15

  • I'm trying to develop website authentication using WebAuthn. Unfortunately I've run into a problem. When calling navigator.credentials.create I get the following error:

    SecurityError: The relying party ID 'https://localhost:7000' is not a registrable domain suffix of, nor equal to 'https://localhost:7000'.

Does this really mean I cannot develop WebAuthn from localhost? I'm using Chrome70 beta by the way. Seems kinda insane that I have to develop on a real domain, debugging and development would become a nightmare.

Any ideas about this? Is localhost really forbidden in WebAuthn?

Thanks

Spock
  • 2,482
  • 29
  • 27
  • Have you tried "http://localhost:7000", without https? – grzuy Nov 03 '18 at 01:41
  • 11
    Hi @grzuy - the solution was just to use "localhost" and not port number or protocol. – Spock Nov 04 '18 at 17:01
  • Cool, glad it worked. I think the browser still allows localhost with a specific port, if your server is listening on that port of course. – grzuy Nov 08 '18 at 06:10
  • @Spock were you able to get authentication to work on localhost? – johnnyodonnell Nov 14 '19 at 23:25
  • 1
    @johnnyodonnell yes! it's a long time ago now but I managed to get it to work.. I'm actually planning on dusting off my code (refactor etc) and I think the entire webauthn is much more stabile now.. we're using it in production – Spock Nov 15 '19 at 07:56

1 Answers1

10

There are two ways to get rid of this error message:

  • You don't set the RP ID in the options. In this case it will use the current domain, which is localhost
  • Or you set the RP ID to a valid domain as per the URL specification i.e. no scheme, no port, no user, no password, no path and in this case it is also localhost

More information about the RP ID in the Webauthn specification

Spomky-Labs
  • 15,473
  • 5
  • 40
  • 64