javascript - WebAuthn Relaying Party ID for various Setups
问题描述
I have an Angular 11 Project, which implements a WebAuthn registration. The backend is SpringBoot 2.4
WebAuthn Login should work in two parts of the project, the "main" and the "viewer" The domain setup is rather complicated:
Main Project
Urls
- Local: https://localhost:4202
- Staging: https://company.com (local Kubernetes Server)
- Prod: https://company-project.com
Viewer Project
Urls
- Local: https://localhost:4200
- Staging: https://viewer.develop.plattform.intra.company.com (local Kubernetes Server)
- Prod: https://viewer.company-project.com
Code
environment.ts
prodUrls: ['company-project.com'],
webauthn: {
name: "Company DEV",
rpId: "localhost"
}
environment.prod.ts (replace in build)
prodUrls: ['company-project.com'],
webauthn: {
name: "Company Prod",
rpId: "plattform.intra.company.com" // gets overridden by values in "prodUrls"
}
webauthn.service.ts
private _getRelyingPartyInfo(): RelyingParty {
let rpId = environment.webauthn.rpId;
/**
* Check if the Hostname matches one of our Prod Hostnames
* and use this instead
*/
environment.prodUrls.forEach((url, index) => {
if (location.hostname.indexOf(url) > -1) {
rpId = environment.prodUrls[index];
}
});
const rp = {
id: rpId,
name: environment.webauthn.name
};
return rp;
}
The Issues
- It works locally, using the rpId
localhost
(both Backend and Frontend locally) - It does NOT work on staging --> Backend throws
WebAuthnException message: rpIdHash doesn't match the hash of preconfigured rpId.
- It should work on Prod using
company-project.com
as rpId (scared to deploy as it does not work on staging)
What I tried
For staging, I changed the rpId to develop.plattform.intra.company.com
and I can register and login in "main". Logging in on "viewer" throws an error as well
The spec is not very specific about what should work: https://www.w3.org/TR/webauthn/#relying-party-identifier, it only says what shouldn't work. I assume, that the multiple subdomains complicate things on staging?
What would be the correct rpId for staging and is the assumption that company-project.com
as rpId should work on prod correct?
解决方案
对于暂存,我将 rpId 更改为develop.plattform.intra.company.com,我可以在“main”中注册和登录。登录“查看器”也会引发错误
你得到断言的代码是什么?您可能还会遇到其他问题。您需要将获取断言 RP ID 设置为用于注册的相同 RP ID。如果您不这样做,它将默认为原点,这对于您的子域会有所不同。
推荐阅读
- php - laravel 与自定义外键的多对多多态关系
- spring - 已修复:在邮递员中找不到 spring mvc 查询,因为它不在同一个 paquage 中
- c# - 如何缩短 C# 中的特定代码?
- setuptools - 我可以在 setup.cfg 的元数据描述字段中使用 attr: 吗?
- reactjs - 如何获取点击事件的关键
- python - Pymongo - 查找查询后更新记录集
- python - 如何卸载 Python 3.9.1rc1
- php - PHPWord 如何返回一个单词响应对象
- linux-kernel - Linux 编译 | 入口点无效
- javascript - 如何使用 JavaScript 显示国际虚拟会议程序的当地时间