Tags: javascript, java, localhost, vaadin, webauthn

WebAuthn: Does navigator.credentials.create() work from localhost to another (sub)domain?


I am trying to develop the WebAuthn registration flow in Java. For this reason I got access to the privacyIDEA server from my university. Let's assume, for example, that the origin domain from my university is called university-server.com. The privacyIDEA server has the subdomain webauthn.university-server.com. For building the web application I am using Vaadin.

If I start the web application, Tomcat will be started as local web server. The idea behind this web application is:

  • Users can log in with their username and password and create a WebAuthn token as their 2nd factor.
  • The registration process should be triggered when users press on a button.
  • If enrollment succeeds, the WebAuthn token should be saved on webauthn.university-server.com.

From here, I encountered two problems:

Problem 1:

On the localhost site, I am prompted to use my security key, but the registration process is never completed. Apparently the data never arrives.

Problem 2:

If I set in the JavaScript function navigator.credentials.create() the parameter rp (Relying Party) to the subdomain webauthn.university-server.com and start the web application, unlike the first problem, I will never be prompted to use my security key. Instead, the error "The operation is insecure" appears.

Can the WebAuthn enrollment work at all with my test environment? To be honest, I am not sure about this.


Solution

  • Had a similar issue. But I successfully configured my local test site to work with subdomains using a self-signed certificate.
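
The rule behind both the question and the answer, as an added example (not code from the question or the answer): a browser only accepts an rp.id that equals the page's host or is a parent domain of it, and only in a secure context, so a page served from localhost cannot register for webauthn.university-server.com while an HTTPS page on a subdomain of it can. The function name, the tiny suffix list and the host dev.webauthn.university-server.com are assumptions made for this sketch; real browsers use the full Public Suffix List.

```javascript
// Added illustration: simplified version of the RP ID check a browser applies
// before navigator.credentials.create() prompts for an authenticator.
// PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

function checkRpId(pageUrl, rpId) {
  const url = new URL(pageUrl);
  const host = url.hostname.toLowerCase();
  const isLocalhost = host === "localhost" || host.endsWith(".localhost");

  // WebAuthn is only exposed in secure contexts: HTTPS, or http://localhost.
  if (url.protocol !== "https:" && !(url.protocol === "http:" && isLocalhost)) {
    return { ok: false, reason: "insecure-context" };
  }

  // When rp.id is omitted, it defaults to the page's own host.
  const id = (rpId === undefined ? host : rpId).toLowerCase();

  // A bare public suffix can never be an RP ID.
  if (PUBLIC_SUFFIXES.has(id)) {
    return { ok: false, reason: "rp-id-is-public-suffix" };
  }

  // rp.id must equal the host or be a parent domain of it (label boundary).
  if (id === host || host.endsWith("." + id)) {
    return { ok: true, rpId: id };
  }
  return { ok: false, reason: "rp-id-not-suffix-of-origin" };
}

// Constructed origins; dev.webauthn.university-server.com is a hypothetical host.
const cases = [
  ["http://localhost:8080/", undefined],
  ["http://localhost:8080/", "webauthn.university-server.com"],
  ["https://dev.webauthn.university-server.com:8443/", "webauthn.university-server.com"],
  ["https://dev.webauthn.university-server.com:8443/", "university-server.com"],
  ["http://dev.webauthn.university-server.com:8080/", "webauthn.university-server.com"],
];
for (const [origin, rpId] of cases) {
  console.log(origin, rpId ?? "(default)", JSON.stringify(checkRpId(origin, rpId)));
}
```

A credential created with the default rp.id on localhost is scoped to localhost, so it cannot later be used from a page under university-server.com.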