#Webauthn registration issue

I am having an issue trying to add a yubikey passkey to my vaultwarden instance that is on my tailnet. There are no error on the back-end.
Im getting the same issue on both chrome and firefox:

**The relying party ID is not a registrable domain suffix of, nor equal to the current domain. Subsequently, an attempt to fetch the .well-known/webauthn resource of the claimed RP ID failed.
**

The DOMAIN(a vaultwarden setup) is set properly, and the vault is funneled, so the IP is public. Since the error is only showing up on the browser, I wanted to check here if it's a known limitation of using webauthn with TS.

Thanks!

It sounds like your vaultwarden instance is configured with a primary domain that doesnt match the .ts.net one youre accessing it from

webauthn/passkeys are very strictly tied to domains so you need to set them up with the domain that is configured as the primary and then never change this domain (or if you do change it, the passkeys will break)

its an intentional part of their phishing protection

But it is the same domain, exactly :S

what domain is vaultwarden configured to use as its primary?

what do you mean specifically by its primary?

just to give you a better overview, vaultwarden is running in docker, connected to my TS using tsbridge. Normal operations (web or browser plugins) work flawlessly

the DOMAIN env variable apparently

https://github.com/dani-garcia/vaultwarden?tab=readme-ov-file#docker-compose

yup, it's set to the https:// for my vault's TS name

https://vault."my ts".ts.net

never mind the stupid quoting but it matches what I use to connect to it.

interesting, that error suggests theres a mismatch somewhere but ive not used vaultwarden enough to understand where

i saw https://github.com/dani-garcia/vaultwarden/discussions/6567 but dont really understand it

well well well!

given the could work/works now table, it's their fault!

@versed osprey
Thanks for helping me confirm that it's not related to TS!

yeah i think in this scenario we're a domain (well, subdomain) like any other and its up to this software how it wants to handle that

they have their own community on matrix/discourse as well as gh discussions, may be worth asking in one of those

unless someone knows more and can share here!

based on that GH discussion, they are working on it. I will wait for them to be ready!

one question, if you will allow it. There are not pure browser solution to connect to a tailnet right ? I'd like to connect a windows machine to a tailnet but I cannot install tailscale (no admin privileges)

you can run the client in userspace mode without admin perms but its much more complicated to setup

theres https://github.com/tailscale/ts-browser-ext/ which aims to automate that but its highly experimental and doesnt yet work on windows

besides that, tailscale ssh does work in browser from the admin panel though

I will investigate, see if it's even allowed. Thanks again, appreciate your support!

heres the doc if you want to attempt it https://tailscale.com/docs/concepts/userspace-networking

it says for containers but well... it also works on other platforms

i'd create a new help thread if you want help with that because its a whole different rabbit hole

I mean I have done it with a simple ssh -D in wsl. that works too.
I will read the doc though.
again. thank you so much!

ah yes, you can install it in wsl too!