Add support for Related Origin Requests with passkeys#2828
Merged
varjolintu merged 3 commits intodevelopfrom Feb 16, 2026
Merged
Add support for Related Origin Requests with passkeys#2828varjolintu merged 3 commits intodevelopfrom
varjolintu merged 3 commits intodevelopfrom
Conversation
Member
Author
|
Possibly the maximum amount of labels needs to be increased. For example Amazon has 56 labels in the list: |
Member
Author
|
This is also needed for authentication. |
varjolintu
commented
Jan 18, 2026
Member
|
Since this bumps minimum browser version, this might be a change for 1.10.0 instead of a minor release. |
droidmonkey
approved these changes
Feb 16, 2026
varjolintu
force-pushed
the
feature/passkeys_related_origin_requests
branch
from
4d75d1e to
5e876f0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds support for Related Origin Requests for passkeys. The specification for this is available here: https://www.w3.org/TR/webauthn-3/#sctn-related-origins
In short, the RP ID domain is requested for a list of related origins that can be used when registering a new passkey. For example Facebook and Microsoft is using this feature, and #2808 depends on this. KeePassXC side implementation is also needed for this to actually work. The Related Origins list is always downloaded from
https://<RP_ID>/.well-known/webauthn.The change also introduces a static timeout for the
AbortSignalso the web requests will timeout after five seconds. Because of this the minimum browser versions must be upgraded.Related KeePassXC side PR: keepassxreboot/keepassxc#12971
Testing strategy
For now the only way to check the related origins array is when a new passkeys is created in Facebook or Microsoft account page. A breakpoint must be set to the
keepass.passkeysRegister()for checking the value. Actual validation for the labels will be implemented to KeePassXC side.At least the following lists are found:
https://login.microsoftonline.com/.well-known/webauthn
https://accounts.meta.com/.well-known/webauthn
https://www.amazon.de/.well-known/webauthn
Type of change