时间戳

首页 > 解决方案 > WebAuthn Relaying Party ID for various Setups

javascript - WebAuthn Relaying Party ID for various Setups

问题描述

I have an Angular 11 Project, which implements a WebAuthn registration. The backend is SpringBoot 2.4

WebAuthn Login should work in two parts of the project, the "main" and the "viewer" The domain setup is rather complicated:

Main Project

Urls

Viewer Project

Urls

Code

environment.ts

prodUrls: ['company-project.com'],
webauthn: {
  name: "Company DEV",
  rpId: "localhost"
}

environment.prod.ts (replace in build)

prodUrls: ['company-project.com'],
webauthn: {
  name: "Company Prod",
  rpId: "plattform.intra.company.com" // gets overridden by values in "prodUrls"
}

webauthn.service.ts

private _getRelyingPartyInfo(): RelyingParty {

  let rpId = environment.webauthn.rpId;

  /**
   * Check if the Hostname matches one of our Prod Hostnames
   * and use this instead
   */
  environment.prodUrls.forEach((url, index) => {
    if (location.hostname.indexOf(url) > -1) {
      rpId = environment.prodUrls[index];
    }
  });

  const rp = {
    id: rpId,
    name: environment.webauthn.name
  };

  return rp;
}

The Issues

WebAuthnException message: rpIdHash doesn't match the hash of preconfigured rpId.

What I tried

For staging, I changed the rpId to develop.plattform.intra.company.com and I can register and login in "main". Logging in on "viewer" throws an error as well

The spec is not very specific about what should work: https://www.w3.org/TR/webauthn/#relying-party-identifier, it only says what shouldn't work. I assume, that the multiple subdomains complicate things on staging?

What would be the correct rpId for staging and is the assumption that company-project.com as rpId should work on prod correct?

标签: javascriptangularspring-bootwebauthn

解决方案

对于暂存,我将 rpId 更改为develop.plattform.intra.company.com,我可以在“main”中注册和登录。登录“查看器”也会引发错误

你得到断言的代码是什么?您可能还会遇到其他问题。您需要将获取断言 RP ID 设置为用于注册的相同 RP ID。如果您不这样做,它将默认为原点,这对于您的子域会有所不同。

推荐阅读