I wanted to provide support on behalf of Shopify. We own two different domain names that are both used for user-facing authentication into the same system and for various reasons that are hard to address, the user may be authenticating with Shopify while being on either domain. Before this proposal, we have been enrolling WebAuthn credentials on a singular RP ID and iframing our WebAuthn login code and UI elements (i.e. the input field if we're wanting to use Conditional UI). This complexity (and ensuing bugs -- iframing an input field and maintaining overall functionality is tricky) has prevented us from scaling our adoption of WebAuthn features more broadly.
Having the ability to associate RP IDs would solve a major headache and would be beneficial for our users.

Mathieu, on behalf of Shopify Engineering

On Friday, October 27, 2023 at 6:15:39 PM UTC-4 Adam Langley wrote:

> *Contact emails*
> a...@chromium.org
>
> *Explainer*
> https://github.com/w3c/webauthn/wiki/Explainer:-Related-origin-requests
>
> *Summary*
> All WebAuthn credentials are associated with a single Relying Party ID
> (“RP ID”), which is essentially a domain name, and all WebAuthn requests
> are processed in the context of an RP ID. This RP ID system has existed
> since WebAuthn level one, but creates a number of challenges, most
> prominently for sites that have any country-specific domains. The
> related-origins facility is a well-known URL where an origin can list other
> origins that are authorized to use it as an RP ID.
>
> *Blink component*
> Blink>WebAuthentication
>
> *TAG review status*
> Pending
>
> *Risks*
>
> Interoperability and Compatibility: fragmentation risk if other browsers
> don't adopt it. We don't intend to have something that isn't commonly
> supported because that wouldn't be useful for sites.
>
> WebKit / Mozilla: No signal yet
>
> Web developers: Affected sites are keen in private conversations.
>
> *WebView application risks*
> There isn't support for WebAuthn in general WebViews.
>
> *Finch feature name*
> WebAuthenticationRelatedOrigin
>
> *Requires code in //chrome?*
> No. (Only tests.)
>
> *Chrome Platform Status*
> https://chromestatus.com/feature/4635336177352704
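The check that the quoted summary describes, sketched as an added example (not part of this thread and not Chromium's code). The `origins` member of the JSON document served at `/.well-known/webauthn` and the five-label minimum come from the WebAuthn specification rather than from this message; the domains and the tiny public-suffix set are constructed stand-ins.

```javascript
// Added example. Assumption: a three-entry stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "de"]);
const MAX_LABELS = 5; // clients must process at least five distinct labels

// First label of the registrable domain, e.g. "example" for "login.example.co.uk".
function registrableLabel(hostname) {
  const parts = hostname.split(".");
  for (let i = 1; i < parts.length; i++) {
    // Ascending i tries the longest candidate suffix first.
    if (PUBLIC_SUFFIXES.has(parts.slice(i).join("."))) return parts[i - 1];
  }
  return null;
}

// wellKnownBody: text fetched from https://<RP ID>/.well-known/webauthn.
// Returns true only if callerOrigin is listed and within the label budget.
function isRelatedOrigin(callerOrigin, wellKnownBody) {
  let doc;
  try { doc = JSON.parse(wellKnownBody); } catch { return false; }
  if (doc === null || typeof doc !== "object") return false;
  if (!Array.isArray(doc.origins)) return false;
  if (!doc.origins.every((o) => typeof o === "string")) return false;

  const caller = new URL(callerOrigin).origin;
  const labelsSeen = new Set();
  for (const item of doc.origins) {
    let url;
    try { url = new URL(item); } catch { continue; } // skip unparseable entries
    const label = registrableLabel(url.hostname);
    if (!label) continue;
    // Entries that would introduce a label beyond the budget are ignored,
    // so one RP ID cannot be shared across an unbounded set of sites.
    if (labelsSeen.size >= MAX_LABELS && !labelsSeen.has(label)) continue;
    if (url.origin === caller) return true; // exact origin match, not suffix match
    labelsSeen.add(label);
  }
  return false;
}

// Constructed documents for an RP ID of "example.com".
const SAMPLE = JSON.stringify({
  origins: ["https://example.co.uk", "https://login.example.de", "not a url"],
});
const SIX_LABELS = JSON.stringify({
  origins: ["a", "b", "c", "d", "e", "f"].map((l) => `https://${l}.com`),
});
```

Matching is on whole origins, so a subdomain of a listed origin is not authorized unless it is listed itself.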