When running a passkey flow with the native API, what type (or format) of origin information is returned in clientDataJSON?

The WebAuthn API returns the fully qualified origin of the API requester in clientDataJSON. In the case of the native passkey API, which information is returned and what does it look like? I cannot find such information anywhere.

Thanks in advance.

Replies

The origin is considered to be "https://" + <rpID>, where <rpID> is the relyingPartyIdentifier passed to the API (and validated against the app's Associated Domains).

  • So, the RP is not in charge of validating the origin against the given RP ID when the response comes from the native application? Instead, the platform validates the associated domain and the calling application?

    Do I understand that correctly?

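As an added example (not code from the original thread, Apple, or any RP), the snippet below shows what the reply above implies for an RP backend: the origin in clientDataJSON from the native passkey API is exactly "https://" + rpID, so the backend compares it against an explicit allow-list that contains that value plus the web origins it actually serves. It uses exact string matching rather than a suffix match, so an unlisted subdomain or a plain-http origin is rejected. The RP ID example.com, the web origin https://login.example.com, and all clientDataJSON payloads are constructed for the demonstration; a real payload comes from the authenticator or platform.

```python
import base64
import json
import secrets
from typing import Iterable


def b64url_decode(data: str) -> bytes:
    """Decode base64url; WebAuthn omits '=' padding, so re-add it."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def allowed_origins(rp_id: str, web_origins: Iterable[str] = ()) -> frozenset:
    """Origins the RP accepts: the web origins it serves WebAuthn from, plus
    "https://" + rpID, which is what the native passkey API reports."""
    return frozenset({f"https://{rp_id}", *web_origins})


def verify_client_data(client_data_b64: str, expected_type: str,
                       expected_challenge: bytes, origins: frozenset) -> dict:
    """Check type, challenge and origin of a clientDataJSON blob.

    Raises ValueError on any mismatch; returns the parsed dict on success.
    Signature verification over authenticatorData || sha256(clientDataJSON)
    is out of scope here and must still be done by the RP.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError as exc:
        raise ValueError("clientDataJSON is not valid JSON") from exc
    if client_data.get("type") != expected_type:
        raise ValueError(f"unexpected type {client_data.get('type')!r}")
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(challenge, expected_challenge):
        raise ValueError("challenge mismatch")
    origin = client_data.get("origin")
    # Exact match only: no suffix match, no scheme or trailing-slash leniency.
    if origin not in origins:
        raise ValueError(f"origin {origin!r} not allowed")
    return client_data


def make_client_data(origin: str, challenge: bytes, ctype: str = "webauthn.get") -> str:
    """Constructed clientDataJSON for the demo; the platform produces the real one."""
    payload = {"type": ctype, "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode("utf-8"))


def demo() -> dict:
    """Run the origin check over constructed native, web and hostile cases."""
    rp_id = "example.com"  # assumed RP ID, i.e. the relyingPartyIdentifier given to the API
    origins = allowed_origins(rp_id, web_origins=["https://login.example.com"])
    challenge = bytes(range(32))  # constructed; use secrets.token_bytes(32) per ceremony
    cases = {
        "native": ("https://example.com", challenge),          # "https://" + rpID
        "web": ("https://login.example.com", challenge),       # listed web origin
        "unlisted-subdomain": ("https://evil.example.com", challenge),
        "http-scheme": ("http://example.com", challenge),
        "trailing-slash": ("https://example.com/", challenge),
        "wrong-challenge": ("https://example.com", bytes(32)),
    }
    results = {}
    for label, (origin, chal) in cases.items():
        try:
            verify_client_data(make_client_data(origin, chal), "webauthn.get", challenge, origins)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} {outcome}")
```

Because the native origin equals the RP's own apex origin, this check cannot distinguish a native-app caller from a web caller at https://example.com; the binding of app to RP ID is done by the platform through Associated Domains before the assertion is produced.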

If the origin is the same as the one from the web context, the RP backend server has no way to verify the API caller's origin. Since the native API is triggered by the native app, I think it would be better to return application-specific information in the origin rather than just "https://" + rpID. The Android native FIDO2 API returns the APK certificate hash, and Apple App Attest also returns the bundle ID.