Associated Domain and Related Origins

204 views
Skip to first unread message

Jack Chen

unread,
Oct 28, 2025, 11:08:28 PM 10/28/25
to FIDO Dev (fido-dev)
Hi Group,

Wondering if anyone has an answer for this or if anyone has experimented with this setup.

Setup
1. I have two domains a.com  and  b.com and  an iOS app App_C
2. b.com /.well-known/apple-app-site-association lists  App_C   so App_C can use passkey from b.com
3.  a.com /.well-known/ webauthn lists b.com so user visiting  b.com can use passkeys from a.com

Question
1. Can App_C uses passkey from a.com with the current setup?
2. If the answer is no, then setup  a.com /.well-known/apple-app-site-association to include  App_C should now allow  App_C to to use passkey from a.com , but can  App_C  uses  a.com  passkey while visiting b.com (taking advantage of related origins) in embedded browser?

Any clarification on RP ID binding rules between native apps and web origins would be greatly appreciated! 

Thanks,
Jack

Tim Cappalli

unread,
Oct 29, 2025, 9:29:11 AM 10/29/25
to Jack Chen, FIDO Dev (fido-dev)
Recommend using passkeys.dev/discuss for passkey developer related questions but will answer here as well.

App platform-based association methods (digital asset links, app association, etc) are not directly related to the Web Platform's WebAuthn Related Origin Requests and they do not affect each other. 

The full answer depends on what the RP ID is for the passkey. What is the RP ID?



From: fido...@fidoalliance.org < fido...@fidoalliance.org > on behalf of Jack Chen < jcjack...@gmail.com >
Sent:  Tuesday, October 28, 2025 11:08:36 PM
To:  FIDO Dev (fido-dev) < fido...@fidoalliance.org >
Subject:  [FIDO-DEV] Associated Domain and Related Origins
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org .
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/4051e996-1a8b-48b6-bd51-214aff2c1228n%40fidoalliance.org .

Jack C

unread,
Oct 29, 2025, 2:26:05 PM 10/29/25
to FIDO Dev (fido-dev), Tim Cappalli, Jack Chen
I see, let me reiterate the setup and question:

RPID would be a.com
a.com /.well-known/apple-app-site-association includes  App_C
b.com /.well-known/apple-app-site-association includes  App_C
a.com /.well-known/webauthn includes b.com

App_C renders b.com  in embedded browser for authentication requests, could we use a.com passkey here?

Tim Cappalli

unread,
Nov 2, 2025, 10:52:59 AM 11/2/25
to Jack C, FIDO Dev (fido-dev), Jack Chen
Embedded web views run in the hosting app's context, so it would not use WebAuthn Related Origin Requests, it would use the platform association method. You have those defined, so it should work.

tim
Reply all
Reply to author
Forward
0 new messages