Passkey enrollment fails with the following error if the Relying Party (RP) ID is not a valid domain suffix of the caller's domain, or if the .well-known/webauthn resource served by the RP ID does not list the caller's origin:
The relying party ID is not a registrable domain suffix of, nor equal to the current domain. Subsequently, fetching the .well-known/webauthn resource of the claimed RP ID was successful, but no listed origin matched the caller.
Applies To
- Okta Identity Engine (OIE)
- Passkey/WebAuthn
- Widget/okta-auth-js
Cause
The WebAuthn/FIDO Authenticator in Okta is configured with a custom Relying Party (RP) ID, and the /.well-known/webauthn endpoint served on that RP ID does not list the origin of the domain the application is running on. The browser therefore rejects the RP ID because it is neither a registrable domain suffix of the application's domain nor an origin approved through the related-origins document.
Solution
Modify the /.well-known/webauthn endpoint on the Okta custom domain (the RP ID) so that its "origins" list includes the full origin (scheme and host) of every application that needs to register or use the Passkey.
Example
If the WebAuthn/FIDO Authenticator custom RP ID is set to login.example.com in Okta, then to allow app.example2.com and app.example3.com to use Passkeys, https://login.example.com/.well-known/webauthn should return:
{
  "origins": [
    "https://app.example2.com",
    "https://app.example3.com"
  ]
}
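The following is an added example, not code from Okta or from the browser: it models the two checks the error message describes (is the RP ID a domain suffix of the caller, and if not, does the RP ID's .well-known/webauthn document list the caller's origin) so a .well-known/webauthn document can be validated offline before it is deployed. The suffix check is simplified: real browsers also consult the Public Suffix List, which this helper does not, and the sample document is constructed to match the one above.

```javascript
// Constructed sample of what https://login.example.com/.well-known/webauthn returns.
const SAMPLE_WELL_KNOWN = JSON.stringify({
  origins: ["https://app.example2.com", "https://app.example3.com"],
});

// Check 1: the RP ID equals the caller's host or is a domain suffix of it
// (label-aligned, so "example.com" does not match "notexample.com").
// Simplification: no Public Suffix List check, so eTLDs such as "co.uk"
// are not rejected here as they would be by a browser.
function isDomainSuffix(rpId, hostname) {
  const rp = rpId.toLowerCase();
  const host = hostname.toLowerCase();
  return host === rp || host.endsWith("." + rp);
}

// Check 2: the related-origins document lists the caller's origin exactly.
// Scheme, host and port must all match; "http://" is not "https://".
function originListed(wellKnownJson, callerOrigin) {
  let doc;
  try {
    doc = JSON.parse(wellKnownJson);
  } catch {
    return false; // malformed document: treat as no match
  }
  if (!doc || !Array.isArray(doc.origins)) return false;
  return doc.origins.some((entry) => {
    try {
      return new URL(entry).origin === callerOrigin;
    } catch {
      return false; // unparsable entry never matches
    }
  });
}

// Combined decision with a reason a support engineer can act on.
function checkRpId(rpId, callerOrigin, wellKnownJson) {
  const host = new URL(callerOrigin).hostname;
  if (isDomainSuffix(rpId, host)) {
    return { ok: true, reason: "RP ID is a domain suffix of the caller" };
  }
  if (originListed(wellKnownJson, callerOrigin)) {
    return { ok: true, reason: "caller origin listed in .well-known/webauthn" };
  }
  return {
    ok: false,
    reason: "RP ID is not a suffix of the caller and no listed origin matched",
  };
}
```

Run checkRpId with the application's origin and the document your custom domain actually serves; an ok:false result reproduces the condition behind the enrollment error.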
