RP ID should be optional #165
Comments
netanel-utila
added
status/needs-triage
|
We can definitely make this change since it's supported in the spec. I suspect it may not have been prior to level 1 (or was just missed when originally implemented) and it was definitely missed when I took over maintenance of the library. |
|
I've linked a fix to this. Would you mind trying it and see if it works? Reading the WDL it should be omitted I believe when this is intended. |
|
Thanks for the quick response. We'll try it, and let you know. We suspect that there are more places need to be changed. |
|
Yeah this is the exact reason I wanted it checked. I think this will be mostly sufficient but there may be a validation on the response which needs changing specifically this (see step 13) and this (see step 15). If so I suspect that either it MUST be in the config or it MUST be provided via a functional option. |
james-d-elliott
added
type/feature-request
|
Hi, it also fails here: webauthn/protocol/authenticator.go Line 366 in feda47a |
|
Yeah that's what I was expecting above. So question is where do you want to supply the RP-ID? We need to supply it to validate that portion there. It could be at config time or at the time of the flow with a functional option. |
|
I think it should be supported at the time of the flow, or maybe allow any RPID there if the RPID is empty (there is also the RPOrigins config that plays a part here). |
This allows the Relying Party ID and Name to be configured at runtime rather than at configuration time. Closes #165
Version
0.8.4
Description
Hi,
It seems like not passing RP ID is invalid, but it should be valid. In case we don't set the RP ID in the options, it will use the current domain. This will also make it usable in localhost, for example.
Reproduction
Try to not pass RP ID
Expectations
No response
Documentation
No response
The text was updated successfully, but these errors were encountered: