feat(webauthn): add OriginValidation::Trust to bypass the rp.id check

AlfioEmanueleFresta · AlfioEmanueleFresta · commit fcfce6b4cbb4 · 2026-05-30T17:42:27.000+01:00
diff --git a/libwebauthn/examples/ceremony/webauthn_ble.rs b/libwebauthn/examples/ceremony/webauthn_ble.rs
@@ -2,7 +2,7 @@ use std::error::Error;
 
 use libwebauthn::ops::webauthn::{
     DatFilePublicSuffixList, GetAssertionRequest, JsonFormat, MakeCredentialRequest,
-    MaxRegistrableLabels, RelatedOrigins, RequestOrigin, RequestSettings,
+    MaxRegistrableLabels, OriginValidation, RelatedOrigins, RequestOrigin, RequestSettings,
     ReqwestRelatedOriginsSource, WebAuthnIDLResponse as _,
 };
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
@@ -55,10 +55,12 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 "#;
         let related_origins = ReqwestRelatedOriginsSource::new()?;
         let settings = RequestSettings {
-            public_suffix_list: &psl,
-            related_origins: RelatedOrigins::Enabled {
-                source: &related_origins,
-                max_labels: MaxRegistrableLabels::default(),
+            origin: OriginValidation::Validate {
+                public_suffix_list: &psl,
+                related_origins: RelatedOrigins::Enabled {
+                    source: &related_origins,
+                    max_labels: MaxRegistrableLabels::default(),
+                },
             },
         };
         let make_credentials_request: MakeCredentialRequest =
diff --git a/libwebauthn/examples/ceremony/webauthn_cable.rs b/libwebauthn/examples/ceremony/webauthn_cable.rs
@@ -12,7 +12,7 @@ use qrcode::QrCode;
 
 use libwebauthn::ops::webauthn::{
     DatFilePublicSuffixList, JsonFormat, MakeCredentialRequest, MaxRegistrableLabels,
-    RelatedOrigins, RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource,
+    OriginValidation, RelatedOrigins, RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource,
     WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::{Channel as _, Device};
@@ -61,10 +61,12 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     );
     let related_origins = ReqwestRelatedOriginsSource::new()?;
     let settings = RequestSettings {
-        public_suffix_list: &psl,
-        related_origins: RelatedOrigins::Enabled {
-            source: &related_origins,
-            max_labels: MaxRegistrableLabels::default(),
+        origin: OriginValidation::Validate {
+            public_suffix_list: &psl,
+            related_origins: RelatedOrigins::Enabled {
+                source: &related_origins,
+                max_labels: MaxRegistrableLabels::default(),
+            },
         },
     };
 
