RPID in non-web scenarios

My1

unread,

Mar 4, 2021, 3:47:27 PM3/4/21

to FIDO Dev (fido-dev)

are there any things set on how non-web applications should do RPIDs? as there are many things that can use CTAP2 without being on the actual web.

nuno sung

unread,

Mar 5, 2021, 12:35:10 AM3/5/21

to FIDO Dev (fido-dev), My1

https://w3c.github.io/webauthn/#ref-for-webauthn-client%E2%91%A4:~:text=on%20non%2DWeb%20platforms

As you can see chrome uses ".dummy" for checking user presence

https://chromium.googlesource.com/chromium/src/+/master/device/fido/fido_constants.h#327

My1 在 2021年3月5日星期五上午4:47:27 [UTC+8] 的信中寫道：

hetin k

unread,

Dec 29, 2022, 1:29:00 AM12/29/22

to FIDO Dev (fido-dev), nuno sung, My1

Hi all,

In web, browser validate rpid with url.

How rp id is validated in android and ios app?

Anders Rundgren

unread,

Dec 29, 2022, 2:11:13 AM12/29/22

to hetin k, FIDO Dev (fido-dev), nuno sung, My1

On 2022-12-29 7:29, hetin k wrote:
> Hi all,
>
> In web, browser validate rpid with url.
>
> How rp id is validated in android and ios app?

If I understood the (pretty miserable) Android documentation, you need a manifest file at the RP site.

>
>
> On Friday, 5 March 2021 at 11:05:10 UTC+5:30 nuno sung wrote:
>
>

> https://w3c.github.io/webauthn/#ref-for-webauthn-client%E2%91%A4:~:text=on%20non%2DWeb%20platforms <https://w3c.github.io/webauthn/#ref-for-webauthn-client%E2%91%A4:~:text=on%20non%2DWeb%20platforms>

> As you can see chrome uses ".dummy" for checking user presence

> https://chromium.googlesource.com/chromium/src/+/master/device/fido/fido_constants.h#327 <https://chromium.googlesource.com/chromium/src/+/master/device/fido/fido_constants.h#327>

>
> My1 在 2021年3月5日星期五上午4:47:27 [UTC+8] 的信中寫道：
>
> are there any things set on how non-web applications should do RPIDs? as there are many things that can use CTAP2 without being on the actual web.
>

> --
> You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org <mailto:fido-dev+u...@fidoalliance.org>.
> To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/abec4743-146c-4623-94f0-47e30d3f4497n%40fidoalliance.org <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/abec4743-146c-4623-94f0-47e30d3f4497n%40fidoalliance.org?utm_medium=email&utm_source=footer>.

nuno sung

unread,

Dec 29, 2022, 2:48:25 AM12/29/22

to FIDO Dev (fido-dev), het...@gmail.com, nuno sung, My1

https://developers.google.com/identity/fido/android/native-apps

https://developer.apple.com/documentation/authenticationservices/connecting_to_a_service_with_passkeys

het...@gmail.com 在 2022年12月29日星期四下午2:29:00 [UTC+8] 的信中寫道：

Adam Langley

unread,

Dec 29, 2022, 9:43:18 AM12/29/22

to FIDO Dev (fido-dev), My1

On Thursday, March 4, 2021 at 12:47:27 PM UTC-8 My1 wrote:

are there any things set on how non-web applications should do RPIDs? as there are many things that can use CTAP2 without being on the actual web.

From the WebAuthn spec:

Other specifications mimicking the WebAuthn API to enable WebAuthn public key credentials on non-Web platforms (e.g. native mobile applications), MAY define different rules for binding a caller to a Relying Party Identifier. Though, the RP ID syntaxes MUST conform to either valid domain strings or URIs [RFC3986] [URL].

So non-web contexts should use a valid URI, either with a custom scheme, or with a suitable scheme for the context in question.