passkeydeveloper / passkeys.dev

source for the passkeys.dev developer site
https://passkeys.dev

Nit: Is rpId really needed from server options? #365

Closed sbweeden closed 1 day ago

sbweeden commented 5 months ago

Issue with existing content

Link to content

https://passkeys.dev/docs/use-cases/bootstrapping/

What is the issue?

Current text:

Retrieve the authentication options from your server. Return at least a random challenge and rpId to be associated with this authentication request.

Proposed changes

Is the rpId really required? My understanding is that rpId is optional in WebAuthn calls, so strictly speaking what's really required is the challenge.

Any other notes

timcappalli commented 5 months ago

While it's optional in the spec, it doesn't hurt to be more explicit about it in the request. Especially if you prefer top level over subdomain.

sbweeden commented 5 months ago

It would be better as something like:

Retrieve the authentication options from your server. Return at least a random challenge to be associated with this authentication request. Other parameters such as rpId, [fill in any others here] are also recommended to be returned from the server.
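The point discussed in this thread, as an added example that is not part of the issue or of the passkeys.dev site: a server can return only a challenge, in which case the client uses the origin's host as the RP ID, or it can also return an explicit rpId such as the top-level domain. The helper names and the example.com hosts are hypothetical, and the suffix check is a simplification of the registrable-domain rule that clients apply.

```javascript
// Added example; function names and domains are hypothetical.
// Use Web Crypto where it is global, fall back to Node's module otherwise.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Server side: options returned to the client for navigator.credentials.get().
// The challenge is always present; rpId is included only when the RP pins it.
function buildAuthenticationOptions({ rpId } = {}) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32)); // fresh per request
  const options = { challenge: Buffer.from(bytes).toString('base64url') };
  if (rpId !== undefined) options.rpId = rpId;
  return options;
}

// Models which RP ID the client ends up using for a given page origin.
// Omitted rpId: WebAuthn defaults to the origin's effective domain (its host).
// Explicit rpId: must equal the host or be a parent domain of it.
// Simplification (assumption): real clients also consult the public suffix
// list, so a bare suffix such as "com" is rejected there but not here.
function effectiveRpId(origin, options) {
  const host = new URL(origin).hostname;
  if (options.rpId === undefined) return host;
  const rpId = options.rpId.toLowerCase();
  if (host !== rpId && !host.endsWith('.' + rpId)) {
    throw new Error(`rpId "${rpId}" is not valid for origin ${origin}`);
  }
  return rpId;
}

// Constructed scenario: the sign-in page lives on a subdomain.
function demo() {
  const origin = 'https://login.example.com';
  const implicit = buildAuthenticationOptions();
  const explicit = buildAuthenticationOptions({ rpId: 'example.com' });
  return {
    implicit: effectiveRpId(origin, implicit), // scoped to the subdomain
    explicit: effectiveRpId(origin, explicit), // scoped to the top-level domain
  };
}

console.log(demo());
```

With the rpId omitted, the request made from login.example.com is scoped to that subdomain, so it will not match passkeys that were registered with the RP ID example.com.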