request for clarification: chrome.webAuthenticationProxy
75 views
Skip to first unread message
polyset
Jul 23, 2024, 4:45:30 AM (4 days ago) Jul 23
to blink-dev
we implemented the webAuthenticationProxy using wss, and get the attached secure origin error (see screenshot for details):
```
error: public key creds are only available to https origins with valid certs, http localhost, or pages served from extensions.
```
why would wss not be considered a secure origin in this case? chrome had the cert before it was upgraded
polyset
Jul 23, 2024, 6:39:35 PM (4 days ago) Jul 23
to blink-dev, polyset
upon further investigation, the origin is the extension (which makes sense since this is an extension api), but with webauthn if the origin is chrome-extension://, you have to drop the rp: id field, otherwise the navigator won't pop the enroll modal.
When we do drop the `rp: id`, the modal pops and we create a new pub key via the local chrome instance, but the remote chrome complains that the origin is wrong for the created key.
This lead us to discover y'all are using remoteDesktopClientOverride extension to webauthn, which isn't mentioned at all in the webAuthenticationProxy extension api.
At this point, I would guess zero other developers on the web have used this api -- but I think everyone would benefit if y'all added documentation / a simple explainer on how the chrome.webAuthenticationProxy api is supposed to work e2e: is it only to be used with ctap2 authenticators? what are the remoteDesktopClientOverride settings? How do you set the rp:id when the origin is chrome-extension://?
When we do drop the `rp: id`, the modal pops and we create a new pub key via the local chrome instance, but the remote chrome complains that the origin is wrong for the created key.
This lead us to discover y'all are using remoteDesktopClientOverride extension to webauthn, which isn't mentioned at all in the webAuthenticationProxy extension api.
At this point, I would guess zero other developers on the web have used this api -- but I think everyone would benefit if y'all added documentation / a simple explainer on how the chrome.webAuthenticationProxy api is supposed to work e2e: is it only to be used with ctap2 authenticators? what are the remoteDesktopClientOverride settings? How do you set the rp:id when the origin is chrome-extension://?
Reply all
Reply to author
Forward
0 new messages