diff --git a/libwebauthn/examples/ceremony/webauthn_cable_wss.rs b/libwebauthn/examples/ceremony/webauthn_cable_wss.rs
@@ -14,8 +14,8 @@ use qrcode::QrCode;
 use tokio::time::sleep;
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RelatedOrigins, RequestOrigin,
-    RequestSettings, SystemPublicSuffixList, WebAuthnIDLResponse as _,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, OriginValidation, RelatedOrigins,
+    RequestOrigin, RequestSettings, SystemPublicSuffixList, WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::cable::channel::CableChannel;
 use libwebauthn::transport::{Channel as _, Device};
@@ -99,8 +99,10 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
             &request_origin,
             MAKE_CREDENTIAL_REQUEST,
             &RequestSettings {
-                public_suffix_list: &psl,
-                related_origins: RelatedOrigins::Disabled,
+                origin: OriginValidation::Validate {
+                    public_suffix_list: &psl,
+                    related_origins: RelatedOrigins::Disabled,
+                },
             },
         )
         .await
@@ -166,8 +168,10 @@ async fn run_get_assertion(
         request_origin,
         GET_ASSERTION_REQUEST,
         &RequestSettings {
-            public_suffix_list: psl,
-            related_origins: RelatedOrigins::Disabled,
+            origin: OriginValidation::Validate {
+                public_suffix_list: psl,
+                related_origins: RelatedOrigins::Disabled,
+            },
         },
     )
     .await
diff --git a/libwebauthn/examples/ceremony/webauthn_hid.rs b/libwebauthn/examples/ceremony/webauthn_hid.rs
@@ -2,9 +2,9 @@ use std::error::Error;
 use std::time::Duration;
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, MaxRegistrableLabels, RelatedOrigins,
-    RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource, SystemPublicSuffixList,
-    WebAuthnIDLResponse as _,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, MaxRegistrableLabels, OriginValidation,
+    RelatedOrigins, RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource,
+    SystemPublicSuffixList, WebAuthnIDLResponse as _,
 };
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
 use libwebauthn::transport::hid::list_devices;
@@ -35,10 +35,12 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         );
         let related_origins = ReqwestRelatedOriginsSource::new()?;
         let settings = RequestSettings {
-            public_suffix_list: &psl,
-            related_origins: RelatedOrigins::Enabled {
-                source: &related_origins,
-                max_labels: MaxRegistrableLabels::default(),
+            origin: OriginValidation::Validate {
+                public_suffix_list: &psl,
+                related_origins: RelatedOrigins::Enabled {
+                    source: &related_origins,
+                    max_labels: MaxRegistrableLabels::default(),
+                },
             },
         };
         let request_json = r#"
diff --git a/libwebauthn/examples/ceremony/webauthn_nfc.rs b/libwebauthn/examples/ceremony/webauthn_nfc.rs
@@ -1,9 +1,9 @@
 use std::error::Error;
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, MaxRegistrableLabels, RelatedOrigins,
-    RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource, SystemPublicSuffixList,
-    WebAuthnIDLResponse as _,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, MaxRegistrableLabels, OriginValidation,
+    RelatedOrigins, RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource,
+    SystemPublicSuffixList, WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::nfc::{get_nfc_device, is_nfc_available};
 use libwebauthn::transport::{Channel as _, Device};
@@ -33,10 +33,12 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     );
     let related_origins = ReqwestRelatedOriginsSource::new()?;
     let settings = RequestSettings {
-        public_suffix_list: &psl,
-        related_origins: RelatedOrigins::Enabled {
-            source: &related_origins,
-            max_labels: MaxRegistrableLabels::default(),
+        origin: OriginValidation::Validate {
+            public_suffix_list: &psl,
+            related_origins: RelatedOrigins::Enabled {
+                source: &related_origins,
+                max_labels: MaxRegistrableLabels::default(),
+            },
         },
     };
     let make_credentials_request = MakeCredentialRequest::prepare(
diff --git a/libwebauthn/src/lib.rs b/libwebauthn/src/lib.rs
@@ -32,7 +32,7 @@
 //!
 //! ```no_run
 //! use libwebauthn::ops::webauthn::{
-//!     MakeCredentialRequest, RelatedOrigins, RequestOrigin, RequestSettings,
+//!     MakeCredentialRequest, OriginValidation, RelatedOrigins, RequestOrigin, RequestSettings,
 //!     SystemPublicSuffixList,
 //! };
 //! use libwebauthn::transport::hid::list_devices;
@@ -51,8 +51,10 @@
 //!     let origin: RequestOrigin = "https://example.org".try_into().expect("invalid origin");
 //!     let psl = SystemPublicSuffixList::auto().expect("public suffix list unavailable");
 //!     let settings = RequestSettings {
-//!         public_suffix_list: &psl,
-//!         related_origins: RelatedOrigins::Disabled,
+//!         origin: OriginValidation::Validate {
+//!             public_suffix_list: &psl,
+//!             related_origins: RelatedOrigins::Disabled,
+//!         },
 //!     };
 //!     let request_json = r#"{ "rp": { "id": "example.org", "name": "Example" } }"#; // abbreviated
 //!     let request =
diff --git a/libwebauthn/src/ops/webauthn/get_assertion.rs b/libwebauthn/src/ops/webauthn/get_assertion.rs
@@ -663,7 +663,7 @@ mod tests {
         HttpClientError, MaxRegistrableLabels, RelatedOrigins, RelatedOriginsError,
         RelatedOriginsSource,
     };
-    use crate::ops::webauthn::{GetAssertionRequest, RequestOrigin};
+    use crate::ops::webauthn::{GetAssertionRequest, OriginValidation, RequestOrigin};
     use crate::proto::ctap2::Ctap2PublicKeyCredentialType;
 
     use super::*;
@@ -715,8 +715,10 @@ mod tests {
             origin,
             json,
             &RequestSettings {
-                public_suffix_list: psl,
-                related_origins,
+                origin: OriginValidation::Validate {
+                    public_suffix_list: psl,
+                    related_origins,
+                },
             },
         )
         .await
@@ -834,6 +836,22 @@ mod tests {
         ));
     }
 
