tweag / webauthn

A library for parsing and validating webauthn/fido2 credentials
Apache License 2.0
34 stars 11 forks

Pass a list of allowed origins instead of a single origin #184

Closed arianvp closed 3 months ago

arianvp commented 3 months ago

Android and iOS also support WebAuthn just like browsers.

The apps will use their AppStore/PlayStore AppID as the origin. This means we need to allow a list of origins instead of a single origin.

Apple uses https://developer.apple.com/documentation/xcode/supporting-associated-domains to link the app origin to the RpId

Google uses an assetlinks.json file: https://developers.google.com/identity/fido/android/native-apps#interoperability_with_your_website

infinisil commented 3 months ago

Multiple origins look like a Webauthn 3 (which is still a draft) specific notion, see https://www.w3.org/TR/webauthn-3/#sctn-validating-origin; this doesn't seem to be documented in Webauthn 2.

This library currently only implements Webauthn 2, but this seems very benign, and since it's already used in practice, it sounds fine to add.

Please add some comments to the code/docs to explain this context.
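An added illustration, in Python rather than the library's own Haskell, of the check the two comments above are discussing: the origin carried in clientDataJSON is matched against a set of allowed origins instead of one string, app origins are accepted only by exact membership, and web origins must additionally sit under the rpId. This is not code from the tweag/webauthn project; the allow-list entries, rpId, challenge and the "android:apk-key-hash:..." value are constructed for the example.

```python
import base64
import json
from urllib.parse import urlsplit

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(data: str) -> bytes:
    # clientDataJSON fields use unpadded base64url
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def origin_within_rp_id(origin: str, rp_id: str) -> bool:
    # Web origins: the host must be the rpId itself or a subdomain of it
    # (an approximation of the spec's registrable-domain-suffix rule).
    # App origins (the constructed "android:apk-key-hash:..." value in the
    # test) carry no host; they are accepted only by exact allow-list membership.
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return True
    host = parts.hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def validate_client_data(client_data_b64: str, expected_type: str,
                         expected_challenge: bytes, rp_id: str,
                         allowed_origins: set) -> tuple:
    """Return (ok, reason) for one clientDataJSON against an origin allow-list."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != expected_type:
        return False, "type mismatch"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    origin = data.get("origin", "")
    if origin not in allowed_origins:          # a set of origins, not one string
        return False, f"origin {origin!r} not in allow-list"
    if not origin_within_rp_id(origin, rp_id):
        return False, f"origin {origin!r} is not within rpId {rp_id!r}"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes,
                     typ: str = "webauthn.get") -> str:
    # Constructed clientDataJSON in the shape a client would send it
    body = {"type": typ, "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(body).encode())
```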

infinisil commented 3 months ago

Would also be neat to have a test with two origins ;)

arianvp commented 3 months ago

I added some quickcheck properties now. Hope this suffices? :D PTAL