Intent to Prototype: WebAuthn related origins

383 views
Skip to first unread message

Adam Langley

unread,
Oct 27, 2023, 6:15:39 PM10/27/23
to blink-dev
Contact emails
a...@chromium.org

Explainer
https://github.com/w3c/webauthn/wiki/Explainer:-Related-origin-requests

Summary
All WebAuthn credentials are associated with a single Relying Party ID (“RP ID”), which is essentially a domain name, and all WebAuthn requests are processed in the context of an RP ID. This RP ID system has existed since WebAuthn level one, but creates a number of challenges, most prominently for sites that have any country-specific domains. The related-origins facility is a well-known URL where an origin can list other origins that are authorized to use it as an RP ID.

Blink component
Blink>WebAuthentication

TAG review status
Pending

Risks
Interoperability and Compatibility: fragmentation risk if other browsers don't adopt it. We don't intend to have something that isn't commonly supported because that wouldn't be useful for sites.

WebKit / Mozilla: No signal yet

Web developers: Affected sites are keen in private conversations.

WebView application risks
There isn't support for WebAuthn in general WebViews.

Finch feature name
WebAuthenticationRelatedOrigin

Requires code in //chrome?
No. (Only tests.)

Chrome Platform Status
https://chromestatus.com/feature/4635336177352704

Mathieu Perreault

unread,
Apr 3, 2024, 10:26:56 AMApr 3
to blink-dev, Adam Langley
I wanted to provide support on behalf of Shopify. 

We own two different domain names that are both used for user-facing authentication into the same system and for various reasons that are hard to address, the user may be authenticating with Shopify while being on either domain. Before this proposal, we have been enrolling WebAuthn credentials on a singular RP ID and iframing our WebAuthn login code and UI elements (i.e. the input field if we're wanting to use Conditional UI). This complexity (and ensuing bugs -- iframing an input field and maintaining overall functionality is tricky) has prevented us from scaling our adoption of WebAuthn features more broadly.

Having the ability to associate RP IDs would solve a major headache and would be beneficial for our users.

Mathieu, on behalf of Shopify Engineering



Reply all
Reply to author
Forward
0 new messages