+    #[tokio::test]
+    async fn origin_trust_accepts_mismatching_rp_id() {
+        let request_origin: RequestOrigin = "https://app.example.org".parse().unwrap();
+        let req_json = json_field_add(REQUEST_BASE_JSON, "rpId", r#""example.com""#);
+        let req = GetAssertionRequest::prepare(
+            &request_origin,
+            &req_json,
+            &RequestSettings {
+                origin: OriginValidation::Trust,
+            },
+        )
+        .await
+        .unwrap();
+        assert_eq!(req.relying_party_id, "example.com");
+    }
+
     #[tokio::test]
     async fn test_request_from_json_rp_id_is_parent_registrable_suffix() {
         // origin = login.example.org, rp.id = example.org -> accepted.
diff --git a/libwebauthn/src/ops/webauthn/idl/mod.rs b/libwebauthn/src/ops/webauthn/idl/mod.rs
@@ -26,11 +26,23 @@ use super::related_origins::{validate_related_origins, RelatedOrigins};
 
 pub type JsonError = serde_json::Error;
 
-/// Dependencies for origin validation: the Public Suffix List (rp.id suffix
-/// check and related-origins matching) and the related-origins policy.
+/// Per-request settings (currently just the origin-validation policy).
 pub struct RequestSettings<'a> {
-    pub public_suffix_list: &'a dyn PublicSuffixList,
-    pub related_origins: RelatedOrigins<'a>,
+    pub origin: OriginValidation<'a>,
+}
+
+/// How the caller origin is validated against the request rp.id.
+pub enum OriginValidation<'a> {
+    /// Trust the caller's origin to rp.id binding with no check, for callers
+    /// that have already validated it (e.g. a browser). Misuse defeats phishing
+    /// resistance, so the caller owns that decision.
+    Trust,
+    /// Validate rp.id against the caller origin: a registrable suffix of the
+    /// effective domain, then related origins on mismatch.
+    Validate {
+        public_suffix_list: &'a dyn PublicSuffixList,
+        related_origins: RelatedOrigins<'a>,
+    },
 }
 
 /// Builds a request from its parsed IDL model, validating origin against rp.id.
@@ -48,19 +60,26 @@ where
     ) -> Result<Self, Self::Error>;
 }
 
-/// Whether `request_origin` may act for `rp_id`: a registrable suffix of the
-/// caller's effective domain, or a matching related origin when enabled.
+/// Whether `request_origin` may act for `rp_id`. `Trust` accepts any rp.id;
+/// `Validate` requires a registrable suffix of the caller's effective domain or
+/// a matching related origin.
 pub(crate) async fn rp_id_authorised(
     request_origin: &RequestOrigin,
     rp_id: &RelyingPartyId,
     settings: &RequestSettings<'_>,
 ) -> bool {
+    let (public_suffix_list, related_origins) = match &settings.origin {
+        OriginValidation::Trust => return true,
+        OriginValidation::Validate {
+            public_suffix_list,
+            related_origins,
+        } => (*public_suffix_list, related_origins),
+    };
     let effective_rp_id = request_origin.origin.host.as_str();
-    if is_registrable_domain_suffix_or_equal(&rp_id.0, effective_rp_id, settings.public_suffix_list)
-    {
+    if is_registrable_domain_suffix_or_equal(&rp_id.0, effective_rp_id, public_suffix_list) {
         return true;
     }
-    match &settings.related_origins {
+    match related_origins {
         RelatedOrigins::Disabled => false,
         RelatedOrigins::Enabled { source, max_labels } => {
             match source.allowed_origins(rp_id).await {
@@ -71,7 +90,7 @@ pub(crate) async fn rp_id_authorised(
                 Ok(origins) => match validate_related_origins(
                     &request_origin.origin,
                     &origins,
-                    settings.public_suffix_list,
+                    public_suffix_list,
                     *max_labels,
                 ) {
                     Ok(()) => true,
diff --git a/libwebauthn/src/ops/webauthn/make_credential.rs b/libwebauthn/src/ops/webauthn/make_credential.rs
@@ -702,7 +702,7 @@ mod tests {
         HttpClientError, MaxRegistrableLabels, RelatedOrigins, RelatedOriginsError,
         RelatedOriginsSource,
     };
-    use crate::ops::webauthn::{MakeCredentialRequest, RequestOrigin};
+    use crate::ops::webauthn::{MakeCredentialRequest, OriginValidation, RequestOrigin};
     use crate::proto::ctap2::Ctap2PublicKeyCredentialType;
 
