fix: provide domain in session, passkey and u2f (#6097)

This fix provides a possibility to pass a domain on the session, which will be used (as rpID) to create a passkey / u2f assertion and attestation. This is useful in cases where the login UI is served under a different domain / origin than the ZITADEL API.
2025-08-12 11:27:33 +00:00 · 2023-06-27 14:36:07 +02:00
parent d0cda1b479
commit bd5defa96a
32 changed files with 287 additions and 123 deletions
--- a/internal/webauthn/webauthn_test.go
+++ b/internal/webauthn/webauthn_test.go
@@ -14,7 +14,9 @@ import (

 func TestConfig_serverFromContext(t *testing.T) {
 	type args struct {
-		ctx context.Context
+		ctx    context.Context
+		id     string
+		origin string
 	}
 	tests := []struct {
 		name    string
@@ -24,12 +26,12 @@ func TestConfig_serverFromContext(t *testing.T) {
 	}{
 		{
 			name:    "webauthn error",
-			args:    args{context.Background()},
+			args:    args{context.Background(), "", ""},
 			wantErr: caos_errs.ThrowInternal(nil, "WEBAU-UX9ta", "Errors.User.WebAuthN.ServerConfig"),
 		},
 		{
-			name: "success",
-			args: args{authz.WithRequestedDomain(context.Background(), "example.com")},
+			name: "success from ctx",
+			args: args{authz.WithRequestedDomain(context.Background(), "example.com"), "", ""},
 			want: &webauthn.WebAuthn{
 				Config: &webauthn.Config{
 					RPDisplayName: "DisplayName",
@@ -38,6 +40,17 @@ func TestConfig_serverFromContext(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "success from id",
+			args: args{authz.WithRequestedDomain(context.Background(), "example.com"), "external.com", "https://external.com"},
+			want: &webauthn.WebAuthn{
+				Config: &webauthn.Config{
+					RPDisplayName: "DisplayName",
+					RPID:          "external.com",
+					RPOrigins:     []string{"https://external.com"},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -45,7 +58,7 @@ func TestConfig_serverFromContext(t *testing.T) {
 				DisplayName:    "DisplayName",
 				ExternalSecure: true,
 			}
-			got, err := w.serverFromContext(tt.args.ctx)
+			got, err := w.serverFromContext(tt.args.ctx, tt.args.id, tt.args.origin)
 			require.ErrorIs(t, err, tt.wantErr)
 			if tt.want != nil {
 				require.NotNil(t, got)