As I mention in the title, we have two different subdomains, one hosted in the US ( us.domain.com ) and one in the EU ( domain.com ).
The two subdomains, being part of the same website, share a central database that has the table containing our credentials, so we'd naturally like to be able to register a security key in one place, and be able to use it to login on the other one as well.
What I'm mainly looking for is if this scenario is even valid under the WebAuthn specification, and if it is, the syntax to get Verify, Get and Create statements to accept it. I've already scoured most of the issues, and seen #236, and the Advanced Configuration with its instance system.
I've gotten so far as getting the Create options to contain my specified rp id and name (though it could get it from a relying party through the Advanced Configuration Instance system? not entirely clear on that part):
```ruby
@create_options = WebAuthn::Credential.options_for_create(
  user: {
    id: @user.webauthn_id,
    name: @user.fullname,
  },
  # This part forces the use of CTAP2 standard (unique PIN for the key)
  # This is *NOT* compatible with Firefox yet (As of 9 June 2021)
  # Default options is "preferred", and will allow firefox to treat it as a normal U2F Key (no PIN, just a tap to unlock)
  authenticator_selection: {
    user_verification: userVerification,
  },
  rp: {
    id: request.domain(1),
    name: "Company A/S"
  },
  # extensions: {
  #   uvm: true,
  # },
  exclude: @user.credentials.pluck(:external_id)
)
```
I've tried a few different syntaxes and methods, but `credential.verify(challenge)` (where `credential = WebAuthn::Credential.from_create(params[:publicKeyCredentials])`) doesn't accept any extra arguments, and the version from the instance configuration, `relying_party.verify_registration(publickey, challenge)`, doesn't either.
I attempted to use the full Instance-Based version system as described here, but verification still errors out, always using the complete domain (testing locally, that would be "http://localhost:port", where I was trying to get it to verify against "localhost"), ending in an `OriginVerificationError` when I use the above `options_for_create` settings.
Our current implementation uses webauthn-ruby 3.0.0 and WebAuthnJSON on the JS side.
Thank you for your time,
Peter.
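
The WebAuthn scoping rules behind this question, as an added example that is not part of the original post and not webauthn-ruby's own code: a relying party compares the full origin from clientDataJSON (scheme, host and port) against the origins it expects, and separately compares the rpIdHash in the authenticator data against SHA-256 of the bare RP ID, so a single RP ID of `domain.com` can cover both hosts. The helper names, the `https` scheme and the sample authenticator data are assumptions constructed for illustration.

```ruby
require "digest"
require "uri"

# Constructed values modelled on the two hosts in the post (assumed to be served over https).
RP_ID = "domain.com"
ALLOWED_ORIGINS = ["https://domain.com", "https://us.domain.com"].freeze

# True when rp_id equals the origin's host or is a dot-separated parent of it.
# Browsers additionally refuse public suffixes such as "com"; that lookup needs
# the Public Suffix List and is left out of this sketch.
def rp_id_covers_origin?(rp_id, origin)
  host = URI.parse(origin).host.to_s.downcase
  host == rp_id || host.end_with?(".#{rp_id}")
end

# Hypothetical helper showing the two scope checks a relying party makes:
#   1. clientDataJSON.origin must be one of the expected origins (exact match)
#   2. the first 32 bytes of authenticatorData must equal SHA-256(RP ID)
def check_scope(client_origin:, authenticator_data:, rp_id: RP_ID, allowed_origins: ALLOWED_ORIGINS)
  return :origin_mismatch unless allowed_origins.include?(client_origin)
  return :rp_id_not_in_scope unless rp_id_covers_origin?(rp_id, client_origin)

  rp_id_hash = authenticator_data.byteslice(0, 32)
  return :rp_id_hash_mismatch unless rp_id_hash == Digest::SHA256.digest(rp_id)

  :ok
end

# Constructed authenticator data prefix: rpIdHash (32 bytes) || flags (1) || signCount (4).
def sample_authenticator_data(rp_id)
  Digest::SHA256.digest(rp_id) + "\x01".b + [0].pack("N")
end

if __FILE__ == $PROGRAM_NAME
  shared = sample_authenticator_data("domain.com")
  # A credential scoped to "domain.com" passes on both hosts.
  puts check_scope(client_origin: "https://domain.com", authenticator_data: shared)
  puts check_scope(client_origin: "https://us.domain.com", authenticator_data: shared)
  # A credential scoped to the full subdomain does not match the shared RP ID.
  narrow = sample_authenticator_data("us.domain.com")
  puts check_scope(client_origin: "https://us.domain.com", authenticator_data: narrow)
  # An origin the server was not configured to expect fails before the hash check.
  local = sample_authenticator_data("localhost")
  puts check_scope(client_origin: "http://localhost:3000", authenticator_data: local)
end
```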