Yubikey webauthn authentication only works for one subdomain

[Cyboc]

Hello, I hope I did not miss any post where this issue has already been discussed and maybe resolved. I would appreciate your help with this one:

Problem
My services I want to secure with authelia are using different subdomains (service1.my.domain, service2.my.domain etc.). I registered my yubikey for "service1.my.domain" successfully. However, when trying to access any other service, the yubikey authentication fails with a popup "A unknown error occured" in the web-ui. The authentication with totp works for all services.

Details
When looking at the database entry of the table "webauthn_devices", there is an url specified "service1.my.domain". It is possible to reset the yubikey and make it work for another service, but then it only works for this subdomain.

Question
Is this key only valid for this specific subdomain and therefore service? Or is it a misconfiguration?

[james-d-elliott]

This is mostly a design choice by the W3C when they designed the Webauthn standard. Credentials can only be used on a single origin. We can technically get around this by allowing multiple registrations however the only time we recommend and support using authelia on a subpath is when you do not have the ability to run it as its own subdomain. This is the scenario it was designed for.

[james-d-elliott]

For reference, the multi-registration is coming in 4.38, but I'm dragging my ass a bit on working on it as I don't really enjoy frontend development. However the design goal is specifically for multiple keys, and potentially multiple keys per configured session domain. It's possible it will inadvertently work in this scenario however we will not claim to support this particular scenario and are unlikely to spend a great deal of time working on fixes specifically for it.