Multi domain rpID

Open Draghmar opened this issue 5 months ago • 2 comments

Hey. I was looking at your library to use it in my projects but there's one thing that I can't find info about: multi-domain registration. I've seen that the domain is used not only for being an ID but also to prevent login in case of data leakage. From what I've seen, it takes the domain, hashes it and checks against said hash if needed, right? Would it be possible to use a list of domains for that? The way I see it, if I have a few entry points (e.g. example.com, sub1.example.com, sub666.example.com) I don't need to register the user on each of them but rather have one to rule them all. ;) Is it possible to achieve this with your code?

Draghmar, Jul 03 '25 13:07

It's not implemented at the moment because browser support is not there. Check https://web.dev/articles/webauthn-related-origin-requests

It's better to do a login subdomain (login.example.com) and redirect all logins to there. This is how it's usually done (for example, Google is using accounts.google.com or Microsoft is at login.microsoftonline.com).

lbuchs, Jul 03 '25 15:07

Also, if all your domains are subdomains, you can technically, iirc, set example.tld as the relying party ID and any subdomain of that can use it, so that could help.

My1, Jul 11 '25 22:07