
Clarification on FIDO2 Credentials Usage across subdomains


mansi budhiraja

Aug 30, 2024, 6:29:30 PM
to FIDO Dev (fido-dev)
Hi All,

Needed some clarification regarding the use of FIDO2-based authenticators with different subdomains. If the Relying Party ID (rp.id) is set to a higher-level domain (e.g. "login.com"), can credentials registered for "login.com" be used for its subdomains, such as "fido.login.com" or "dev.fido.login.com"? I understand that credentials cannot be used across completely different domains (e.g., `random.TLD`), but I want to confirm the behavior for subdomains.

EXAMPLE 1:
rp.id set to "login.com"

fido.login.com: Can be used
dev.fido.login.com: Can be used
random.example.com: Not allowed

EXAMPLE 2:
rp.id set to "fido.login.com"

login.com: Cannot be used unless explicitly registered for this domain.
fido.login.com: Can be used
dev.fido.login.com: Can be used
random.example.com: Not allowed

Thanks

Tim Cappalli

Aug 30, 2024, 6:45:28 PM
to mansi budhiraja, FIDO Dev (fido-dev)
Yes, anything to the left. 

There's also a new capability that allows you to use them across origins in some cases: https://passkeys.dev/docs/advanced/related-origins/

tim


--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/0926a477-3844-47e8-b64a-43dc360bf6f0n%40fidoalliance.org.
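As an added example (not code from the thread or from any FIDO project), here is a server-side check of the scoping rule the replies confirm, covering both examples in the question: a credential scoped to an RP ID is usable from the RP ID's own origin and from anything to the left of it, and a credential scoped to "fido.login.com" is not usable from "login.com". It assumes a constructed stand-in for the Public Suffix List and a constructed authenticatorData value.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# deployment consults the full list) so that an RP ID such as "com" is refused.
PUBLIC_SUFFIXES = {"com", "co.uk", "net", "org"}


def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    """True if credentials scoped to rp_id may be used from origin.

    The origin's host must equal the RP ID or be a subdomain of it
    ("anything to the left"); the RP ID must not be a public suffix; and
    the origin must be https (localhost excepted, as browsers allow).
    """
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    rp = rp_id.lower().rstrip(".")
    if not host or not rp or rp in PUBLIC_SUFFIXES:
        return False
    if parts.scheme != "https" and host != "localhost":
        return False
    # The "." prefix matters: "evillogin.com" must not match "login.com".
    return host == rp or host.endswith("." + rp)


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID, as carried in authenticatorData."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def verify_assertion_scope(authenticator_data: bytes,
                           client_data_origin: str, rp_id: str) -> bool:
    """Check an assertion's RP ID binding plus the origin scoping rule.

    authenticatorData layout: rpIdHash (32 bytes) | flags (1) | counter (4).
    """
    if len(authenticator_data) < 37:
        return False
    if authenticator_data[:32] != rp_id_hash(rp_id):
        return False
    return origin_matches_rp_id(client_data_origin, rp_id)


# Constructed authenticatorData for RP ID "login.com" (flags 0x05, counter 1).
SAMPLE_AUTH_DATA = rp_id_hash("login.com") + b"\x05" + b"\x00\x00\x00\x01"
```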

Shane Weeden

Aug 30, 2024, 6:57:55 PM
to mansi budhiraja, FIDO Dev (fido-dev)
Yes, they can be exercised for subdomains like your example.


Sent from my iPhone
