I'm trying to implement passkeys, more or less like https://react.demo.allauth.org/account/login. It works on localhost, but when I deploy my application I'm not able to log in, because the rpId contains my back-end domain (api.example.com), which is a subdomain of my front-end domain (example.com):
SecurityError: The requested RPID did not match the origin or related origins.
The example project at https://react.demo.allauth.org/account/login has a similar structure, since its back-end runs on a subdomain (api.react.demo.allauth.org) of the front-end domain (react.demo.allauth.org). When I click "sign in with passkey" there, the response contains the right Relying Party ID:
{
  "status": 200,
  "data": {
    "request_options": {
      "publicKey": {
        "challenge": "_5CEZrt...",
        "rpId": "react.demo.allauth.org",
        "allowCredentials": [],
        "userVerification": "preferred"
      }
    }
  }
}
In my case the rpId is "api.example.com". How do I change the value of this field so it is "example.com"?
I can't find anything in the docs, so I've tried some guesses: setting SESSION_COOKIE_DOMAIN to example.com, and adding django.contrib.sites so my requests use a Site with domain and name example.com. But so far nothing has affected the rpId property.
Fixed it by adding this to settings.py:
MFA_ADAPTER = "myproject.mfaAdapter.MFAAdapter"
and in myproject/mfaAdapter.py:
from typing import Dict

from allauth.mfa.adapter import DefaultMFAAdapter


class MFAAdapter(DefaultMFAAdapter):
    def get_public_key_credential_rp_entity(self) -> Dict[str, str]:
        # Use the front-end's registrable domain as the RP ID. The browser only
        # accepts an RP ID that equals the calling origin's domain or is a parent
        # domain of it, so "example.com" is valid from both example.com and
        # api.example.com, while "api.example.com" is rejected from example.com.
        return {
            "id": "example.com",
            "name": "example.com",
        }
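The SecurityError in the question and the adapter override in the answer both come down to one browser rule: the rpId in the options must equal the effective domain of the origin that calls navigator.credentials.get(), or be a parent (registrable) domain of it, matched on a dot boundary. The following is an added example, not code from the question, the answer or django-allauth, that applies that rule to server-generated request options before they reach the browser, and picks the longest RP ID shared by a front-end and back-end origin. Assumptions: browsers additionally consult the Public Suffix List to reject RP IDs such as "co.uk", which this stand-alone version approximates by refusing single-label RP IDs; the localhost handling is limited to the bare host "localhost"; the sample options dicts are constructed here to mirror the response shape shown in the question.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Hosts treated as a secure context even over plain http.
# Assumption: only bare "localhost"; real browsers also allow e.g. 127.0.0.1.
SECURE_HTTP_HOSTS = {"localhost"}


def effective_domain(origin: str) -> str:
    """Return the lower-cased host of an origin such as "https://api.example.com:8443".

    Raises ValueError for origins WebAuthn rejects outright: no host, or a
    scheme that does not give a secure context.
    """
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"origin has no host: {origin!r}")
    secure = parts.scheme == "https" or (parts.scheme == "http" and host in SECURE_HTTP_HOSTS)
    if not secure:
        raise ValueError(f"WebAuthn requires a secure context, got {origin!r}")
    return host


def rp_id_is_valid_for_origin(rp_id: str, origin: str) -> bool:
    """The check the browser performs: RP ID == effective domain, or a parent domain of it.

    Suffix matching is on a label boundary, so "ample.com" is not a parent of
    "example.com". Single-label RP IDs are refused (assumption standing in for
    the Public Suffix List), except "localhost" on a localhost origin.
    """
    rp_id = rp_id.lower().rstrip(".")
    host = effective_domain(origin)
    if "." not in rp_id:
        return host == rp_id and host in SECURE_HTTP_HOSTS
    return host == rp_id or host.endswith("." + rp_id)


def common_rp_id(*origins: str) -> Optional[str]:
    """Longest RP ID valid for every origin given (e.g. front-end and API), or None.

    Walks the domain labels from the right and keeps the shared tail; a tail
    shorter than two labels would be a bare TLD, which is never a valid RP ID.
    """
    reversed_labels = [effective_domain(o).split(".")[::-1] for o in origins]
    shared: List[str] = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    if len(shared) < 2:
        return None
    return ".".join(reversed(shared))


def check_request_options(request_options: Dict, origin: str) -> List[str]:
    """Lint a server-generated request_options dict against the front-end origin.

    Returns a list of problems; an empty list means the browser will not raise
    "The requested RPID did not match the origin" for this origin.
    """
    problems: List[str] = []
    public_key = request_options.get("publicKey") or {}
    if not public_key.get("challenge"):
        problems.append("challenge is missing")
    rp_id = public_key.get("rpId")
    if not rp_id:
        problems.append("rpId is missing")
        return problems
    try:
        if not rp_id_is_valid_for_origin(rp_id, origin):
            problems.append(
                f"rpId {rp_id!r} is neither the effective domain of {origin!r} "
                "nor a parent domain of it"
            )
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample data mirroring the shape of the response in the question.
BROKEN_OPTIONS = {"publicKey": {"challenge": "_5CEZrt...", "rpId": "api.example.com",
                                "allowCredentials": [], "userVerification": "preferred"}}
FIXED_OPTIONS = {"publicKey": {"challenge": "_5CEZrt...", "rpId": "example.com",
                               "allowCredentials": [], "userVerification": "preferred"}}

if __name__ == "__main__":
    print(check_request_options(BROKEN_OPTIONS, "https://example.com"))
    print(check_request_options(FIXED_OPTIONS, "https://example.com"))
    print(common_rp_id("https://example.com", "https://api.example.com"))
```

Running check_request_options on the options your back-end actually returns, with the origin your front-end is served from, reproduces the browser's decision on the server side, so a misconfigured RP ID fails a unit test instead of a production login. common_rp_id is the value to hard-code (or derive from settings) in the adapter's get_public_key_credential_rp_entity when the API lives on a subdomain of the front-end.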