Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome  |  Blog  |  Chrome for Developers (2024)

Table of Contents
Hints JSON serialization Learn more

Chrome 128 and 129 introduces exciting new features for WebAuthn—theunderlying API to build passkey-based authentication systems.

Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (1)

Eiji Kitamura

  • Hints: Hints give relying parties (RPs) better control over WebAuthnUI in the browser. They are especially helpful for enterprise users who wantto use security keys.
  • Related origin requests: With related originrequests, RPs can make passkeys valid on multiple domains. If you own multiplesites, you can now enable your users to reuse their passkey across your sites,eliminating login friction.
  • JSON serialization: JSON serialization APIs let you simplify an RP's frontend code by encoding and decoding options andcredentials passed to and from WebAuthn API.

Hints

With hints, relying parties (RP) can now specify UI preferences for creating apasskey or authenticating with a passkey.

Previously, when an RP wanted to restrict the authenticator the user can use tocreate a passkey or to authenticate with, they could useauthenticatorSelection.authenticatorAttachment to specify "platform" or"cross-platform". They respectively limit the authenticator to a platformauthenticatoror a roamingauthenticator.With hints, this specification can be more flexible.

The RP can use optional hints in the PublicKeyCredentialCreationOptions orPublicKeyCredentialRequestOptions to specify "security-key","client-device" and "hybrid" in a preference order in an array.

The following is an example credential creation request that prefers"cross-platform" authenticators with "security-key" as a hint. This tellsChrome to show a security key focused UI for enterprise users.

const credential = await navigator.credentials.create({ publicKey: { challenge: *****, hints: ['security-key'], authenticatorSelection: { authenticatorAttachment: 'cross-platform' } }});
Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (2)

When an RP wants to prioritize a cross-device verification scenario, they cansend an authentication request that prefers "cross-platform" authenticatorswith "hybrid" as a hint.

const credential = await navigator.credentials.create({ publicKey: { challenge: *****, residentKey: true, hints: ['hybrid'] authenticatorSelection: { authenticatorAttachment: 'cross-platform' } }});
Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (3)

With Related OriginRequests, RPs canmake passkeys usable from multiple domains. Building a centralized loginexperience and using federation protocols remains the recommended solution formost sites. But if you own multiple domains and federation isn't possible,related origins may be a solution.

All WebAuthn requests must specify a relying party ID (RP ID), and all passkeysare associated with a single RP ID. Traditionally, an origin could only specifyan RP ID based on its domain, so in that case www.example.co.uk could specifyan RP ID of example.co.uk, but not example.com. With Related OriginRequests, a claimed RP ID can be validated by fetching a well-known JSON filelocated at /.well-known/webauthn from the target domain. So example.co.uk(and example.in, example.de, and so on) could all use an RP ID ofexample.com if example.com specifies them in the following format:

URL: https://example.com/.well-known/webauthn

{ "origins": [ "https://example.co.uk", "https://example.de", "https://example.sg", "https://example.net", "https://exampledelivery.com", "https://exampledelivery.co.uk", "https://exampledelivery.de", "https://exampledelivery.sg", "https://myexamplerewards.com", "https://examplecars.com" ]}

Learn how to set up Related Origin Requests at Allow passkey reuse across yoursites with Related OriginRequests.

JSON serialization

WebAuthn request and response objects have multiple fields that contain rawbinary data in an ArrayBuffer, such as the credential ID, user ID, or challenge.If a website wants to use JSON to exchange this data with its server, the binarydata must first be encoded, for example with Base64URL. This adds unnecessarycomplexity for developers that want to start using passkeys on their websites.

WebAuthn now offers APIs to parsePublicKeyCredentialCreationOptionsandPublicKeyCredentialRequestOptionsWebAuthn request objects directly from JSON, and serialize thePublicKeyCredentialresponse directly into JSON. All ArrayBuffer-valued fields that carry raw binarydata are automatically converted from or to their Base64URL-encoded values.These APIs are available from Chrome 129.

Before creating a passkey, fetch a JSON encodedPublicKeyCredentialCreationOptions object from the server and decode it usingPublicKeyCredential.parseCreationOptionsFromJSON().

Browser Support

  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (4) 129
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (5) 129
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (6) 119
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (7) x

Source

export async function registerCredential() { // Fetch encoded `PublicKeyCredentialCreationOptions` // and JSON decode it. const options = await fetch('/auth/registerRequest').json(); // Decode `PublicKeyCredentialCreationOptions` JSON object const decodedOptions = PublicKeyCredential.parseCreationOptionsFromJSON(options); // Invoke the WebAuthn create() function. const cred = await navigator.credentials.create({ publicKey: decodedOptions, }); ...

After creating a passkey, encode the resulting credential using toJSON() sothat it can be sent to the server.

