Custom handler for expectedOrigin and expectedRPID


Hello,

As a follow-up to #90: when using a browser extension, having multiple possible origins/rpIDs was really cool, but we ran into another issue, which is that some browsers like Firefox use random IDs for their extensions. That means it’s impossible to maintain a hard-coded list of origins/rpIDs.

For instance, here is the way to validate a FF origin:

    const originIsMozillaExtension = origin.match(
        /^moz-extension:\/\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
    );

I know it’s yet another addition, but would you allow a custom function handler to validate origins and rpIDs? Let me know if you have a better solution, but I guess anyone using SWA with a browser extension will face this issue.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 11 (5 by maintainers)

Top GitHub Comments
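
One way to write the custom origin check the issue asks for, as an added example that is not part of the original issue and is not SimpleWebAuthn code. The function names, the `https://login.example.com` origin, the sample challenge and the idea of pinning the extension origin stored for a user at registration are assumptions.

```javascript
// Added example; not SimpleWebAuthn code. All names below are hypothetical.
const STATIC_ORIGINS = new Set(['https://login.example.com']); // constructed value

// Pattern from the issue: Firefox gives each installed extension a random UUID.
const MOZ_EXTENSION_ORIGIN =
  /^moz-extension:\/\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Builds the origin predicate for one user. `pinned` holds extension origins
// stored for that user at registration (assumption: the app keeps them).
// The pattern matches every Firefox extension, so once a pin exists the
// origin must equal it; with no pin (registration) the pattern alone decides.
function makeOriginValidator(pinned = []) {
  const pins = new Set(pinned);
  return (origin) => {
    if (typeof origin !== 'string') return false;
    if (STATIC_ORIGINS.has(origin)) return true;
    if (!MOZ_EXTENSION_ORIGIN.test(origin)) return false;
    return pins.size === 0 || pins.has(origin);
  };
}

// Decodes base64url clientDataJSON, then checks type, challenge and origin.
function checkClientData(clientDataB64url, expected, isAllowedOrigin) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataB64url, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed clientDataJSON' };
  }
  if (data === null || typeof data !== 'object') {
    return { ok: false, reason: 'malformed clientDataJSON' };
  }
  if (data.type !== expected.type) return { ok: false, reason: 'unexpected type' };
  if (data.challenge !== expected.challenge) return { ok: false, reason: 'challenge mismatch' };
  if (!isAllowedOrigin(data.origin)) return { ok: false, reason: 'origin not allowed' };
  return { ok: true, origin: data.origin };
}

// Constructed sample: a base64url-encoded clientDataJSON for the given origin.
function sampleClientData(origin, challenge = 'c2FtcGxlLWNoYWxsZW5nZQ') {
  const json = JSON.stringify({ type: 'webauthn.get', challenge, origin });
  return Buffer.from(json).toString('base64url');
}
```
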

1 reaction
Mikescops commented, Feb 23, 2021

The debugger is a rich idea you had 👍 Hope we make WebAuthn a great standard everywhere 😄

1 reaction
Mikescops commented, Feb 19, 2021

So here is a reply from the Google team:

RP IDs are defined to be a domain name, but extensions don't have a domain name. In order to avoid collisions with domain names, different identifier spaces are distinguished by representing them as URLs. See this note in the spec: https://www.w3.org/TR/webauthn-2/#ref-for-webauthn-client%E2%91%A4:~:text=Other%20specifications%20mimicking%20the%20WebAuthn%20API%20to%20enable%20WebAuthn
Chrome extensions are not intended to specify an RP ID in the WebAuthn call at all although it does happen to work if you specify the extension ID.