Set the WebAuthN rpId to the COOKIE_DOMAIN if set #457
Conversation
|
Thank you, I will test this today. My concern here is whether it is going to work with U2F. |
|
I'm not sure what impact this will have upon existing registered keys either, although, I think it should be fine if it matches the default assumed value by browsers. |
By default the WebAuthN Passkey is scoped to the origin domain, for example, example.org If a Multisite install however shares it's cookies with subdomains, attempting to login via subdomain.example.org will fail to match as the origin doesn't match the keys ID. On single-site, COOKIE_DOMAIN is normally false. On Multisite, it's usually set to either a) The domain, or b) on subdomains, the parent domain. The ltrim() is used for sites that support older browsers which needed the leading `.`. This allows for the WebAuthN Passkey to be setup via a subdomain or the parent domain, and used on all of it's subdomains or parent domain.
|
I have merged this into a local branch to make it easier for me to test. |
| $builder->setRelyingParty( new RelyingParty( get_bloginfo( 'name' ), self::get_u2f_app_id() ) ); | ||
| $relay = new RelyingParty( get_bloginfo( 'name' ), self::get_u2f_app_id() ); | ||
| if ( \COOKIE_DOMAIN ) { | ||
| $relay->setId( ltrim( \COOKIE_DOMAIN, '.' ) ); |
There was a problem hiding this comment.
What do you think about adding a filter on this value?
There was a problem hiding this comment.
@iandunn if you think it makes sense to use a filter here, I can add it, no problem.
But setting the relying party ID to anything else than the top level domain will break login.
There was a problem hiding this comment.
But setting the relying party ID to anything else than the top level domain will break login.
To be clear, subdomain.example.org IS fine, but only if it should be scoped to the subdomain and subdomains-of-the-subdomain.
adding a filter
FWIW I think a filter on the return value from the entire function might be the best option, to allow 100% overriding and custommization of all options.
By default the WebAuthN Passkey is scoped to the origin domain, for example, example.org
If a Multisite install however shares it's cookies with subdomains, attempting to login via subdomain.example.org will fail to match as the origin doesn't match the keys ID.
On single-site, COOKIE_DOMAIN is normally false. On Multisite, it's usually set to either a) The domain, or b) on subdomains, the parent domain. The ltrim() is used for sites that support older browsers which needed the leading
..This allows for the WebAuthN Passkey to be setup via a subdomain or the parent domain, and used on all of it's subdomains or parent domain.
Minimal testing has been done, and further testing is required.
Fixes #456