fix: provide domain in session, passkey and u2f (#6097)

This fix provides a possibility to pass a domain on the session, which will be used (as rpID) to create a passkey / u2f assertion and attestation. This is useful in cases where the login UI is served under a different domain / origin than the ZITADEL API.
2025-08-12 05:07:31 +00:00 · 2023-06-27 14:36:07 +02:00
parent d0cda1b479
commit bd5defa96a
32 changed files with 287 additions and 123 deletions
--- a/internal/repository/user/human_mfa_web_auth_n.go
+++ b/internal/repository/user/human_mfa_web_auth_n.go
@@ -14,6 +14,7 @@ type HumanWebAuthNAddedEvent struct {

 	WebAuthNTokenID string `json:"webAuthNTokenId"`
 	Challenge       string `json:"challenge"`
+	RPID            string `json:"rpID,omitempty"`
 }

 func (e *HumanWebAuthNAddedEvent) Data() interface{} {
@@ -28,11 +29,13 @@ func NewHumanWebAuthNAddedEvent(
 	base *eventstore.BaseEvent,
 	webAuthNTokenID,
 	challenge string,
+	rpID string,
 ) *HumanWebAuthNAddedEvent {
 	return &HumanWebAuthNAddedEvent{
 		BaseEvent:       *base,
 		WebAuthNTokenID: webAuthNTokenID,
 		Challenge:       challenge,
+		RPID:            rpID,
 	}
 }