
Unexpected RpIdHash #45

Closed
raynirola opened this issue Apr 14, 2024 · 15 comments
Comments

@raynirola

I am implementing WebAuthn in a Chrome extension; registration works, but authentication fails with Unexpected RpIdHash: foo vs bar

client:

import ky from 'ky';
import { client } from '@passwordless-id/webauthn';

async function authenticate() {
    const challenge = await ky
        .create({ prefixUrl: process.env.API_URL, credentials: 'include' })
        .post('auth/challenge', { json: { username: 'testuser' } })
        .json<{ challenge: string; id?: string }>();

    const authentication = await client.authenticate(challenge.id ? [challenge.id] : [], challenge.challenge, {
        authenticatorType: 'auto',
        userVerification: 'required',
        mediation: 'required',
        timeout: 60000,
        debug: false,
    });

    await ky
        .create({ prefixUrl: process.env.API_URL, credentials: 'include' })
        .post('auth/login', { json: { authentication } })
        .json<{ message: string }>();
}

server:

  import { server } from '@passwordless-id/webauthn'

  const authentication = req.body.authentication as AuthenticationEncoded

  const credential = await db.credential.findUniqueOrThrow({ where: { credentialId: authentication.credentialId } })

  await server.verifyAuthentication(
    authentication,
    {
      id: credential.credentialId,
      algorithm: credential.algorithm,
      publicKey: credential.publicKey,
    },
    {
      challenge: req.signedCookies.challenge,
      origin: 'chrome-extension:https://id',
      userVerified: false,
      verbose: true,
    },
  )
@dagnelies
Collaborator

I suspect the origin will not be chrome-extension:https://id but rather the domain name of the website being visited.

@raynirola
Author

raynirola commented Apr 14, 2024

No, this is all in the context of a popup panel; there's no website being visited. @dagnelies

@dagnelies
Collaborator

Hmmm... I never tried it with browser extensions so far, so I'm not familiar with it.
The lib uses window.location.hostname as default RP ID. Perhaps that's an issue in the extension's context.
You can also enable the register(..., {debug: true}) flag to have the RP ID printed out in the console (at debug level).

@raynirola
Author

raynirola commented Apr 14, 2024

window.location.hostname

Is there a way to override this? For a Chrome extension this needs to be set to empty. This will also prevent authentication from iframes, I guess.

@raynirola
Author

@dagnelies I found the issue; can I PR for extension support?

@dagnelies
Collaborator

Sure, you're welcome! Ideally with a note in the readme too.

@dagnelies
Collaborator

Solved in v1.6.0.
You can now override rp: {id: ..., name: ...} in the registration options.

@raynirola
Author

@dagnelies Thanks.

@dagnelies
Collaborator

@raynirola ...wait a second ...it's incomplete ...further fix coming

@dagnelies dagnelies reopened this Apr 18, 2024
@raynirola
Author

raynirola commented Apr 18, 2024

Still one issue: rp.id is optional by default (in browsers), and with a Chrome extension it needs to be set to undefined.

@dagnelies
Collaborator

dagnelies commented Apr 18, 2024

Well, according to the specs it is required: https://w3c.github.io/webauthn/#dom-publickeycredentialrpentity-id

EDIT: Nevermind... the name is required but not the id

@raynirola
Author

Well, according to the specs it is required: https://w3c.github.io/webauthn/#dom-publickeycredentialrpentity-id

EDIT: Nevermind... the name is required but not the id

https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create#id_4

@raynirola
Author

raynirola commented Apr 18, 2024

I guess there's confusion between the entity id and the relying party id, or browsers are not following the specs.

@dagnelies
Collaborator

dagnelies commented Apr 18, 2024

I guess there's confusion between entity id and relying party id, or browsers not following specs

In the specs too, the RP ID is always a domain and never ever anything else. Regarding "browsers not following specs", it's kind of commonplace with webauthn sadly 😓 ...and it still feels like a "moving target". I would be wary of seeing behavior changes regarding webauthn and chrome extensions.

Regarding your initial post, could you please try out the latest version and simply set domain to your "chrome-extension id"?
Since you had origin: 'chrome-extension:https://id' as the origin in the authentication result, it may just work out. ...otherwise, yeah, it would need a flag to disable it ...but I wonder what value it would receive in practice. After all, verifying the rpId hash is part of the verification procedure.

@dagnelies
Collaborator

So, in register(... {domain: id}), authenticate(... {domain: id}) and verifyAuthentication(... {domain: id}).
