[webauthn] Cross origin and Conditional UI (#1671)

akshayku has just created a new issue for https://github.com/w3c/webauthn:

== Cross origin and Conditional UI ==
We at Microsoft have web pages for authentication at different origins. For consumers (MSA), it lives at login.live.com and for enterprises (AAD), it lives at login.microsoftonline.com. When we adopted webauthn, we consolidated all webauthn related operations at single login.microsoft.com. But the initial landing pages are still at login.live.com/login.microsoftonline.com where we have a link like "Sign in with Windows Hello or Security Key" which redirects to login.microsoft.com to do the webauthn operation. 

Our intention was to move everything to login.microsoft.com, but there are non-WebAuthn related challenges in doing so. These challenges are technical and we are trying to figure out what we want to do here. 

When we redirected to the login.microsoft.com for webauthn operation, things all work. However, conditional UI is supposed to work on the webpage that you are on. And for our case, these pages are not at webauthn origin at the moment. Hence, browser will see two different origins and will not allow conditional UI in that scenario. Meaning, browser cannot query credentials for login.microsoft.com from login.live.com webpage. 

We think this is not a one off instance for our RP. It may be an issue for a many RPs. 

One obvious solution is to move everything to login.microsoft.com. But as I said above, there are non-webauthn related challenges in doing so. 

Another solution, I was thinking was similar to Cross-origin solution I was thinking for payment/general case as I mentioned at #1667. Potentially, an RP can define policy at well-known location at an origin where it can specify a set of RPs which can ask for WebAuthn operation on behalf of. Like we can define login.live.com to be one of such RPs at login.microsoft.com? And browser in conditional UI can check for these policies when origins in the request don't match the top level origin.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1671 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 22 September 2021 16:37:50 UTC