davidearl / webauthn

An implementation of webauthn in PHP on the server side (e.g. Yubico 2 and Google Titan keys)
https://webauthn.davidearl.uk
MIT License
129 stars 24 forks

rpid should be rpId #12

Closed vixducis closed 4 years ago

vixducis commented 5 years ago

In webauthn.php, there's the following code:

```php
$publickey->rpid = str_replace('https://', '', $this->appid);
```

This rpid key is directly used for the challenge in the authentication request. However, at least a few browsers treat the JSON key case-sensitively and the authenticator will not be able to find any of the IDs that were provided. This should fix the issue:

```php
$publickey->rpId = str_replace('https://', '', $this->appid);
```

benjamindoe commented 4 years ago

Do you have an example of where this causes issues? Or do you have a link to the spec where it specifies rpId to be uppercase?

To my understanding rp would be an object anyway and therefore would need to be accessed by rp.id.

This does mean though that the package would need to change rpid to rp->id

EDIT

I found the piece of info on Moz: https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions/rpId

vixducis commented 4 years ago

Indeed, the moz article is correct. This library currently contains the lowercase rpid, while it should be rpId.
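
The check below is an added example, not part of the thread or of davidearl/webauthn: it audits the options object a server sends for `navigator.credentials.get()` and reports keys such as `rpid` that differ only in case from a `PublicKeyCredentialRequestOptions` member, since the browser reads exact member names and ignores the rest. The helper name `auditRequestOptions` and the sample values are assumptions made for illustration.

```javascript
// Added example: not code from davidearl/webauthn.
// Member names of PublicKeyCredentialRequestOptions (WebAuthn Level 2).
const REQUEST_OPTION_MEMBERS = [
  "challenge", "timeout", "rpId", "allowCredentials",
  "userVerification", "extensions",
];

// Lower-cased name -> canonical spelling, for case-insensitive lookup.
const CANONICAL = new Map(
  REQUEST_OPTION_MEMBERS.map((name) => [name.toLowerCase(), name])
);

// Hypothetical helper: inspect the object the server sent for the
// authentication request and report keys the browser would not read.
function auditRequestOptions(options) {
  const miscased = []; // e.g. { found: "rpid", expected: "rpId" }
  const unknown = [];  // keys that match no member at all
  const fixed = {};    // copy with miscased keys renamed
  for (const [key, value] of Object.entries(options)) {
    const canonical = CANONICAL.get(key.toLowerCase());
    if (canonical === undefined) {
      unknown.push(key);
      fixed[key] = value;
      continue;
    }
    if (canonical !== key) {
      miscased.push({ found: key, expected: canonical });
    }
    // If both spellings are present, the correctly cased one wins.
    if (canonical === key || !(canonical in options)) {
      fixed[canonical] = value;
    }
  }
  return { miscased, unknown, fixed };
}

// Constructed sample mirroring the key quoted in the issue.
const sample = {
  challenge: "Y29uc3RydWN0ZWQ",   // constructed value
  rpid: "example.test",           // lower-case key, as in the issue
  allowCredentials: [{ type: "public-key", id: "Y3JlZC1pZA" }],
};

const report = auditRequestOptions(sample);
console.log(report.miscased, report.fixed.rpId);
```

When `rpId` is absent from the options the browser falls back to the effective domain of the calling origin, so a miscased key only shows up as a failure when the intended RP ID differs from that default.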