     use super::*;
@@ -754,8 +754,10 @@ mod tests {
             origin,
             json,
             &RequestSettings {
-                public_suffix_list: psl,
-                related_origins,
+                origin: OriginValidation::Validate {
+                    public_suffix_list: psl,
+                    related_origins,
+                },
             },
         )
         .await
@@ -1095,6 +1097,48 @@ mod tests {
         ));
     }
 
+    #[tokio::test]
+    async fn origin_trust_accepts_mismatching_rp_id() {
+        let request_origin: RequestOrigin = "https://app.example.org".parse().unwrap();
+        let req_json = json_field_add(
+            REQUEST_BASE_JSON,
+            "rp",
+            r#"{"id": "example.com", "name": "example.com"}"#,
+        );
+        let req = MakeCredentialRequest::prepare(
+            &request_origin,
+            &req_json,
+            &RequestSettings {
+                origin: OriginValidation::Trust,
+            },
+        )
+        .await
+        .unwrap();
+        assert_eq!(req.relying_party.id, "example.com");
+    }
+
+    #[tokio::test]
+    async fn origin_trust_still_rejects_invalid_rp_id() {
+        let request_origin: RequestOrigin = "https://example.org".parse().unwrap();
+        let req_json = json_field_add(
+            REQUEST_BASE_JSON,
+            "rp",
+            r#"{"id": "example.org.", "name": "example.org"}"#,
+        );
+        let result = MakeCredentialRequest::prepare(
+            &request_origin,
+            &req_json,
+            &RequestSettings {
+                origin: OriginValidation::Trust,
+            },
+        )
+        .await;
+        assert!(matches!(
+            result,
+            Err(MakeCredentialPrepareError::InvalidRelyingPartyId(_))
+        ));
+    }
+
     #[tokio::test]
     async fn test_request_from_json_mismatching_rp_id() {
         let request_origin: RequestOrigin = "https://example.org".parse().unwrap();
diff --git a/libwebauthn/src/ops/webauthn/mod.rs b/libwebauthn/src/ops/webauthn/mod.rs
@@ -21,8 +21,8 @@ pub use idl::{
     rpid::RelyingPartyId,
     AuthenticationExtensionsClientOutputsJSON, AuthenticationResponseJSON,
     AuthenticatorAssertionResponseJSON, AuthenticatorAttestationResponseJSON, Base64UrlString,
-    JsonFormat, RegistrationResponseJSON, RequestSettings, ResponseSerializationError,
-    WebAuthnIDLResponse,
+    JsonFormat, OriginValidation, RegistrationResponseJSON, RequestSettings,
+    ResponseSerializationError, WebAuthnIDLResponse,
 };
 pub use make_credential::{
     CredentialPropsExtension, CredentialProtectionExtension, CredentialProtectionPolicy,
diff --git a/libwebauthn/tests/related_origins.rs b/libwebauthn/tests/related_origins.rs
@@ -6,7 +6,7 @@ use async_trait::async_trait;
 
 use libwebauthn::ops::webauthn::{
     GetAssertionRequest, HttpClient, HttpClientError, MakeCredentialRequest, MaxRegistrableLabels,
-    PublicSuffixList, RelatedOrigins, RequestOrigin, RequestSettings,
+    OriginValidation, PublicSuffixList, RelatedOrigins, RequestOrigin, RequestSettings,
     WellKnownRelatedOriginsSource,
 };
 
@@ -86,10 +86,12 @@ fn settings<'a>(
     source: &'a WellKnownRelatedOriginsSource<StaticHttp>,
 ) -> RequestSettings<'a> {
     RequestSettings {
-        public_suffix_list: psl,
-        related_origins: RelatedOrigins::Enabled {
-            source,
-            max_labels: MaxRegistrableLabels::default(),
+        origin: OriginValidation::Validate {
+            public_suffix_list: psl,
+            related_origins: RelatedOrigins::Enabled {
+                source,
+                max_labels: MaxRegistrableLabels::default(),
+            },
         },
     }
 }
