Associated Domain and Related Origins

Jack Chen

Oct 28, 2025, 11:08:28 PM
to FIDO Dev (fido-dev)
Hi Group,

Wondering if anyone has an answer for this or if anyone has experimented with this setup.

Setup
1. I have two domains a.com and b.com and an iOS app App_C
2. b.com/.well-known/apple-app-site-association lists App_C so App_C can use passkeys from b.com
3. a.com/.well-known/webauthn lists b.com so user visiting b.com can use passkeys from a.com

Question
1. Can App_C use a passkey from a.com with the current setup?
2. If the answer is no, then setting up a.com/.well-known/apple-app-site-association to include App_C should now allow App_C to use a passkey from a.com, but can App_C use the a.com passkey while visiting b.com (taking advantage of related origins) in an embedded browser?

Any clarification on RP ID binding rules between native apps and web origins would be greatly appreciated! 

Thanks,
Jack

Tim Cappalli

Oct 29, 2025, 9:29:11 AM
to Jack Chen, FIDO Dev (fido-dev)
Recommend using passkeys.dev/discuss for passkey developer related questions but will answer here as well.

App platform-based association methods (digital asset links, app association, etc) are not directly related to the Web Platform's WebAuthn Related Origin Requests and they do not affect each other. 

The full answer depends on what the RP ID is for the passkey. What is the RP ID?


Jack C

Oct 29, 2025, 2:26:05 PM
to FIDO Dev (fido-dev), Tim Cappalli, Jack Chen
I see, let me reiterate the setup and question:

RPID would be a.com
a.com/.well-known/apple-app-site-association includes App_C
b.com/.well-known/apple-app-site-association includes App_C
a.com/.well-known/webauthn includes b.com

App_C renders b.com in an embedded browser for authentication requests; could we use the a.com passkey here?
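
The two mechanisms in this thread, modelled as independent lookups (an added example, not code from any poster or platform): a web page's origin is checked against the RP ID's `/.well-known/webauthn`, and an app is checked against the RP ID's own `apple-app-site-association`. Assumptions: the files are constructed in-memory stand-ins for HTTPS fetches, the App_C identifier is a placeholder, and the label function is a naive substitute for a Public Suffix List lookup. The example does not model whether a particular embedded browser performs the web-platform check.

```python
import json
from urllib.parse import urlsplit

MAX_LABELS = 5  # WebAuthn: clients support at least five registrable labels

# Constructed files for the thread's second setup. The app identifier is a
# placeholder for App_C; a.com / b.com are the thread's own example domains.
APP_C = "TEAMID.com.example.AppC"
AASA = json.dumps({"webcredentials": {"apps": [APP_C]}})
WELL_KNOWN = {
    "a.com": {"webauthn": '{"origins": ["https://b.com"]}', "aasa": AASA},
    "b.com": {"aasa": AASA},
}

def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port)

def _label(host):
    # Assumption: naive registrable-domain label; real clients use the
    # Public Suffix List.
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def web_origin_allowed(origin, rp_id, docs=WELL_KNOWN):
    """Web-platform check: may a page at `origin` request `rp_id`?"""
    host = urlsplit(origin).hostname or ""
    if host == rp_id or host.endswith("." + rp_id):
        return True  # ordinary RP ID scoping, no lookup needed
    raw = docs.get(rp_id, {}).get("webauthn")
    if raw is None:
        return False
    seen = set()
    for listed in json.loads(raw).get("origins", []):
        listed_host = urlsplit(listed).hostname
        if not listed_host:
            continue
        label = _label(listed_host)
        if label not in seen and len(seen) >= MAX_LABELS:
            continue  # label budget exhausted
        seen.add(label)
        if _origin(listed) == _origin(origin):
            return True
    return False

def app_associated(app_id, rp_id, docs=WELL_KNOWN):
    """App-platform check: does rp_id's own association file list the app?"""
    raw = docs.get(rp_id, {}).get("aasa")
    if raw is None:
        return False
    apps = json.loads(raw).get("webcredentials", {}).get("apps", [])
    return app_id in apps
```

Neither function reads the other mechanism's file, so removing a.com's association file changes only the result of `app_associated` and leaves `web_origin_allowed` untouched.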