
Implement Related Origins support (WebAuthn L3 § 5.11) #160

@AlfioEmanueleFresta


Summary

WebAuthn Level 3 introduces Related Origins (§ 5.11), allowing credentials to be used across unrelated domains. The RP hosts a JSON document at https://{rpId}/.well-known/webauthn listing allowed origins.

Proposed Implementation

  1. New module: ops/webauthn/related_origins.rs

    • RelatedOriginsDocument struct for parsing the well-known JSON
    • RelatedOriginsHttpClient trait for fetching (pluggable, testable)
    • validate_related_origins() implementing the validation procedure from § 5.11.1
  2. Enhance RelyingPartyId (addresses #137, "Relying Party ID (RPID) validation")

    • Add validate_for_origin() to check if RP ID is a registrable suffix
    • Return whether related origins validation is required
  3. Dependencies

    • url for origin parsing
    • publicsuffix for registrable domain detection

Feature Flags

```toml
[features]
related-origins = []
related-origins-client = ["related-origins", "reqwest"]
```
  • related-origins: Core validation logic with trait-based HTTP client
  • related-origins-client: Optional embedded HTTP client for testing/convenience

Future Consideration

The existing WebSocket/Noise implementation for caBLE could be refactored to follow the same pattern (trait + optional default implementation behind a feature flag) for consistency.
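The three proposal items above (well-known document parsing, a pluggable fetcher, the § 5.11.1 validation procedure, and the RelyingPartyId registrable-suffix check that decides whether that procedure is needed) fit together as follows. This is an added example written for this page, not code from the project or from the issue author. It assumes a hand-rolled parser for the exact `{"origins": [...]}` shape and a tiny hard-coded stand-in for the Public Suffix List so that it runs with the standard library alone; the real module would use `serde_json`, `url` and `publicsuffix` as the proposal says. The names `origin_host`, `registrable_domain`, `origin_allowed_for_rp_id`, `StaticClient` and `demo_client` are this example's own, and the well-known body in `demo_client` is constructed sample data.

```rust
// Added example (not the project's code): WebAuthn Level 3 Related Origins
// validation (§ 5.11.1) with a pluggable fetcher, plus the RP ID
// registrable-suffix check that decides whether the procedure is needed at all.
use std::collections::HashSet;

/// Distinct eTLD+1 labels honoured per document; the spec's minimum is 5.
const MAX_LABELS: usize = 5;
/// Stand-in for the Public Suffix List (assumption: real code uses the `publicsuffix` crate).
const PUBLIC_SUFFIXES: &[&str] = &["com", "org", "net", "io", "de", "co.uk", "github.io"];

/// Parsed https://{rpId}/.well-known/webauthn document: {"origins": ["https://...", ...]}.
pub struct RelatedOriginsDocument { pub origins: Vec<String> }

impl RelatedOriginsDocument {
    /// Minimal parser for exactly that shape (assumption: no escaped quotes in origins;
    /// real code would use serde_json).
    pub fn parse(json: &str) -> Option<Self> {
        let rest = &json[json.find("\"origins\"")?..];
        let open = rest.find('[')?;
        let close = rest.find(']')?;
        if close < open { return None; }
        let origins = rest[open + 1..close].split(',')
            .map(|s| s.trim().trim_matches('"').to_string())
            .filter(|s| !s.is_empty()).collect();
        Some(Self { origins })
    }
}

/// Pluggable fetcher: production does an HTTPS GET, tests return canned bodies.
pub trait RelatedOriginsHttpClient {
    fn fetch_well_known(&self, rp_id: &str) -> Option<String>;
}

/// Lowercased host of an http(s) origin, or None if it is not a web origin.
/// (Assumption: no IPv6 literals or userinfo; a real URL parser handles those.)
fn origin_host(origin: &str) -> Option<String> {
    let (scheme, rest) = origin.split_once("://")?;
    if scheme != "https" && scheme != "http" { return None; }
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let host = authority.split(':').next()?.to_ascii_lowercase();
    if host.is_empty() { None } else { Some(host) }
}

/// Registrable domain (eTLD+1) of a host under the stand-in suffix list; None if the
/// host has no known public suffix or is itself one (e.g. "github.io").
fn registrable_domain(host: &str) -> Option<String> {
    if PUBLIC_SUFFIXES.contains(&host) { return None; }
    let labels: Vec<&str> = host.split('.').collect();
    let mut best = 0; // label count of the longest matching public suffix
    for &s in PUBLIC_SUFFIXES {
        let n = s.matches('.').count() + 1;
        let on_boundary = host.ends_with(s) && host.as_bytes()[host.len() - s.len() - 1] == b'.';
        if n < labels.len() && n > best && on_boundary { best = n; }
    }
    if best == 0 { return None; }
    Some(labels[labels.len() - best - 1..].join("."))
}

/// Proposal item 2: the RP ID must equal the origin's host or be a registrable domain
/// suffix of it; if neither holds, Related Origins validation is required.
pub fn rp_id_matches_origin(rp_id: &str, origin: &str) -> bool {
    let host = match origin_host(origin) { Some(h) => h, None => return false };
    if host == rp_id { return true; }
    // Suffix on a label boundary, and the RP ID itself must be registrable: a bare
    // public suffix such as "com" or "co.uk" would span unrelated sites.
    host.ends_with(&format!(".{}", rp_id)) && registrable_domain(rp_id).is_some()
}

/// § 5.11.1: fetch the document for rp_id and accept caller_origin only if it is listed,
/// honouring at most MAX_LABELS distinct eTLD+1 labels (entries past the cap are ignored).
pub fn validate_related_origins(client: &dyn RelatedOriginsHttpClient, rp_id: &str, caller_origin: &str) -> bool {
    let doc = match client.fetch_well_known(rp_id).and_then(|b| RelatedOriginsDocument::parse(&b)) {
        Some(d) => d, None => return false,
    };
    let mut labels_seen: HashSet<String> = HashSet::new();
    for item in &doc.origins {
        let host = match origin_host(item) { Some(h) => h, None => continue };
        let etld1 = match registrable_domain(&host) { Some(d) => d, None => continue };
        let label = etld1.split('.').next().unwrap_or("").to_string(); // "example" for example.co.uk
        if !labels_seen.contains(&label) {
            if labels_seen.len() >= MAX_LABELS { continue; }
            labels_seen.insert(label);
        }
        if item == caller_origin { return true; }
    }
    false
}

/// Full client-side decision for a WebAuthn call from `origin` that names `rp_id`.
pub fn origin_allowed_for_rp_id(client: &dyn RelatedOriginsHttpClient, rp_id: &str, origin: &str) -> bool {
    rp_id_matches_origin(rp_id, origin) || validate_related_origins(client, rp_id, origin)
}

/// Test double for the fetcher: (rp_id, body) pairs; the body is constructed sample data.
pub struct StaticClient(pub Vec<(String, String)>);
impl RelatedOriginsHttpClient for StaticClient {
    fn fetch_well_known(&self, rp_id: &str) -> Option<String> {
        self.0.iter().find(|(id, _)| id == rp_id).map(|(_, body)| body.clone())
    }
}

pub fn demo_client() -> StaticClient {
    // Six distinct labels (example, example-a .. example-e): the sixth is past the cap.
    let body = r#"{"origins":["https://example.co.uk","https://example.de","https://example-a.com",
        "https://example-b.com","https://example-c.com","https://example-d.com",
        "https://example-e.com","not a url"]}"#;
    StaticClient(vec![("example.com".to_string(), body.to_string())])
}

fn main() {
    let client = demo_client();
    for origin in ["https://login.example.com", "https://example.co.uk", "https://example-d.com",
                   "https://example-e.com", "https://example.com.evil.com"] {
        println!("{}: {}", origin, origin_allowed_for_rp_id(&client, "example.com", origin));
    }
}
```

Two behaviours worth checking in any real implementation are visible here: `https://example.com.evil.com` is rejected because the suffix match is done on a label boundary, and `https://example-e.com` is rejected even though it is listed, because it introduces a sixth distinct eTLD+1 label and the spec caps the count the client will honour. An RP that needs more than five label families cannot get there by listing more origins; it has to pick a different RP ID.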

Labels: enhancement (New feature or request)