Conditional Create for Related-Origin Requests


Jack Chen

Jun 24, 2025, 10:53:32 AM
to FIDO Dev (fido-dev)
Hi Group,

I have been looking at and experimenting with WebAuthn Conditional Create, particularly requests for related origins.

Scenario:
1. Both a.example.com and b.example.com list each other as related origins in their respective .well-known/webauthn
2. User uses password manager to fill username and password on a.example.com
3. Browser redirects to b.example.com and tries to create a conditional passkey
    a) navigator.credentials.create({ mediation: 'conditional', publicKey: { rp: { id: 'a.example.com' } } })
    b) navigator.credentials.create({ mediation: 'conditional', publicKey: { rp: { id: 'b.example.com' } } })

Observation:
a) and b) both result in a NotAllowedError from the user agent (Chrome).

I might have missed it in the spec, but I did not find any particular discussion of related origins for conditional create. I do see a one-liner in the explainer, "The origin of the document where the authentication ceremony was mediated and the origin where navigator.credentials.create must be the same", but wasn't sure whether that is disallowed even for the related-origin scenario.

Question:
1. Are related origins not allowed for WebAuthn conditional create at all?
2. If this is not an allowed scenario, would we consider supporting it in the future? We allowed Conditional UI (get) for related-origin requests; I think this is a similar scenario, just with create.


Thanks,
Jack

Tim Cappalli

Jun 24, 2025, 11:09:07 AM
to Jack Chen, FIDO Dev (fido-dev)
Conditional Create isn't explicitly supported with Related Origins. There are additional considerations that would have to be accounted for. Create and Get have very different privacy considerations in the context of a conditionally mediated call.

Admittedly, this is not clear in the spec. I can at least get passkeys.dev updated quickly to call this out.

As an aside, for the example you provided, you should just use example.com as your RP ID and it will work across both origins.

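To make the RP ID point concrete, here is an added example (not code from the thread, from Chrome, or from the spec text) that sketches the two routes a WebAuthn client can take to accept an RP ID from a calling origin: the default "RP ID is the caller's host or a registrable suffix of it" rule, and the Related Origin Requests lookup against the RP ID's .well-known/webauthn document. The well-known document is constructed inline, and the registrable-domain logic assumes a two-label public suffix boundary instead of consulting the Public Suffix List.

```javascript
// Added example, not from the thread: a Node-runnable sketch of the two checks a
// WebAuthn client applies to an RP ID, using a constructed .well-known/webauthn
// document. Public Suffix List handling is replaced by the assumption that the
// registrable domain is the last two labels of the hostname.

const MAX_LABELS = 5; // minimum number of distinct labels a client must support

// Constructed stand-in for https://a.example.com/.well-known/webauthn
const WELL_KNOWN_A = { origins: ['https://a.example.com', 'https://b.example.com'] };

function hostOf(origin) {
  return new URL(origin).hostname;
}

// Label just left of the public suffix, simplified (assumes a two-label suffix).
function registrableLabel(hostname) {
  const parts = hostname.split('.');
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// Default rule: the RP ID must equal the caller's host or be a dotted suffix of it.
function isValidRpId(callerOrigin, rpId) {
  const host = hostOf(callerOrigin);
  return host === rpId || host.endsWith('.' + rpId);
}

// Related Origin check: the caller origin must appear in the RP ID's well-known
// document, and only the first MAX_LABELS distinct registrable labels count.
function isRelatedOrigin(callerOrigin, wellKnown) {
  if (!wellKnown || !Array.isArray(wellKnown.origins)) return false;
  const labelsSeen = new Set();
  for (const candidate of wellKnown.origins) {
    let label;
    try { label = registrableLabel(hostOf(candidate)); } catch { continue; }
    if (!labelsSeen.has(label)) {
      if (labelsSeen.size >= MAX_LABELS) continue; // over the label budget: ignored
      labelsSeen.add(label);
    }
    if (candidate === callerOrigin) return true;
  }
  return false;
}

// Which route (if any) lets this origin use this RP ID?
function rpIdRoute(callerOrigin, rpId, wellKnown) {
  if (isValidRpId(callerOrigin, rpId)) return 'default';
  if (isRelatedOrigin(callerOrigin, wellKnown)) return 'related-origin';
  return 'rejected';
}
```

With rp.id set to example.com, both a.example.com and b.example.com pass the default rule and the related-origins document is never consulted, which is why the shared-parent RP ID sidesteps the question entirely.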

Jack Chen

Jun 24, 2025, 3:17:02 PM
to FIDO Dev (fido-dev), Tim Cappalli, Jack Chen
Thanks Tim, for the clarification.

(Yeah, I meant to put endpoints from different TLDs in the example.)
