Intent to Prototype: WebAuthn related origins

Adam Langley

Oct 27, 2023, 6:15:39 PM
to blink-dev
Contact emails
a...@chromium.org

Explainer
https://github.com/w3c/webauthn/wiki/Explainer:-Related-origin-requests

Summary
All WebAuthn credentials are associated with a single Relying Party ID (“RP ID”), which is essentially a domain name, and all WebAuthn requests are processed in the context of an RP ID. This RP ID system has existed since WebAuthn level one, but creates a number of challenges, most prominently for sites that have any country-specific domains. The related-origins facility is a well-known URL where an origin can list other origins that are authorized to use it as an RP ID.

Blink component
Blink>WebAuthentication

TAG review status
Pending

Risks
Interoperability and Compatibility: fragmentation risk if other browsers don't adopt it. We don't intend to have something that isn't commonly supported because that wouldn't be useful for sites.

WebKit / Mozilla: No signal yet

Web developers: Affected sites are keen in private conversations.

WebView application risks
There isn't support for WebAuthn in general WebViews.

Finch feature name
WebAuthenticationRelatedOrigin

Requires code in //chrome?
No. (Only tests.)

Chrome Platform Status
https://chromestatus.com/feature/4635336177352704
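
As an added illustration (not code from this post or from Chromium), the sketch below shows how a client could check a calling origin against the related-origins document that the Summary describes. The `/.well-known/webauthn` path, the `origins` key and the five-label cap are assumptions taken from the WebAuthn Level 3 draft rather than from this thread, and the public-suffix set and sample document are constructed for the example.

```javascript
// Added example. Assumed: the client fetches https://<rpId>/.well-known/webauthn
// and gets JSON of the form {"origins": [...]}; at most MAX_LABELS labels count.
const MAX_LABELS = 5;

// Constructed stand-in for the Public Suffix List; a real client uses the full list.
const PUBLIC_SUFFIXES = new Set(["com", "ca", "de", "co.uk"]);

// First label of the registrable domain: "example" for "www.example.co.uk".
function registrableLabel(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) return labels[i - 1];
  }
  return null; // unknown suffix, or the host is itself a public suffix
}

// True if callerOrigin is listed in the well-known document body.
function isRelatedOrigin(callerOrigin, wellKnownBody) {
  let caller, doc;
  try {
    caller = new URL(callerOrigin);
    doc = JSON.parse(wellKnownBody);
  } catch {
    return false; // malformed origin or document: fail closed
  }
  if (caller.protocol !== "https:") return false;
  if (!doc || !Array.isArray(doc.origins)) return false;

  const labelsSeen = new Set();
  for (const entry of doc.origins) {
    let url;
    try { url = new URL(entry); } catch { continue; }
    const label = registrableLabel(url.hostname);
    if (!label) continue;
    // Past the cap, entries that introduce a new label are ignored.
    if (labelsSeen.size >= MAX_LABELS && !labelsSeen.has(label)) continue;
    if (url.origin === caller.origin) return true;
    labelsSeen.add(label);
  }
  return false;
}

// Constructed sample document for an RP ID of example.com.
const SAMPLE_DOC = JSON.stringify({ origins: [
  "https://example.co.uk", "https://example.de", "https://login.example.ca",
  "https://brand-a.com", "https://brand-b.com", "https://brand-c.com", "https://brand-d.com",
  "https://brand-e.com",     // sixth distinct label: ignored
  "https://shop.example.de", // label "example" already counted: honoured
]});
```

The label cap means a country-code family such as example.co.uk and example.de consumes one slot, while each separately branded domain consumes its own.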

Mathieu Perreault

Apr 3, 2024, 10:26:56 AM
to blink-dev, Adam Langley
I wanted to provide support on behalf of Shopify. 

We own two different domain names that are both used for user-facing authentication into the same system and for various reasons that are hard to address, the user may be authenticating with Shopify while being on either domain. Before this proposal, we have been enrolling WebAuthn credentials on a singular RP ID and iframing our WebAuthn login code and UI elements (i.e. the input field if we're wanting to use Conditional UI). This complexity (and ensuing bugs -- iframing an input field and maintaining overall functionality is tricky) has prevented us from scaling our adoption of WebAuthn features more broadly.

Having the ability to associate RP IDs would solve a major headache and would be beneficial for our users.

Mathieu, on behalf of Shopify Engineering