- From: Adam Langley <agl@google.com>
- Date: Thu, 18 Jul 2019 15:59:01 -0700
- To: Marius Scurtescu <marius.scurtescu@coinbase.com>
- Cc: W3C Web Authn WG <public-webauthn@w3.org>
Received on Thursday, 18 July 2019 22:59:38 UTC
On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <marius.scurtescu@coinbase.com> wrote:

> How is a multi-domain deployment supposed to work with WebAuthn? And by
> multi-domain I mean domains that don't match: example1.com and
> example2.com.
>
> One solution that was suggested is to always redirect to the IdP, so there
> is no need for multiple domains. That might work for login, but when
> WebAuthn is used as a re-authentication challenge then a full page redirect
> becomes very difficult to implement, especially for an existing application.

WebAuthn credentials are tied to an RP ID, which is a domain name. There is no support for “groups” of domains being acceptable for a credential.

Redirecting (with suitable care) is possible, somewhat similar to OAuth. There is also a (currently) unimplemented spec for granting iframes WebAuthn abilities, in which case postMessage can be used. Implementation priorities are set by need and, currently, nobody is making a fuss about the lack of iframe support so it's not on the roadmap.

Cheers

AGL
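The RP ID rule behind AGL's answer, as an added example that is not part of the thread or of any WebAuthn implementation: a small JavaScript check of whether an origin may use a given RP ID (the RP ID must equal the origin's effective domain or be a registrable domain suffix of it, in a secure context), and whether a set of origins can share any RP ID at all. The public-suffix set is a constructed stand-in for the browser's full Public Suffix List.

```javascript
// Constructed mini public-suffix list (assumption); browsers consult the
// full Public Suffix List when deciding what counts as "registrable".
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Effective domain of an origin, or null when WebAuthn would refuse it
// (WebAuthn only works in a secure context: https, or localhost).
function effectiveDomain(origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:" && url.hostname !== "localhost") return null;
  return url.hostname.toLowerCase();
}

// HTML's "registrable domain suffix" test: candidate equals host or is a
// label-aligned suffix of it, and candidate is not itself a public suffix.
function isRegistrableDomainSuffix(candidate, host) {
  if (PUBLIC_SUFFIXES.has(candidate)) return false;
  if (candidate === host) return true;
  return host.endsWith("." + candidate);
}

// Can a page served from `origin` create or use credentials scoped to `rpId`?
function rpIdAllowedForOrigin(origin, rpId) {
  const host = effectiveDomain(origin);
  if (host === null) return false;
  return isRegistrableDomainSuffix(rpId.toLowerCase(), host);
}

// Longest RP ID every origin in the list may use, or null when none exists,
// which is exactly the example1.com / example2.com case from the question.
function sharedRpId(origins) {
  const hosts = origins.map(effectiveDomain);
  if (hosts.some((h) => h === null)) return null;
  const labels = hosts[0].split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (hosts.every((h) => isRegistrableDomainSuffix(candidate, h))) return candidate;
  }
  return null;
}
```

Two subdomains of one registrable domain can share an RP ID, while two unrelated registrable domains cannot, so re-authentication across them has to go through a redirect (or, once supported, a permitted iframe) to a single RP.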