Thanks for the information.
If the origin is the same as the one from the web context, the RP backend server has no way to verify the API caller's origin. Since the native API is triggered by the native app, I'm thinking that it's better to return application-specific information in the origin rather than just "https://" + rpID. The Android native FIDO2 API returns the APK certificate hash and Apple App Attest also returns the bundle ID.
I was thinking that it would be good to have this feature in the WebAuthn API, so I filed an issue in the WebAuthn GitHub.
Please refer to this:
https://github.com/w3c/webauthn/issues/1823
If you need me to file this through Feedback Assistant, please let me know.
Thanks for your interest.
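
Added example, not part of the original post: a sketch of the RP-side `origin` check on `clientDataJSON`, showing that an `android:apk-key-hash:` origin identifies the calling app while a bare `"https://" + rpID` origin cannot separate a browser from a native caller. The RP ID, certificate bytes, function names and caller labels are assumptions constructed for the illustration.

```python
import base64
import hashlib
import json

RP_ID = "example.com"            # assumed RP ID
WEB_ORIGIN = "https://" + RP_ID  # origin a browser reports for this RP
# Constructed stand-in for the DER bytes of the Android app's signing certificate.
SAMPLE_CERT_DER = b"constructed-signing-certificate"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for WebAuthn challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def android_origin(cert_der: bytes) -> str:
    """Origin string carrying the SHA-256 hash of the APK signing certificate."""
    return "android:apk-key-hash:" + b64url(hashlib.sha256(cert_der).digest())


# Allowlist keyed by origin. The web origin entry is shared by every caller
# that reports "https://" + rpID, so the label cannot be more specific.
ALLOWED_ORIGINS = {
    WEB_ORIGIN: "web-or-native-unknown",
    android_origin(SAMPLE_CERT_DER): "android-app",
}


def classify_caller(client_data_json: bytes, expected_type: str,
                    expected_challenge: bytes) -> str:
    """Validate type, challenge and origin; return the caller class."""
    data = json.loads(client_data_json)
    if data.get("type") != expected_type:
        raise ValueError("unexpected type")
    if data.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch")
    caller = ALLOWED_ORIGINS.get(data.get("origin"))
    if caller is None:
        raise ValueError("origin not allowed")
    return caller


def make_client_data(origin: str, challenge: bytes,
                     typ: str = "webauthn.get") -> bytes:
    """Build constructed clientDataJSON bytes for the demonstration."""
    return json.dumps({"type": typ, "challenge": b64url(challenge),
                       "origin": origin}).encode()
```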