Closed vixducis closed 4 years ago
Do you have an example of where this causes issues? Or do you have a link to the spec where it specifies rpId
to be uppercase?
To my understanding rp
would be an object anyway and therefore would be need to be accessed by rp.id
.
This does mean though that the package would need to change rpid
to rp->id
I found the piece of info on Moz: https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions/rpId
Indeed, the moz article is correct. This library currently contains the lowercase rpid
, while it should be rpId
.
In webauthn.php, there's following code:
$publickey->rpid = str_replace('https://', '', $this->appid);
This rpid key is directly used for the challenge in the authentication request. However, at least a few browsers treat the json key case-sensitively and the authenticator will not be able to find any of the IDs that were provided. This should fix the issue:
$publickey->rpId = str_replace('https://', '', $this->appid);