Browser Support

  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (8) 129
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (9) 129
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (10) 119
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (11) x

Source

 ... const cred = await navigator.credentials.create({ publicKey: options, }); // Encode the credential to JSON and stringify const credential = JSON.stringify(cred.toJSON()); // Send the encoded credential to the server await fetch('/auth/registerResponse', credential); ...

Before authenticating with a passkey, fetch a JSON encodedPublicKeyRequestCreationOptions from the server and decode it usingPublicKeyCredential.parseRequestOptionsFromJSON().

Browser Support

  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (12) 129
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (13) 129
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (14) 119
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (15) x

Source

export async function authenticate() { // Fetch encoded `PublicKeyCredentialRequestOptions` // and JSON decode it. const options = await fetch('/auth/signinRequest').json(); // Decode `PublicKeyCredentialRequestOptions` JSON object const decodedOptions = PublicKeyCredential.parseRequestOptionsFromJSON(options); // Invoke the WebAuthn get() function. const cred = await navigator.credentials.get({ publicKey: options }); ...

After authenticating with a passkey, encode the resulting credential usingtoJSON() method so that it can be sent to the server.

Browser Support

  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (16) 129
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (17) 129
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (18) 119
  • Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome | Blog | Chrome for Developers (19) x

Source

 ... const cred = await navigator.credentials.get({ publicKey: options }); // Encode the credential to JSON and stringify const credential = JSON.stringify(cred.toJSON()); // Send the encoded credential to the server await fetch(`/auth/signinResponse`, credential); ...

Learn more

To learn more about WebAuthn and passkeys, check out the following resources:

Introducing hints, Related Origin Requests and JSON serialization for WebAuthn in Chrome  |  Blog  |  Chrome for Developers (2024)
Top Articles
Easy Haupia Recipe aka Hawaiian Coconut Pudding
Sourdough Danish Pastries: Step by Step Recipe - Aberle Home
LOST JEEPS • View forum
Zuercher Portal Inmates Clinton Iowa
Nerdwallet Chase
Myra's Floral Princeton Wv
Why Does It Say I Have 0 Followers on TikTok?
Episode 163 – Succession and Legacy • History of the Germans Podcast
104 Whiley Road Lancaster Ohio
Pollen Levels Richmond
Cheap Boats For Sale Craigslist
Nazir Afzal on the BBC: ‘Powerful predators were allowed to behave terribly on an industrial level’
Pooch Parlor Covington Tn
Champion Enchant Skyblock
FREE Houses! All You Have to Do Is Move Them. - CIRCA Old Houses
Dbd Wesker Build
Tammi Light Obituary
Craigslist Tools Las Cruces Nm
Brianna Aerial Forum
When modern Eurasia was born: Genetics yield clues to origins of Eurasians
Huniepop Jessie Questions And Answers
COUNTRY VOL 1 EICHBAUM COLLECTION (2024) WEB [FLAC] 16BITS 44 1KHZ
Covenant Funeral Service Stafford Obituaries
Mylaheychart Login
Walgreens Shopper Says Staff “Threatened” And “Stalked” Her After She Violated The “Dress Code”
Dumb Money, la recensione: Paul Dano e quel film biografico sul caso GameStop
Eotech Eflx Torque Specs
Loss Payee And Lienholder Addresses And Contact Information Updated Daily Free List Bank Of America
Milf Lingerie Caption
Ekaterina Lisina Wiki
Fox News Live Stream USA HD - USNewsON
The Quiet Girl Showtimes Near Landmark Plaza Frontenac
Sun Commercial Obituaries
Fto Kewanee
Korslien Auction
Alex Galindo And Leslie Quezada Net Worth 2022
Leccion 4 Lesson Test
Bakkesmod Preset
Rbgfe
Xdefiant turn off crossplay ps5 cмотреть на RuClips.ru
Witchwood Icon
Mvsu Canvas
Www.craiglist.com San Antonio
Dicks: The Musical Showtimes Near Regal Galleria Mall
Ihop Ralph Ave
Booknet.com Contract Marriage 2
Craigslist In Killeen Tx
Jesus Calling December 1 2022
Duxa.io Reviews
Lhhouston Photos
The Enchanted Library - FiMFetch.net
Latest Posts
Article information

Author: Stevie Stamm

Last Updated:

Views: 6454

Rating: 5 / 5 (60 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Stevie Stamm

Birthday: 1996-06-22

Address: Apt. 419 4200 Sipes Estate, East Delmerview, WY 05617

Phone: +342332224300

Job: Future Advertising Analyst

Hobby: Leather crafting, Puzzles, Leather crafting, scrapbook, Urban exploration, Cabaret, Skateboarding

Introduction: My name is Stevie Stamm, I am a colorful, sparkling, splendid, vast, open, hilarious, tender person who loves writing and wants to share my knowledge and understanding with you.