request for clarification: chrome.webAuthenticationProxy

polyset

Jul 23, 2024, 4:45:30 AM
to blink-dev
we implemented the webAuthenticationProxy using wss, and get the attached secure origin error (see screenshot for details):

```
error: public key creds are only available to https origins with valid certs, http localhost, or pages served from extensions.
```

why would wss not be considered a secure origin in this case? chrome had the cert before it was upgraded 



authproxy.png

polyset

Jul 23, 2024, 6:39:35 PM
to blink-dev, polyset
upon further investigation, the origin is the extension (which makes sense since this is an extension api), but with webauthn if the origin is chrome-extension://, you have to drop the rp: id field, otherwise the navigator won't pop the enroll modal.


When we do drop the `rp: id`, the modal pops and we create a new pub key via the local chrome instance, but the remote chrome complains that the origin is wrong for the created key.


This led us to discover y'all are using remoteDesktopClientOverride extension to webauthn, which isn't mentioned at all in the webAuthenticationProxy extension api.

At this point, I would guess zero other developers on the web have used this api -- but I think everyone would benefit if y'all added documentation / a simple explainer on how the chrome.webAuthenticationProxy api is supposed to work e2e: is it only to be used with ctap2 authenticators? what are the remoteDesktopClientOverride settings? How do you set the rp:id when the origin is chrome-extension://?