
Conversation

@wbamberg wbamberg commented Dec 12, 2025

The page for PublicKeyCredentialRequestOptions describes rpId as follows:

A string that specifies the relying party's identifier (for example "login.example.org"). For security purposes:

  • The calling web app verifies that rpId matches the relying party's origin.
  • The authenticator verifies that rpId matches the rpId of the credential used for the authentication ceremony.

This value defaults to the current origin's domain.

It's not "the calling web app" that does this, it's the browser[1]. AIUI this is important because the whole point of this is to defend against phishing. If it's left up to the caller to do the verifying, there's nothing to stop a phishing site from asking for credentials for any other RP.

Also it doesn't make sense that rpId must "match the relying party's origin" and that it "defaults to the current origin's domain". If the first is true, why have an option at all?

I think there is a concept of "scope" in which a page at, say, "login.example.org" is allowed to get a credential for "example.org" (https://w3c.github.io/webauthn/#rp-id, although this is hard to understand and I'm not sure of the exact rules).

We should cover scope properly in the WebAuthn docs. I'm intending to talk about it in my passkey guide, but I unfortunately don't have the time to overhaul the WebAuthn docs right now. But the first issue, about who does the verifying, really should be fixed.

[1] See https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-rpid: "The client MUST verify that the Relying Party’s origin matches the scope of this RP ID." and "client" is defined at https://w3c.github.io/webauthn/#client as "A WebAuthn Client is an intermediary entity typically implemented in the user agent (in whole, or in part).".
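An added example, not part of this PR or of the MDN page it edits, modelling the check the description above attributes to the browser rather than the calling page: the client verifies that the requested rpId is the origin's effective domain or a registrable suffix of it (a public suffix such as "org" is never accepted), defaults rpId to the origin's domain when the page omits it, and only then passes the request to the authenticator, which in turn uses only credentials whose stored rpId equals the request's. The public-suffix set, the credential store and the helper names (`rpIdIsValidForOrigin`, `simulateGet`) are constructed for illustration; a real browser consults the full Public Suffix List and throws a DOMException named SecurityError.

```javascript
// Constructed stand-in for the Public Suffix List; browsers use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Error type standing in for the DOMException a browser would throw.
class WebAuthnError extends Error {
  constructor(name, message) {
    super(message);
    this.name = name; // "SecurityError" or "NotAllowedError"
  }
}

// Effective domain of an origin such as "https://login.example.org:8443".
// Returns null when the origin is not a secure context, since WebAuthn is
// unavailable there anyway.
function effectiveDomain(origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:" && url.hostname !== "localhost") return null;
  return url.hostname;
}

// The client-side scope rule: rpId must equal the origin's effective domain
// or be a registrable domain suffix of it. "login.example.org" may use
// "example.org", but not "org" (public suffix) and not some other site's
// domain. This is what stops a phishing page from asking for another RP's
// credentials: the page does not get to choose an out-of-scope rpId.
function rpIdIsValidForOrigin(origin, rpId) {
  const host = effectiveDomain(origin);
  if (host === null || !rpId) return false;
  if (PUBLIC_SUFFIXES.has(rpId)) return false;
  return host === rpId || host.endsWith("." + rpId);
}

// Model of navigator.credentials.get({ publicKey }) as seen from the client.
// `credentials` is a constructed authenticator store of { id, rpId } records.
function simulateGet(origin, publicKey, credentials) {
  // Default rpId is the origin's effective domain, as the MDN text says.
  const rpId = publicKey.rpId ?? effectiveDomain(origin);

  // Client check: performed by the browser before anything reaches the
  // authenticator, regardless of what the calling page does.
  if (!rpIdIsValidForOrigin(origin, rpId)) {
    throw new WebAuthnError("SecurityError", `rpId "${rpId}" is not in scope for ${origin}`);
  }

  // Authenticator check: only credentials created for exactly this rpId are
  // candidates for the assertion.
  const usable = credentials.filter((c) => c.rpId === rpId);
  if (usable.length === 0) {
    throw new WebAuthnError("NotAllowedError", `no credential scoped to "${rpId}"`);
  }
  return { rpId, credentialId: usable[0].id };
}

// Constructed store: one passkey registered with rpId "example.org".
const STORE = [{ id: "cred-1", rpId: "example.org" }];

function demo() {
  const results = {};
  // Subdomain of the RP: allowed.
  results.login = simulateGet("https://login.example.org", { rpId: "example.org" }, STORE);
  // Phishing origin requesting the same rpId: the client refuses.
  try {
    simulateGet("https://evil.example", { rpId: "example.org" }, STORE);
  } catch (e) {
    results.phish = e.name;
  }
  return results;
}

module.exports = { rpIdIsValidForOrigin, simulateGet, effectiveDomain, demo, STORE };
```

The two checks are deliberately separate functions: the first is the one the spec places on the client, which a page cannot bypass because the page never controls it; the second is the authenticator's own rpId match, which is why a credential minted for "example.org" is not offered to "login.example.org" unless the request actually names "example.org".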

@wbamberg wbamberg marked this pull request as ready for review December 12, 2025 03:54
@wbamberg wbamberg requested a review from a team as a code owner December 12, 2025 03:54
@wbamberg wbamberg requested review from sideshowbarker and removed request for a team December 12, 2025 03:54
@github-actions github-actions bot added Content:WebAPI Web API docs size/xs [PR only] 0-5 LoC changed labels Dec 12, 2025
github-actions bot commented Dec 12, 2025

Preview URLs

Flaws (1)

URL: /en-US/docs/Web/API/PublicKeyCredentialRequestOptions
Title: PublicKeyCredentialRequestOptions
Flaw count: 1

  • broken_links:
    • Link /en-US/docs/Web/Security/Secure_Contexts is a redirect

(comment last updated: 2025-12-12 04:35:31)

@sideshowbarker sideshowbarker merged commit d8b4253 into mdn:main Dec 12, 2025
8 checks passed