[webauthn] Consider allowing cross-domain credential use (#1372) from Shane Weeden via GitHub on 2020-02-11 (public-webauthn@w3.org from February 2020)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Tue, 11 Feb 2020 00:41:46 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-562913692-1581381705-sysbot+gh@w3.org>

sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== Consider allowing cross-domain credential use ==
This issue is to capture discussion / decision making related to a discussion opened on the mailing list:

https://lists.w3.org/Archives/Public/public-webauthn/2020Feb/0001.html

The summary of the request is to allow an RP to advertise an allowed list of other web origins at which a credential issued to the RPID controlled by the RP may be used.

For example a credential is via WebAuthn at a site login.a.com, using RPID a.com.

The authority in control of a.com would like to permit use of this credential at other web origins such as b.com and c.com, without having to have separate credentials registered at those web domains.

This is similar in principal to the facet list feature of FIDO U2F. It has application within a company that controls different web domains (perhaps brands, or mergers and acquisitions).

Alternatives in this field require browser redirects or iframes that access both a.com (for authentication) and then perform federated SSO to b.com. This is an undersirable user experience in many cases.

A proposed solution could allow (via some form of web discovery including via DNS, or a hosted page) a.com to control the list of RPIDs or web origins that are permitted to use a.com's RPID in calls to navigator.credentials.get(). The solution requires the user-agent to understand and discover this trust relationship, something that is already done for other web access control protocols today. I don't plan to prescribe a particular method here, just ask that one be considered.

This is already done for Android native apps today to permit sharing of a credential with a WebAuthn RPID via the assetlinks.json hosted discovery document. Clearly non-browser and browser clients want to be able to do this - they same *should* be able to apply for cross-domain browser-based use of credentials. Preferably the trust model is sharable across different client types so that we don't end up with every client type building their own bespoke model.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1372 using your GitHub account

Received on Tuesday, 11 February 2020 00:41:48 UTC