[webauthn] Does Related Origins introduce a need for "Related RP IDs" support in `.get()`? (#2099)

MasterKale has just created a new issue for https://github.com/w3c/webauthn:

== Does Related Origins introduce a need for "Related RP IDs" support in `.get()`? ==
## Proposed Change

The Related Origins feature being added in #2040 allows a company handling auth on multiple domains to use a single RP ID. However, for an RP that wants to rebrand completely such that their RP ID would move from **example.com** to **example.net**, they have to support existing credentials bound to `"example.com"`. In addition, there is no path forward for them to ever start using `"example.net"` as an RP ID without forcing all users to re-register passkeys to ones bound to `"example.net"`.

Should we consider adding support for multiple RP IDs in calls to `.get()`? I can see Related Origins being a natural restriction on _which_ RP IDs could appear in such a list, but haven't sat down to fully think this through.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2099 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 17 July 2024 18:45:31 UTC
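
What "bound to `"example.com"`" means on the wire, as an added example that is not part of the original issue or of the WebAuthn repository: the first 32 bytes of an assertion's authenticator data are the SHA-256 hash of the RP ID used in the ceremony, so a relying party that switches its expected RP ID to `example.net` rejects every assertion from an existing `example.com` credential. The helper names (`rpIdHash`, `buildAuthData`, `matchRpId`) and the constructed authenticator data are assumptions made for illustration.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// SHA-256 of the RP ID string, as carried in authenticator data bytes 0..31.
function rpIdHash(rpId) {
  return createHash("sha256").update(rpId, "utf8").digest();
}

// Constructed sample: minimal assertion authenticator data
// (rpIdHash || flags || signCount) for a credential bound to rpId.
function buildAuthData(rpId, signCount) {
  const flags = Buffer.from([0x05]); // UP (0x01) | UV (0x04)
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  return Buffer.concat([rpIdHash(rpId), flags, counter]);
}

// Relying-party side check (hypothetical helper): return the RP ID from
// acceptableRpIds that the authenticator data was produced for, or null.
// This is server-side only; each .get() call still names a single rpId.
function matchRpId(authData, acceptableRpIds) {
  if (authData.length < 37) {
    throw new Error("authenticator data shorter than 37 bytes");
  }
  const seen = authData.subarray(0, 32);
  for (const rpId of acceptableRpIds) {
    if (timingSafeEqual(seen, rpIdHash(rpId))) return rpId;
  }
  return null;
}

// An existing passkey registered before the rebrand.
const legacyAssertion = buildAuthData("example.com", 7);

// A verifier that only expects the new RP ID rejects the old credential.
console.log(matchRpId(legacyAssertion, ["example.net"]));

// The verifier has to keep expecting the old RP ID for existing credentials.
console.log(matchRpId(legacyAssertion, ["example.net", "example.com"]));
```
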