
Re: FacetID equivalent for WebAuthn?

From: Adam Langley <agl@google.com>
Date: Thu, 18 Jul 2019 15:59:01 -0700
Message-ID: <CAL9PXLwOerhBtPqAKL675-=bCajJmZjBKKU4VrUyqjwqwvB_Rg@mail.gmail.com>
To: Marius Scurtescu <marius.scurtescu@coinbase.com>
Cc: W3C Web Authn WG <public-webauthn@w3.org>

On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <marius.scurtescu@coinbase.com> wrote:

> How is a multi-domain deployment supposed to work with WebAuthn? And by
> multi-domain I mean domains that don't match: example1.com and
> example2.com.
> One solution that was suggested is to always redirect to the IdP, so there
> is no need for multiple domains. That might work for login, but when
> WebAuthn is used as a re-authentication challenge then a full page redirect
> becomes very difficult to implement, especially for an existing application.

WebAuthn credentials are tied to an RP ID, which is a domain name. There is
no support for “groups” of domains being acceptable for a credential.

Redirecting (with suitable care) is possible, somewhat similar to OAuth.
There is also a (currently) unimplemented spec for granting iframes WebAuthn
abilities, in which case postMessage can be used. Implementation priorities
are set by need and, currently, nobody is making a fuss about the lack of
iframe support so it's not on the roadmap.


Received on Thursday, 18 July 2019 22:59:38 UTC
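
The RP ID binding described in the reply above, as an added example that is not part of the original message: a simplified relying-party-side scope check showing why an assertion from a credential scoped to example1.com cannot be accepted for example2.com. The function names and sample values are assumptions made for illustration, and challenge and signature verification are deliberately left out.

```javascript
const { createHash } = require("crypto");

// SHA-256 of the RP ID. Authenticators place this in the first 32 bytes
// of authenticatorData, which is what ties a credential to one domain.
function rpIdHash(rpId) {
  return createHash("sha256").update(rpId, "utf8").digest();
}

// True when the origin is HTTPS and its host is the RP ID or a subdomain of it.
// Simplified: a real deployment usually compares against an explicit allow-list.
function originMatchesRpId(origin, rpId) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return false;
  return url.hostname === rpId || url.hostname.endsWith("." + rpId);
}

// Scope checks only: origin from clientDataJSON, rpIdHash from authenticatorData.
function checkAssertionScope({ clientDataJSON, authenticatorData }, expectedRpId) {
  const clientData = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  if (!originMatchesRpId(clientData.origin, expectedRpId)) {
    return { ok: false, reason: "origin outside RP ID" };
  }
  // rpIdHash (32) + flags (1) + signature counter (4) is the minimum length.
  if (authenticatorData.length < 37) {
    return { ok: false, reason: "authenticatorData too short" };
  }
  if (!authenticatorData.subarray(0, 32).equals(rpIdHash(expectedRpId))) {
    return { ok: false, reason: "rpIdHash mismatch" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample data standing in for what a browser and authenticator return.
function sampleAssertion(origin, rpId) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.get", challenge: "Y29uc3RydWN0ZWQ", origin })
  );
  const flagsAndCounter = Buffer.from([0x01, 0, 0, 0, 1]); // UP flag, counter = 1
  return { clientDataJSON, authenticatorData: Buffer.concat([rpIdHash(rpId), flagsAndCounter]) };
}

const assertion = sampleAssertion("https://login.example1.com", "example1.com");
console.log(checkAssertionScope(assertion, "example1.com"));
console.log(checkAssertionScope(assertion, "example2.com"));
```

Even if a page on example2.com relayed the assertion with its own origin, the rpIdHash inside the signed authenticatorData would still be the hash of example1.com and the second check would reject it.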
