Javascript Question posted in
A very good W3school tutorial can be found here.

Javascript – Is it allowed to use an IPv4 as rp_id in webauthn credential creation options?

I am writing a webauthn demonstrator following https://webauthn.guide, and it works well when I host my frontend on https://localhost:4200.’

However, if I host the angular frontend to my local network, and replace rp_id='localhost' with the ip address I can open the frontend with, say, rp_id='198.168.99.99', navigator.credentials.create always gives DOMException: The operation is insecure..

I expected the credential creation to succeed since the ip is part of the URL I open the website with. How can I successfully create the credentials on a website served on my local network?

Tags:

2

Answers


  1. 0

    (Posting as an answer because I can’t comment yet.)

    It sounds like you’re running into a security issue. Browsers often treat local IP addresses differently due to security policies. To tackle this, try serving your site using HTTPS on your local network, and make sure the rp_id matches the SSL certificate. Also, double-check that the IP address is listed in your WebAuthn server’s allowed origins. This should help you get past the "operation is insecure" hiccup.

    Login or Signup to reply.
  2. 0

    IP addresses cannot be RP IDs. Note the following from the WebAuthn spec:

    Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. Only the domain format of host is allowed here. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search