RelyingParty should support a list of origins

While implementing Webauthn for Web + Mobile I found that Android requires using the [APK hash as the `origin`](https://developer.android.com/training/sign-in/passkeys#verify-origin). It is valid to have a list of valid origins per [13.4.9 Validating the origin of a credential](https://w3c.github.io/webauthn/#sctn-validating-origin).

This means that if you want to implement both Web and Mobile authentication you currently need to create multiple RelyingParty instances, but I think per the spec it would make more sense for RelyingParty to replace `origin` with `accepted_origins` that is an array of origins that can be validated against.

The rename helps clarify that the origins listed are not a property of the RelyingParty itself, but of the client per [the definitiion](https://w3c.github.io/webauthn/#dom-collectedclientdata-origin).

Does this make sense?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

RelyingParty should support a list of origins #428

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

RelyingParty should support a list of origins #428

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions