- From: Marius Scurtescu <marius.scurtescu@coinbase.com>
- Date: Thu, 18 Jul 2019 17:49:12 -0700
- To: Adam Langley <agl@google.com>
- Cc: W3C Web Authn WG <public-webauthn@w3.org>
- Message-ID: <CABpvcNv6GZqZ4C793+0G_fD_htiuX0EBEmRPewXWnR-h37ju3A@mail.gmail.com>
Thanks again Adam.

Is this the iframe spec you are referring to:
https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance

The situation looks pretty bleak from where I stand. I am surprised that this is not coming up as an issue.

Was there a concrete reason to stop supporting FacetID? Lack of interest?

On Thu, Jul 18, 2019 at 3:59 PM Adam Langley <agl@google.com> wrote:

> On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <marius.scurtescu@coinbase.com> wrote:
>
>> How is a multi-domain deployment supposed to work with WebAuthn? And by
>> multi-domain I mean domains that don't match: example1.com and
>> example2.com.
>>
>> One solution that was suggested is to always redirect to the IdP, so
>> there is no need for multiple domains. That might work for login, but when
>> WebAuthn is used as a re-authentication challenge then a full page redirect
>> becomes very difficult to implement, especially for an existing application.
>
> WebAuthn credentials are tied to an RP ID, which is a domain name. There
> is no support for “groups” of domains being acceptable for a credential.
>
> Redirecting (with suitable care) is possible, somewhat similar to OAuth.
> There is also a (currently) unimplemented spec for granting iframes WebAuthn
> abilities, in which case postMessage can be used. Implementation priorities
> are set by need and, currently, nobody is making a fuss about the lack of
> iframe support so it's not on the roadmap.
>
> Cheers
>
> AGL
Received on Friday, 19 July 2019 00:49:48 UTC
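
An added example, not part of the original message or of any WebAuthn library: a Node.js sketch of the two checks that bind a credential to a single RP ID, the client-side domain match and the server-side comparison of the `rpIdHash` at the start of the authenticator data. The helper names and the constructed authenticator data are assumptions, and the Public Suffix List check that real clients perform is reduced here to rejecting single-label RP IDs.

```javascript
// Added illustration; helper names and sample data are assumptions.
const { createHash, timingSafeEqual } = require("node:crypto");

// Client-side scoping: the RP ID must equal the origin's host or be a parent
// domain of it. Simplification (assumption): real clients use the Public
// Suffix List to reject RP IDs like "com"; this sketch just rejects any
// single-label RP ID.
function rpIdAllowedForOrigin(origin, rpId) {
  const host = new URL(origin).hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (!id.includes(".")) return false;
  return host === id || host.endsWith("." + id);
}

// Server-side scoping: authenticator data starts with SHA-256(RP ID).
// A complete verifier also checks the challenge, origin and signature.
function rpIdHashMatches(authData, expectedRpId) {
  if (authData.length < 37) return false; // rpIdHash(32) + flags(1) + signCount(4)
  const expected = createHash("sha256").update(expectedRpId, "utf8").digest();
  return timingSafeEqual(authData.subarray(0, 32), expected);
}

// Constructed authenticator data for a credential scoped to `rpId`.
function makeAuthData(rpId) {
  const rpIdHash = createHash("sha256").update(rpId, "utf8").digest();
  const flags = Buffer.from([0x05]); // user present | user verified
  const signCount = Buffer.alloc(4); // counter 0
  return Buffer.concat([rpIdHash, flags, signCount]);
}

// The deployment from the thread: a credential registered for example1.com.
const origins = [
  "https://example1.com",
  "https://login.example1.com",
  "https://example2.com",
];
for (const origin of origins) {
  console.log(origin, "may use rpId example1.com:",
    rpIdAllowedForOrigin(origin, "example1.com"));
}
const authData = makeAuthData("example1.com");
for (const rpId of ["example1.com", "example2.com"]) {
  console.log("server for", rpId, "accepts rpIdHash:",
    rpIdHashMatches(authData, rpId));
}
```
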