Related Origin Requests
The Related Origin Requests (ROR) feature allows an RP to enable a passkey to be created and used across a limited set of related origins.
The two use cases for Related Origin Requests (ROR) are deployments which use different country code top-level domains (ccTLD) across the world, and deployments where different branding is used for different services.
To address these use cases, it is recommended to leverage industry-standard federation protocols such as OpenID Connect. This approach facilitates a centralized login experience, by using a dedicated login page (e.g., login.example.com) that serves as the authentication point for all origins and services.
ROR is designed to be used when federation is not possible.
Note
ROR is a WebAuthn feature for the web. App platforms have existing mechanisms for mapping native apps to one or more web origins: Digital Asset Links for Android and Associated Domains on Apple platforms.
Many global organizations utilize
country code top level domains (ccTLDs) to cater to their international services. For instance, a shopping website might use shopping.com for users in the United States, while also having shopping.ca for Canada, shopping.co.uk for the United Kingdom, shopping.ie for Ireland, and shopping.sg for Singapore, among others. However, a passkey created on shopping.com can’t be used on shopping.sg, and vice versa.
Some organizations offer additional services with different or extended branding and share the same accounts. For instance, a shopping site might have their own credit card or their own travel services, which are accessed via different websites.
Related Origin Requests (ROR) works by allowing a Relying Party (RP) to provide a list of valid origins for a given Relying Party ID (RP ID).
During a WebAuthn ceremony, if the RP ID and origin do not match, the WebAuthn client can query the RP for a list of valid origins. The client processes that origin list and then re-evaluates the binding based on this additional context. If an origin is matched, the client will continue with the request in the context of the RP ID.
A label, in the context of this feature, is the name directly preceding the
effective top level domain. For instance, shopping is the label for https://shopping.com, https://shopping.co.uk, https://shopping.co.jp, https://shopping.net, and https://shopping.org. Labels are used as a way to support the large number of entries required to support
ccTLDs, while enabling clients to restrict the number of unique origins to prevent abuse.
If there are 30 origins in the list, all with the same label, these count as 1 unique label. WebAuthn requires client implementations to support at least 5 unique labels, however there are no known clients which support more than 5, so that should be treated as the maximum for deployments.
Below are three examples of origin lists and their respective label counts.
The Device Support matrix lists the browsers which support Related Origin Requests. The Passkeys Feature Detect page will also attempt to detect ROR support in the browser in which the page was loaded.
To dynamically detect support for Related Origin Requests on an enrollment or login page, Relying Parties should check for relatedOrigins in the
WebAuthn Get Client Capabilities (PublicKeyCredential.getClientCapabilities()) response.
A JSON document must be hosted at the WebAuthn well-known path for the Relying Party ID, /.well-known/webauthn.
For example, if the RP ID is shopping.com, the full URL would be https://shopping.com/.well-known/webauthn.
The server must respond with a content type of application/json.
The JSON document must have a member named origins, containing an array of valid origins for use with passkeys scoped for the RP ID.
See Deployment Considerations below for details on choosing an RP ID.
Below is an example for the RP ID shopping.com.
The most important design decision for a greenfield deployment using ROR is picking a common Relying Party ID (RP ID) to be used for passkeys across all origins. All WebAuthn requests across all related origins will use that as rp.id.
It is recommended to pick the most commonly used and/or understood domain for the common RP ID. This is typically the domain closely associated with the organization’s brand, and is often the .com.
For deployments where passkeys are already rolled out with multiple RP IDs, there are some unique considerations and requirements.
This flow assumes the autofill UI for passkeys is being used.
In this example, passkeys have previously been rolled out to the following users:
https://shopping.com users, with an RP ID of shopping.comhttps://shopping.co.uk users, with an RP ID of shopping.co.ukA user with a passkey for shopping.com navigates to https://shopping.com, clicks into the username field, selects their passkey, performs user verification, and is then signed in!
A user with a passkey for shopping.co.uk has traveled to the US and navigates to https://shopping.co.uk. Based on location data, the user is redirected to https://shopping.com. They click into the username field and do not see any passkey available. They then type their username and click continue. A backend lookup occurs, and WebAuthn is now invoked with an RP ID of shopping.co.uk and the user selects their passkey, performs user verification, and is signed in!