to match the behavior of pervasively deployed ambient credentials (e.g., cookies, [RFC6265]). Please note that this is a greater relaxation of "same-origin" restrictions than what document.domain's setter provides.
These restrictions on origin values apply to WebAuthn Clients.
Basically, if you set the rpId manually in your navigator.credentials.get call like this:
{ rp : { id : "domain.com" }}
then the clientDataOrigin will report domain.com instead of auth.domain.com. If you then set relyingPartyOrigin to domain.com too, the check will succeed.
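An added example (not code from the webauthn library or from any commenter), in Go since the library is Go: it applies the RP ID scoping rule quoted above to the spec's own origin https://login.example.com:1337, and adds the configured-origin-list check that the later comments ask for. The function names rpIDValidForOrigin and originAllowed are assumed, and the registrable-suffix test is simplified to reject single-label suffixes such as "com" rather than consulting the Public Suffix List.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// rpIDValidForOrigin applies the quoted RP ID rules: https scheme required, port
// ignored, rpID equal to the origin's host or a registrable domain suffix of it.
// Assumption (a simplification, not the spec): a single-label rpID such as "com"
// is rejected as a public suffix instead of consulting the Public Suffix List.
func rpIDValidForOrigin(origin, rpID string) (bool, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return false, fmt.Errorf("origin %q must be a parseable https URL", origin)
	}
	host := strings.ToLower(u.Hostname()) // Hostname() already drops the port
	rpID = strings.ToLower(rpID)
	if rpID == host {
		return true, nil
	}
	if !strings.Contains(rpID, ".") {
		return false, nil // bare TLD ("com") is never a registrable suffix
	}
	return strings.HasSuffix(host, "."+rpID), nil
}

// originAllowed is the multi-origin check the thread asks for: the origin in
// clientDataJSON must match one configured origin exactly (scheme, host, port).
func originAllowed(clientDataOrigin string, allowed []string) bool {
	norm := func(o string) string {
		u, err := url.Parse(o)
		if err != nil || u.Scheme == "" || u.Hostname() == "" {
			return "" // unparseable origins never match anything
		}
		port := u.Port()
		if port == "" && u.Scheme == "https" {
			port = "443" // default port, so "https://a" equals "https://a:443"
		}
		return strings.ToLower(u.Scheme+"://"+u.Hostname()) + ":" + port
	}
	want := norm(clientDataOrigin)
	for _, a := range allowed {
		if want != "" && norm(a) == want {
			return true
		}
	}
	return false
}
```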
webauthn-rs also takes a list of origins. So it might be indeed the more ergonomic API to adapt:
Support for multiple origins is also in the two libraries I wrote:
- MasterKale/SimpleWebAuthn#91
- https://github.com/duo-labs/py_webauthn/blob/master/webauthn/authentication/verify_authentication_response.py#L48
It's a common enough scenario in more complex RPs that I think this library should implement similar functionality.
Yeah, scoping rp origin to a general domain would work for some use cases. I was also looking into supporting the list of unrelated domains.