[PR #6828] Make available toggling webauthn allow_subdomains #3855

New issue

Open

opened 2026-03-03 10:38:08 +03:00 by kerem · 0 comments

kerem commented 2026-03-03 10:38:08 +03:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6828
Author: @Bert-Proesmans
Created: 2/14/2026
Status: 🔄 Open

Base: main ← Head: webauth_origin_proper

---

📝 Commits (1)

• 19dc021 Add option to validate keys where browser reports subdomain of domain URL

📊 Changes

2 files changed (+10 additions, -2 deletions)

View changed files

📝 src/api/core/two_factor/webauthn.rs (+7 -2)
📝 src/config.rs (+3 -0)

📄 Description

This patch makes it possible to have DNS records for subdomains of DOMAIN_URL to point to vaultwarden instances with working webauthn keys.

I verified this code works by running patched vaultwarden instances. This change is foolproof, allow_subdomains might as well have been set to true by default but opted for defensive approach.

Related discussion; https://github.com/dani-garcia/vaultwarden/discussions/6567

Before;

DOMAIN_URL = passwords.my.domain

1. RESET
2. Navigate to URL passwords.my.domain and login
3. Generate webauthn key and save
4. Attempt login and webauthn validation = OK
5. Navigate to URL <anything>.passwords.my.domain and login
6. Attempt webauthn validation => FAILURE

Before;

DOMAIN_URL = passwords.my.domain

1. RESET
2. Navigate to URL <anything>.passwords.my.domain and login
3. Generate webauthn key and save => FAILURE

=> webauthn_rs fails on the browser URL passed into auth_requests when doing stuff from hostname zone.passwords.my.domain

After;

DOMAIN_URL = passwords.my.domain
WEBAUTHN_ALLOW_SUBDOMAINS = true

• Generating webauthn keys from browser URL <anything>.passwords.my.domain works
• Validating webauthn keys from browser URL <anything>.passwords.my.domain works

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/6828 **Author:** [@Bert-Proesmans](https://github.com/Bert-Proesmans) **Created:** 2/14/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `webauth_origin_proper` --- ### 📝 Commits (1) - [`19dc021`](https://github.com/dani-garcia/vaultwarden/commit/19dc021246e1ff731a3105907f2a41463eebdb5e) Add option to validate keys where browser reports subdomain of domain URL ### 📊 Changes **2 files changed** (+10 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `src/api/core/two_factor/webauthn.rs` (+7 -2) 📝 `src/config.rs` (+3 -0) </details> ### 📄 Description This patch makes it possible to have DNS records for subdomains of DOMAIN_URL to point to vaultwarden instances with working webauthn keys. I verified this code works by running patched vaultwarden instances. This change is foolproof, allow_subdomains might as well have been set to true by default but opted for defensive approach. Related discussion; https://github.com/dani-garcia/vaultwarden/discussions/6567 Before; DOMAIN_URL = passwords.my.domain 1. RESET 1. Navigate to URL passwords.my.domain and login 2. Generate webauthn key and save 3. Attempt login and webauthn validation = OK 4. Navigate to URL \<anything>.passwords.my.domain and login 5. Attempt webauthn validation => FAILURE Before; DOMAIN_URL = passwords.my.domain 1. RESET 1. Navigate to URL \<anything>.passwords.my.domain and login 2. Generate webauthn key and save => FAILURE => webauthn_rs fails on the browser URL passed into auth_requests when doing stuff from hostname zone.passwords.my.domain # After; DOMAIN_URL = passwords.my.domain WEBAUTHN_ALLOW_SUBDOMAINS = true * Generating webauthn keys from browser URL \<anything>.passwords.my.domain works * Validating webauthn keys from browser URL \<anything>.passwords.my.domain works --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

kerem added the

pull-request

label 2026-03-03 10:38:08 +03:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#3855

No description provided.