
Cross-domain RP-ID for online.my-site.com and online.my-site2.com #259

Closed
igorlogvin opened this issue Jan 23, 2023 · 7 comments

@igorlogvin

igorlogvin commented Jan 23, 2023

Hello, @emlun!
I have a question. I saw several variants of cross-domain RP IDs, for example: my-site.my-domain.com and my-site-2.my-domain.com. We could make the RP ID my-domain.com. Then ceremonies on subdomains would work correctly. But what if we have this option: online.my-domain.com and online.my-domain2.com? What RP ID can be set so that credentials are created for two domains at once?
Thanks

@emlun
Member

emlun commented Jan 23, 2023

Hi! There is currently no way to do this; it's not supported by WebAuthn. There is some possibility there might be a way in the future, see w3c/webauthn#1827 (comment). But as of now the only solution is to use a redirect or iframe to perform the WebAuthn ceremonies on a single domain.

@igorlogvin
Author

I am using Java Spring. What if I recreate the RelyingParty bean at runtime like this:

```java
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import com.yubico.webauthn.extension.appid.AppId;
import com.yubico.webauthn.extension.appid.InvalidAppIdException;

/**
 * Recreate the RelyingParty configuration for the host of the current request.
 */
public RelyingParty buildRPWithCurrentHost(WebauthnProperties.RelyingParty oldRpData,
                                           String actualHost,
                                           WebauthnCredentialService webauthnCredentialService) throws InvalidAppIdException {

    // The RP ID becomes the requested host; name and icon are kept from the static config.
    RelyingPartyIdentity newRelyingPartyIdentity = RelyingPartyIdentity.builder()
            .id(actualHost)
            .name(oldRpData.getName())
            .icon(oldRpData.getIcon())
            .build();

    return RelyingParty.builder()
            .identity(newRelyingPartyIdentity)
            .credentialRepository(webauthnCredentialService)
            .appId(new AppId(oldRpData.getProtocol() + "://" + newRelyingPartyIdentity.getId()))
            .origins(oldRpData.getOrigins())
            .build();
}
```

And set the result of this method like this at runtime:

```java
try {
    RelyingParty newRelyingParty = buildRPWithCurrentHost(properties.getRelyingParty(), "online.my-domain2.com", webauthnCredentialService);
    // Assign the rebuilt instance so that later ceremonies actually use it.
    relyingParty = relyingParty.toBuilder()
            .identity(newRelyingParty.getIdentity())
            .appId(newRelyingParty.getAppId())
            .origins(newRelyingParty.getOrigins())
            .build();
} catch (InvalidAppIdException invalidAppIdException) {
    throw new MyAuthException("Can't create new RP configuration. Reason: ", invalidAppIdException);
}
```

Doesn't this create problems during further signature validation by the library?

@emlun
Member

emlun commented Jan 23, 2023

Something like that should work only as long as you don't change the "online.my-domain2.com" argument. But yes, if you register credentials to one RP ID then you have to authenticate them on the same RP ID. You can use different RP IDs on different domains, of course, but those credentials won't interoperate between different RP IDs.
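To make the scoping rule in the two replies above concrete, here is an added example in plain Java (it is not code from java-webauthn-server or from this issue). It implements the check a browser applies to a requested RP ID, namely that the RP ID must equal the origin's host or be a registrable domain suffix of it, and the per-RP-ID scoping of credentials that makes a credential registered under one RP ID unusable under another. The public suffix set, the `Credential` record and the host names are constructed for illustration; a real check consults the full public suffix list, which the library and browsers do for you.

```java
import java.util.Locale;
import java.util.Set;

/**
 * RP ID scoping as WebAuthn defines it: an RP ID is usable from an origin only if it
 * equals the origin's host or is a registrable domain suffix of it, and a credential
 * created under one RP ID is only usable in ceremonies run under that same RP ID.
 * Added illustration, not code from java-webauthn-server.
 */
public final class RpIdScope {

    // Constructed stand-in for the public suffix list (publicsuffix.org); a production
    // check must consult the real list, which is far larger than these entries.
    private static final Set<String> PUBLIC_SUFFIXES = Set.of("com", "uk", "co.uk");

    private RpIdScope() {}

    /** True if rpId equals originHost or is a registrable domain suffix of it. */
    public static boolean isValidRpIdFor(String rpId, String originHost) {
        String rp = rpId.toLowerCase(Locale.ROOT);
        String host = originHost.toLowerCase(Locale.ROOT);
        // An RP ID that is itself a public suffix would let unrelated sites share
        // credentials, so it is never accepted.
        if (rp.isEmpty() || PUBLIC_SUFFIXES.contains(rp)) {
            return false;
        }
        return host.equals(rp) || host.endsWith("." + rp);
    }

    /** A registered credential, recorded together with the RP ID it was created under. */
    public record Credential(String credentialId, String rpId) {}

    /** A credential can only be used when the ceremony's RP ID matches its own. */
    public static boolean canAuthenticate(Credential credential, String ceremonyRpId) {
        return credential.rpId().equalsIgnoreCase(ceremonyRpId);
    }

    private static void check(boolean actual, boolean expected, String what) {
        if (actual != expected) {
            throw new AssertionError(what + ": expected " + expected + " but got " + actual);
        }
    }

    public static void main(String[] args) {
        // Hosts constructed from the examples in this thread.
        check(isValidRpIdFor("my-domain.com", "my-site.my-domain.com"), true,
                "parent-domain RP ID covers a subdomain");
        check(isValidRpIdFor("my-domain.com", "my-site-2.my-domain.com"), true,
                "and covers a sibling subdomain");
        check(isValidRpIdFor("my-domain.com", "online.my-domain2.com"), false,
                "a different registrable domain is out of scope");
        check(isValidRpIdFor("com", "online.my-domain.com"), false,
                "a public suffix cannot be an RP ID");
        check(isValidRpIdFor("online.my-domain.com", "online.my-domain.com"), true,
                "an RP ID equal to the host is always fine");

        // A credential registered on one domain's RP ID does not work on the other's.
        Credential cred = new Credential("cred-1", "online.my-domain.com");
        check(canAuthenticate(cred, "online.my-domain.com"), true, "same RP ID");
        check(canAuthenticate(cred, "online.my-domain2.com"), false, "other RP ID");

        System.out.println("All RP ID scope checks passed.");
    }
}
```

Compile and run with `javac RpIdScope.java && java RpIdScope` (Java 16 or newer for the record). The point for the runtime-rebuild idea is the second half: whichever RelyingParty you select per host, a credential stays bound to the RP ID it was registered under, so two registrable domains need either separate registrations per domain or a single shared domain (redirect or iframe) for the ceremonies.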

@igorlogvin
Author

Yes, I have a task: to make it so that two identical frontends with different domains can use one backend to create a signature and authenticate with it within their domain.
Thanks for the answers! Helped a lot.

@igorlogvin
Author

Hi @emlun ! Can you please tell me if there is any progress on this issue? w3c/webauthn#1827 (comment)

We are again considering the possibility of creating a signature for our different domains of the "online.my-site.com", "online.my-site-new.com" format, so we wanted to check with you on the progress in implementing this feature.

@emlun
Member

emlun commented Jul 24, 2023

Hi! Sorry, there is no progress that I know of.

@emlun
Member

emlun commented Jul 11, 2024

There is now progress on this in WebAuthn, but it will be a while yet before the spec is finished and even longer before the feature is available in browsers: w3c/webauthn#2040

Closing this for now, please let us know if there's more to discuss.

@emlun emlun closed this as completed Jul 11, 2024