Re: [webauthn] Update Credential Record to suggest storing RP ID as well for better Related Origins support (#2257)

I think I get the idea, but on further thought this might be a bit of a trap.

The idea is that an RP might use two (or more) different RP IDs, but wants to merge them into one logical application? Say that `acme.com` and `example.com` have both rolled out WebAuthn and have thousands of credentials registered to each RP ID already, then `acme.com` acquires `example.com` and wants to merge both user bases, so they set up related origins to allow users of each site to use their existing credential to log in at the other domain. It makes sense that if they also merge their databases, they'll want to tag each credential with which RP ID it was registered to. So far so good.

But this might still become a problem when it's time for a user to log in to the merged site, because in that call you can only specify one RP ID at a time. Let's consider only discoverable credentials (empty `allowCredentials`) first. If `acme.com` requests an assertion with RP ID `acme.com` and the user only has a credential for `example.com`, then they won't be able to log in despite the related origins. You'd have to ask the user which site they registered at before you can set the RP ID correctly.

Non-discoverable credentials (non-empty `allowCredentials`) aren't as affected, because the RP will look up the credentials first and set the RP ID to the correct one for the user. But as soon as the user registers a new credential for the other RP ID, the problem returns. This would be addressed by continuing to register each user's credentials only to the RP ID they already have credentials for, though. But the problem remains that the discoverable flow wouldn't be available to users registered to the other RP ID.

So while I like the proposal on one level, I'm not sure this is the right way. This would imply that storing the RP ID tags is enough to solve any issues that come up with related origins, but it isn't. It wouldn't hurt, but it's not enough. So I rather feel like this use case would need much deeper consideration than this simple recommendation.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2257#issuecomment-2653603564 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 12 February 2025 12:41:45 UTC
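
Added example, not part of the original message or of the WebAuthn specification: a server-side sketch of the situation the comment describes, where credential records are tagged with the RP ID they were registered under but each `navigator.credentials.get()` request can carry only one `rpId`. The record shape, the function names and the sample users are assumptions; credential IDs and challenges are constructed strings standing in for binary values.

```javascript
// Constructed sample data: credential records after the acme.com / example.com
// merge, each tagged with the RP ID it was registered under (assumed shape).
const records = [
  { userId: "alice", credentialId: "cred-a1", rpId: "acme.com" },
  { userId: "bob",   credentialId: "cred-b1", rpId: "example.com" },
  { userId: "carol", credentialId: "cred-c1", rpId: "acme.com" },
  { userId: "carol", credentialId: "cred-c2", rpId: "example.com" },
];

// Discoverable flow (empty allowCredentials): the user is not known yet, so the
// stored tags cannot be consulted and the site has to commit to one RP ID.
// `lockedOut` lists users who hold no credential under that RP ID.
function discoverableRequest(allRecords, servingRpId, challenge) {
  const reachable = new Set(
    allRecords.filter(r => r.rpId === servingRpId).map(r => r.userId));
  const lockedOut = [...new Set(allRecords.map(r => r.userId))]
    .filter(u => !reachable.has(u));
  const options = { challenge, rpId: servingRpId, allowCredentials: [] };
  return { options, lockedOut };
}

// Non-discoverable flow: the user is identified first, so the tag selects the
// RP ID. Credentials under any other RP ID cannot go into the same request and
// are reported in `unreachable` rather than silently dropped.
function lookupRequest(allRecords, servingRpId, challenge, userId) {
  const mine = allRecords.filter(r => r.userId === userId);
  const rpId = mine.some(r => r.rpId === servingRpId)
    ? servingRpId
    : (mine[0]?.rpId ?? servingRpId);
  const allowCredentials = mine.filter(r => r.rpId === rpId)
    .map(r => ({ type: "public-key", id: r.credentialId }));
  const unreachable = mine.filter(r => r.rpId !== rpId).map(r => r.credentialId);
  return { options: { challenge, rpId, allowCredentials }, unreachable };
}

// Registration policy mentioned in the comment: keep registering a user's new
// credentials under the RP ID they already have credentials for.
function registrationRpId(allRecords, servingRpId, userId) {
  const existing = allRecords.find(r => r.userId === userId);
  return existing ? existing.rpId : servingRpId;
}

console.log(discoverableRequest(records, "acme.com", "challenge-1").lockedOut);
console.log(lookupRequest(records, "acme.com", "challenge-2", "carol"));
```

With `acme.com` as the serving RP ID, the discoverable request leaves the `example.com`-only user unable to sign in even though the tag is stored, while the lookup flow picks the right RP ID per user but still cannot offer credentials from both RP IDs in one call.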