Replies: 1 comment
Hey there, we have not yet tested multi origin passkey support, but from ROR it looks like the original key is the right one
Hi there! Humble apologies in advance if this discussion reopens a zombie debate. I really only have a focused question, but I'd like to put it in context for the sake of the next person searching as I just did.
(eTLD+1) × 3
I have several .org domains affiliated with one umbrella non-profit. Naturally we're also non-budget, and so I've self-deployed Kratos. (THANK YOU Ory team 💖 for your consistent open source leadership!)
I've done most development in just one domain; now we're hoping to expand to the others while sharing a common roster and active sessions. We want our members to freely move between those constituent sites, after a single sign-in.
session cookies
I'm familiar with request #662, which I had been observing at the time. Support for multi-origin session cookies was officially declined, at least for self-hosted deployments. But supported or not, crafty people can do it anyway.
relying parties
Separate from distributing the session cookies: I'd been concerned about registering and using passkeys from different points of entry. I've now found Related Origin Requests (ROR) which I believe neatly addresses this case for up to five "eTLD+1" origins. [Aside: that sets a modest, industry-wide cap on how "scalable" redirects would be to support.]
I began to search ory.sh and GitHub to satisfy myself that Kratos is out ahead of this.
The most direct reference I found was this blog entry which shows where to configure WebAuthn related origins. This gave me search terms to find code references, but little else. Also we know that the webauthn method is deprecated in favor of passkey.
my question
selfservice.methods.passkeys.config.rp.origins list; is that what I was looking for? And if so is it a stub, or is it supported?
If rp.origins is what I need, it felt undocumented during my search. I did find one example populating that key. But even its own comment wasn't updated from origin to origins, and nothing in the text addresses anything other than a single entry. Multiple entries can be a surprisingly complex topic worthy of at least an external link.
general optimism
I mostly asked this as an excuse to organize breadcrumbs for anyone behind me with a similar interest in this topic.
I'll assume that I'm on the right track, but if I'm wrong please clue me in. Thanks!
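Added example, not part of the original post and not Kratos code: a sketch of the check a browser applies under Related Origin Requests to the `/.well-known/webauthn` document served from the RP ID's domain, showing how the five-label cap mentioned in the post drops a sixth site. The `.example` origins, the function names, and the shortcut of treating the last DNS label as the public suffix (a real client uses the Public Suffix List) are assumptions.

```javascript
// Models the client-side Related Origin Requests check (WebAuthn Level 3).
// Assumption: the public suffix is the last DNS label, which holds for plain
// .org-style names; a real client consults the Public Suffix List.
const MAX_LABELS = 5; // the five-label limit the post mentions

// "www.alpha.example" -> "alpha" (label of the eTLD+1 under the assumption above)
function registrableLabel(hostname) {
  const parts = hostname.split(".").filter(Boolean);
  return parts.length >= 2 ? parts[parts.length - 2] : null;
}

// wellKnown: parsed JSON body of https://<rpId>/.well-known/webauthn
function relatedOriginAllowed(callerOrigin, wellKnown) {
  if (!wellKnown || !Array.isArray(wellKnown.origins)) return false;
  const caller = new URL(callerOrigin).origin;
  const labelsSeen = new Set();
  for (const item of wellKnown.origins) {
    let url;
    try { url = new URL(item); } catch { continue; } // skip unparsable entries
    const label = registrableLabel(url.hostname);
    if (!label) continue;
    // Once the cap is reached, entries that introduce a new label are ignored.
    if (labelsSeen.size >= MAX_LABELS && !labelsSeen.has(label)) continue;
    // Exact origin match: scheme, host and port must all agree.
    if (url.origin === caller) return true;
    if (labelsSeen.size < MAX_LABELS) labelsSeen.add(label);
  }
  return false;
}

// Constructed sample document: six sites listed for one shared RP ID.
const sampleWellKnown = {
  origins: [
    "https://alpha.example", "https://www.alpha.example", // same label, counted once
    "https://bravo.example", "https://charlie.example",
    "https://delta.example", "https://echo.example",
    "https://foxtrot.example", // sixth distinct label: ignored by the cap
    "not a url",
  ],
};

console.log(relatedOriginAllowed("https://echo.example", sampleWellKnown));
console.log(relatedOriginAllowed("https://foxtrot.example", sampleWellKnown));
```

Order in the `origins` list matters: the first five distinct labels win, so a site appended later can be silently excluded even though it appears in the document.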