FIDO2 rpId for https server NOT on port 443


Shane Weeden

Jun 24, 2018, 6:17:00 PM
to FIDO Dev (fido-dev)
I have a FIDO2 relying-party web server that is NOT running on port 443.

When calling navigator.credentials.create I need to pass in a publicKey.rp.id value. Typically this is just the hostname of the relying-party, such as www.myrp.com, however when this RP does not run on port 443 it's not clear what the rpId should be. I have tried hostname:port and this works fine with Firefox and the Windows Insider version of Edge, but Chrome (Version 67.0.3396.87 (Official Build) (64-bit)) reports:

DOMException: The relying party ID 'www.myrp.com:444' is not a registrable domain suffix of, nor equal to 'https://www.myrp.com:444'.


Setting the rpId to the complete string https://www.myrp.com:444 doesn't work either. In that case you get this error, which is just plain misleading:

DOMException: The relying party ID 'https://www.myrp.com:444' is not a registrable domain suffix of, nor equal to 'https://www.myrp.com:444'.

Is this a Chrome issue, or should the rpId be set to something else?

Kim Paulhamus

Jun 25, 2018, 1:45:34 PM
to shane....@gmail.com, FIDO Dev (fido-dev)
Hi Shane,

Port number is not part of the rpID in WebAuthN. In fact, if you're setting rpID, it should just be a domain name. Try setting rpID to "www.myrp.com" only. 
You can also leave rpID unset, and the browser will default it to the domain of your origin, which should work just as well in your case.

Regards,
Kim


Kim Paulhamus | Software Engineer |




--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To post to this group, send email to fido...@fidoalliance.org.
Visit this group at https://groups.google.com/a/fidoalliance.org/group/fido-dev/.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/e39ffe31-29b2-4f2e-80a6-e838018a6669%40fidoalliance.org.

Christiaan Brand

Jun 25, 2018, 1:50:44 PM
to Kim Paulhamus, shane....@gmail.com, FIDO Dev (fido-dev), Akshay Kumar, J.C. Jones
I'm curious why other browsers don't error out.
Adding JC and Akshay for their expert opinion.

Adam Powers

Jun 25, 2018, 1:54:10 PM
to Christiaan Brand, Kim Paulhamus, 'Christiaan Brand' via FIDO Dev (fido-dev), shane....@gmail.com, Akshay Kumar, J.C. Jones
That's a good point. Maybe this needs to be added to the Web Platform Tests.

Antonio Sanso

Jun 25, 2018, 3:09:17 PM
to Christiaan Brand, Kim Paulhamus, shane....@gmail.com, FIDO Dev (fido-dev), Akshay Kumar, J.C. Jones
FWIW I have already reported this behavior to Mozilla Firefox team.


Shane Weeden

Jun 25, 2018, 8:00:53 PM
to FIDO Dev (fido-dev)
Thanks for the advice thus far. Sending just www.myrp.com as the rpId works, however I'm not clear on the rules for validating C.origin in step 5 of https://www.w3.org/TR/webauthn/#registering-a-new-credential


The returned C.origin is "https://www.myrp.ibm.com:444". This is not the same server as "https://www.myrp.com". 

Is this step in the validation "up to the RP's implementation", or is there specific guidance on what is supposed to be acceptable?

Thanks,
Shane.

Kim Paulhamus

Jun 27, 2018, 1:24:42 PM
to Shane Weeden, FIDO Dev (fido-dev)
Hi Shane, just double checking - are you certain that the domain in the origin returned for "www.myrp.com" is "www.myrp.ibm.com"?

Kim

Kim Paulhamus | Software Engineer 



Shane Weeden

Jul 2, 2018, 7:29:17 PM
to FIDO Dev (fido-dev), shane....@gmail.com
Sorry - definitely a typo on that one. What I meant to say is that the returned C.origin contains a scheme-qualified URL, including the port number, whereas the RP-ID is only the hostname. It's not a big deal, I've moved past it :)

Thanks, Shane.

Kim Paulhamus

Jul 2, 2018, 7:54:21 PM
to FIDO Dev (fido-dev), shane....@gmail.com
Got it, thanks for letting me know it was just a typo :-)

Lars Rye Jeppesen

Oct 22, 2018, 7:55:29 AM
to FIDO Dev (fido-dev), shane....@gmail.com
I am getting the same issue for a site I'm developing on my local machine.
Is it really true that "localhost" is not a valid origin for webauthn?

Really stuck on how to proceed as I can't develop on a publicly registered domain.

Cheers,
Lars Jeppesen

Lukas Buchs

Oct 22, 2018, 8:31:33 AM
to FIDO Dev (fido-dev), shane....@gmail.com
localhost is a secure context for Firefox, see https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts. WebAuthn is working on localhost; I've tested it with my PHP library: https://github.com/lbuchs/WebAuthn

Ackermann Yuriy

Oct 22, 2018, 9:54:41 AM
to lukas...@gmail.com, fido...@fidoalliance.org, shane....@gmail.com
Works in Chrome as well.

Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand


Mon, 22 Oct 2018 at 21:31, Lukas Buchs <lukas...@gmail.com>:

Lars Rye Jeppesen

Oct 22, 2018, 10:47:27 AM
to FIDO Dev (fido-dev), lukas...@gmail.com, shane....@gmail.com
Weird, thank you guys for your answers.
Just wondering why I'm getting this error when calling navigator.credentials.get: (chrome 70)

"SecurityError: The relying party ID 'https://localhost:7000' is not a registrable domain suffix of, nor equal to 'https://localhost:7000'."

The weird thing is that I don't get this error on registration, ie. calls to navigator.credentials.create.

Lukas Buchs

Oct 22, 2018, 11:01:01 AM
to FIDO Dev (fido-dev), lukas...@gmail.com, shane....@gmail.com
read the docs, rpId is just the host, not including the protocol or port. Just "localhost".

Ackermann Yuriy

Oct 23, 2018, 8:09:31 AM
to FIDO Dev (fido-dev), lukas...@gmail.com, shane....@gmail.com
So okay, let's clear some things up. There are two different things we are talking about here:

rpId and origin.

rpId is used when you are a delegate of some RP, within its domain scope. So if you are register.example.com and your RP is actually example.com, you need to set rpId to "example.com". As you can see, rpId is the effective domain, so no protocol, port or any other parts are included.

Though when the server is getting the authenticator response, it will contain as an origin the origin of the call. So if your rpId is set to example.com, but the call was made from https://register.example.com:513/index.html, then CollectedCredentialData will have origin set to "https://register.example.com:513", because the origin is a collection of the protocol, server auth arguments, effective domain name and port.

┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│                                            href                                             │
├──────────┬──┬─────────────────────┬─────────────────────┬───────────────────────────┬───────┤
│ protocol │  │        auth         │        host         │           path            │ hash  │
│          │  │                     ├──────────────┬──────┼──────────┬────────────────┤       │
│          │  │                     │   hostname   │ port │ pathname │     search     │       │
│          │  │                     │              │      │          ├─┬──────────────┤       │
│          │  │                     │              │      │          │ │    query     │       │
"  https:   //    user   :   pass   @ sub.host.com : 8080   /p/a/t/h  ?  query=string   #hash "
│          │  │          │          │   hostname   │ port │          │                │       │
│          │  │          │          ├──────────────┴──────┤          │                │       │
│ protocol │  │ username │ password │        host         │          │                │       │
├──────────┴──┼──────────┴──────────┼─────────────────────┤          │                │       │
│   origin..............origin..............origin        │ pathname │     search     │ hash  │
├─────────────┴─────────────────────┴─────────────────────┴──────────┴────────────────┴───────┤
│                                            href                                             │
└─────────────────────────────────────────────────────────────────────────────────────────────┘

Regards. Yuriy

On Tuesday, 23 October 2018 at 0:01:01 UTC+9, Lukas Buchs wrote:

Алексей

Oct 24, 2018, 7:23:39 PM
to FIDO Dev (fido-dev)


On Monday, 25 June 2018 at 3:17:00 UTC+5, Shane Weeden wrote:
I have a FIDO2 relying-party web server that is NOT running on port 443.

When calling navigator.credentials.create I need to pass in a publicKey.rp.id value. Typically this is just the hostname of the relying-party, such as www.myrp.com, however when this RP does not run on port 443 it's not clear what the rpId should be. I have tried hostname:port and this works fine with Firefox and the Windows Insider version of Edge, but Chrome (Version 67.0.3396.87 (Official Build) (64-bit)) reports:

DOMException: The relying party ID 'www.myrp.com:444' is not a registrable domain suffix of, nor equal to 'https://www.myrp.com:444'.


Setting the rpId to the complete string https://www.myrp.com:444 doesn't work either. In that case you get this error, which is just plain misleading:

DOMException: The relying party ID 'https://www.myrp.com:444' is not a registrable domain suffix of, nor equal to 'https://www.myrp.com:444'.

Is this a Chrome issue, or should the rpId be set to something else?

Alexei Czeskis

Nov 28, 2018, 12:33:45 PM
to lekhan...@gmail.com, fido...@fidoalliance.org
Hi

We do accept other ports, as long as it's https.

We believe what's happening is the rpID should be just the domain since it's not an origin anymore. Try "myrp.com" or perhaps "www.myrp.com". No port in the rpID itself.

Thanks!
-Alexei

(SLO: go/alexei-email-slo)

________________

            . Alexei Czeskis .:. Securineer .


