WebAuthn API returns fully qualified origin of the API requester in the clientDataJSON. In case of passkey native api, which information is returned and how does it look like? I cannot find such information in anywhere.
Thanks in advance.
The origin is considered to be "https://" + <rpID>, where <rpID> is the relyingPartyIdentifier passed to the API (and validated against the app's Associated Domains).
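As an added illustration (not code from the thread or from Apple), the following server-side check shows how an RP backend would parse clientDataJSON and validate the origin field given the rule above: a native passkey caller reports exactly "https://" + rpID, which is the same string a web page served from the apex domain would report. The RP identifier, the issued challenge, the subdomain allow-list and the `make_client_data` helper are all constructed for the example.

```python
import base64
import json

# Constructed sample values (assumptions for this example, not from the thread):
# the RP's identifier and a challenge the server issued for this ceremony.
RP_ID = "example.com"
ISSUED_CHALLENGE = b"\x01\x02\x03\x04\x05\x06\x07\x08" * 4


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def allowed_origins(rp_id: str) -> set:
    # A native passkey caller reports "https://" + rpID (per the answer above).
    # A web caller reports its page origin; for the apex domain that is the same
    # string, so the two cannot be told apart here. Allowing the "www" subdomain
    # for web callers is an assumed RP policy, not part of the API.
    return {f"https://{rp_id}", f"https://www.{rp_id}"}


def verify_client_data(client_data_b64url: str, expected_type: str,
                       rp_id: str, issued_challenge: bytes) -> dict:
    """Parse clientDataJSON and check type, challenge and origin.

    Raises ValueError on any mismatch; returns the parsed dict on success.
    """
    raw = b64url_decode(client_data_b64url)
    client_data = json.loads(raw.decode("utf-8"))
    if client_data.get("type") != expected_type:
        raise ValueError(f"unexpected type {client_data.get('type')!r}")
    if b64url_decode(client_data.get("challenge", "")) != issued_challenge:
        raise ValueError("challenge does not match the one issued for this ceremony")
    origin = client_data.get("origin")
    if origin not in allowed_origins(rp_id):
        raise ValueError(f"origin {origin!r} is not allowed for rpId {rp_id!r}")
    return client_data


def make_client_data(origin: str, challenge: bytes,
                     ceremony: str = "webauthn.get") -> str:
    """Build a base64url clientDataJSON the way a client would (constructed input)."""
    return b64url_encode(json.dumps({
        "type": ceremony,
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode("utf-8"))


if __name__ == "__main__":
    # A native passkey caller for rpId "example.com" reports this origin.
    native = make_client_data("https://example.com", ISSUED_CHALLENGE)
    print(verify_client_data(native, "webauthn.get", RP_ID, ISSUED_CHALLENGE))
    # An origin outside the RP's domain is rejected.
    try:
        verify_client_data(make_client_data("https://other.example", ISSUED_CHALLENGE),
                           "webauthn.get", RP_ID, ISSUED_CHALLENGE)
    except ValueError as exc:
        print("rejected:", exc)
```

The origin check only binds the assertion to the RP's domain; it does not identify which native app (or which page) made the call, so any app-level identity has to come from elsewhere, not from clientDataJSON.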
If the origin is the same as the one from the web context, the RP backend server has no way to verify the API caller's origin. Since the native API is triggered by the native app, I'm thinking that it's better to return application-specific information in the origin rather than just "https://" + rpID. The Android native FIDO2 API returns the APK certificate hash, and Apple App Attest also returns the bundle ID.