
I have an Angular 11 project which implements a WebAuthn registration. The backend is Spring Boot 2.4.

WebAuthn login should work in two parts of the project, the "main" and the "viewer". The domain setup is rather complicated:

Main Project

Urls

Viewer Project

Urls

Code

environment.ts

prodUrls: ['company-project.com'],
webauthn: {
  name: "Company DEV",
  rpId: "localhost"
}

environment.prod.ts (replace in build)

prodUrls: ['company-project.com'],
webauthn: {
  name: "Company Prod",
  rpId: "plattform.intra.company.com" // gets overridden by values in "prodUrls"
}

webauthn.service.ts

private _getRelyingPartyInfo(): RelyingParty {

  let rpId = environment.webauthn.rpId;

  /**
   * Check if the hostname matches one of our prod hostnames
   * and use that as the RP ID instead.
   */
  for (const url of environment.prodUrls) {
    // Match the hostname exactly or on a label boundary (e.g. "app.company-project.com"),
    // not as an arbitrary substring.
    if (location.hostname === url || location.hostname.endsWith('.' + url)) {
      rpId = url;
    }
  }

  const rp = {
    id: rpId,
    name: environment.webauthn.name
  };

  return rp;
}

The Issues

  • It works locally, using the rpId localhost (both Backend and Frontend locally)
  • It does NOT work on staging --> Backend throws

WebAuthnException message: rpIdHash doesn't match the hash of preconfigured rpId.

  • It should work on Prod using company-project.com as rpId (scared to deploy as it does not work on staging)

What I tried

For staging, I changed the rpId to develop.plattform.intra.company.com and I can register and login in "main". Logging in on "viewer" throws an error as well

The spec is not very specific about what should work: https://www.w3.org/TR/webauthn/#relying-party-identifier, it only says what shouldn't work. I assume, that the multiple subdomains complicate things on staging?

What would be the correct rpId for staging and is the assumption that company-project.com as rpId should work on prod correct?

PrimuS

1 Answer

For staging, I changed the rpId to develop.plattform.intra.company.com and I can register and login in "main". Logging in on "viewer" throws an error as well

What's your code to get the assertion? You might also be running into this other question. You need to set the get assertion RP ID to the same RP ID used for registration. If you don't, it will default to the origin, which for your subdomain will be different.

Nina Satragno