Public key credentials are not accessible among subdomains during web authentication

Question

I was able to create public-private key pair using web authentication in the browser for a domain "www.exxample.ba" but i am not able to access the credentials using get() from "www.example.co.in".

Is there any way to get past this limitation like using an extension or something.

score 3 · Accepted Answer · answered Feb 14 '22 at 00:44

The simple answer to your question is no, the API itself fundamentally prevents your use case from being possible.

Digging into it a bit, WebAuthn credentials are bound to an RP ID that is the "effective domain" of a single website. The rules are fairly straightforward:

Credentials bound to RP ID "example.com" can be used to authenticate on https://example.com and https://subdomain.example.com
Credentials bound to "subdomain.example.com" can be used on https://subdomain.example.com but NOT on https://example.com/
Credentials bound to "example.com" CANNOT be used on https://example.org

Public key credentials are not accessible among subdomains during web authentication

1 Answers1