Dealing with “localhost”
aka non-https relying parties
Secured Context
If you are working in a development environment, https may not be available, but the context can still be considered secured. You can bypass the scheme verification by passing the list of rpIds you consider secured.
Please be careful using this feature. It should NOT be used in production.
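The sketch below is an added example, not the library's own code: it shows the kind of origin check this setting relaxes and one way to keep the exemption out of production. The function names, the `dev` environment name and the sample origins are assumptions of this example (PHP 8).

```php
<?php
declare(strict_types=1);

/** Returns the rpIds that may skip the https check; always empty outside dev. */
function securedRpIdsFor(string $appEnv, array $requested): array
{
    if ($appEnv !== 'dev') {
        return [];                    // any other environment: scheme check stays on
    }
    foreach ($requested as $rpId) {
        if ($rpId !== 'localhost') {  // assumption: only loopback may be exempted
            throw new InvalidArgumentException("Refusing secured rpId: {$rpId}");
        }
    }
    return $requested;
}

/** Decides whether the origin reported in clientDataJSON is acceptable for $rpId. */
function isOriginAcceptable(string $origin, string $rpId, array $securedRpIds): bool
{
    $parts = parse_url($origin);
    if (!is_array($parts) || empty($parts['host'])) {
        return false;
    }
    // The origin host must be the rpId itself or one of its subdomains.
    if (!str_ends_with('.' . $parts['host'], '.' . $rpId)) {
        return false;
    }
    // https is required unless the rpId was explicitly declared as secured.
    return ($parts['scheme'] ?? '') === 'https'
        || in_array($rpId, $securedRpIds, true);
}

// Constructed sample values: the same request list in two environments.
$dev  = securedRpIdsFor('dev', ['localhost']);
$prod = securedRpIdsFor('prod', ['localhost']);

// Plain http on localhost, with the dev list and then with the empty prod list.
var_dump(isOriginAcceptable('http://localhost:8000', 'localhost', $dev));
var_dump(isOriginAcceptable('http://localhost:8000', 'localhost', $prod));
// A non-exempt rpId over https, then over http.
var_dump(isOriginAcceptable('https://login.example.com', 'example.com', $prod));
var_dump(isOriginAcceptable('http://login.example.com', 'example.com', $dev));
```

The array returned by `securedRpIdsFor()` is what you would hand to `setSecuredRelyingPartyId()` or pass as the last argument of `check()`.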
The Easy Way
$server->setSecuredRelyingPartyId(['localhost']);
The Hard Way
$publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check(
    $authenticatorAttestationResponse,
    $publicKeyCredentialCreationOptions,
    $serverRequest,
    ['localhost']
);
$publicKeyCredentialSource = $authenticatorAssertionResponseValidator->check(
    $publicKeyCredential->getRawId(),
    $authenticatorAssertionResponse,
    $publicKeyCredentialRequestOptions,
    $request,
    $userHandle,
    ['localhost']
);
The Symfony Way
security:
    firewalls:
        main:
            webauthn:
                secured_rp_ids:
                    - 'localhost'