Conditional Create for Related-Origin Requests

141 views
Skip to first unread message

Jack Chen

unread,
Jun 24, 2025, 10:53:32 AM 6/24/25
to FIDO Dev (fido-dev)
Hi Group,

I have been looking and experimenting around WebAuthN Conditional Create, particularly around requests for related origins.

Scenario :
1. Both a.example.com and b.example.com list each other as related origins in their respective .well-known/webauthn
2. User uses password manager to fill username and password on a.example.com
3. Browser redirects to b.example.com and tries to create a conditional passkey
     a). navigator.credentials.create({ mediation: 'conditional', rpID: a.example.com
     b) navigator.credentials.create({ mediation: 'conditional', rpID: b.example.com

Observation :
a) and b) both result in a NotAllow error from the user agent (Chrome)

I might have missed it from the  spec  but I did not find any particular discussions on related origins for conditional create. I do see a one-liner on the  explainer  " The origin of the document where the authentication ceremony was mediated and the origin where navigator.credentials.create must be the same " but wasn't sure if that's a not allowed even for related origin scenario.

Question :
1. Is related origins not allowed for WebAuthN conditional create at all?
2. If this is not an allowed scenario, would we consider to support this scenario in the future? We allowed Conditional UI (get) for related origin requests, I think this is similar scenario just with create.


Thanks,
Jack

Tim Cappalli

unread,
Jun 24, 2025, 11:09:07 AM 6/24/25
to Jack Chen, FIDO Dev (fido-dev)
Conditional Create isn’t explicitly supported with Related Origins. There are additional considerations that would have to be accounted for. Create and Get has very different privacy considerations in the context of a conditionally mediated call.

Admittedly, this is not clear in the spec. I can at least get passkeys.dev updated quickly to call this out.

As an aside, for the example you provided, you should just use example.com ​ as your RP ID and it will work across both origins.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org .
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/e54e8486-8ee6-4a0d-8455-ccd05f033789n%40fidoalliance.org .

Jack Chen

unread,
Jun 24, 2025, 3:17:02 PM 6/24/25
to FIDO Dev (fido-dev), Tim Cappalli, Jack Chen
Thanks Tim, for the clarification.

(Yea, I meant to put endpoints from different TLD in the example

Reply all
Reply to author
Forward
0 new messages