Multi-Site

TYPO3 multi-site installations require each site to have its own passkey configuration because WebAuthn credentials are bound to a specific domain (Relying Party ID).

How site-aware RP ID works

When a passkey authentication or enrollment request arrives, the extension resolves the current TYPO3 site from the request and reads the nr_passkeys_fe.rpId value from the site's config.yaml.

If no per-site RP ID is configured, the extension falls back to the global extension setting (auto-detected from HTTP_HOST).

This means:

Credentials registered on site-a.example cannot be used on site-b.example.
Each site maintains its own independent credential store (filtered by site RP ID).
Users who access multiple sites must enroll a passkey separately on each site.

Configuration example

For a TYPO3 installation with two separate domains:

config/sites/company-intranet/config.yaml

base: 'https://intranet.example.com/'
settings:
  nr_passkeys_fe:
    rpId: 'intranet.example.com'
    origin: 'https://intranet.example.com'
    enforcementLevel: 'enforced'
    enrollmentPageUrl: '/passkey-setup'

config/sites/public-shop/config.yaml

base: 'https://shop.example.com/'
settings:
  nr_passkeys_fe:
    rpId: 'shop.example.com'
    origin: 'https://shop.example.com'
    enforcementLevel: 'encourage'
    enrollmentPageUrl: '/passkey-setup'

Shared RP ID across subdomains

WebAuthn allows the RP ID to be a registrable domain suffix. For example, credentials registered with rpId: 'example.com' can be used on both app.example.com and api.example.com.

To enable this, set all sites to the same parent domain:

# site-a/config.yaml
settings:
  nr_passkeys_fe:
    rpId: 'example.com'
    origin: 'https://app.example.com'

# site-b/config.yaml
settings:
  nr_passkeys_fe:
    rpId: 'example.com'
    origin: 'https://api.example.com'

Warning

Sharing an RP ID means a passkey registered on one subdomain can be used on all other subdomains sharing the same RP ID. Only share RP IDs across subdomains you fully trust.

Database isolation

Credentials are stored with a site_identifier column in tx_nrpasskeysfe_credential. The credential lookup in the auth service always filters by the current site's identifier. There is no cross-site credential leakage.

Migration from single-site to multi-site

If you initially deployed without per-site RP ID configuration (using auto-detected RP ID) and later add multiple sites:

The auto-detected RP ID was HTTP_HOST from the original request.
Existing credentials have a site_identifier matching the original site.
When adding a new site with a different domain, users must re-enroll (their existing credentials won't match the new RP ID).

Plan migrations carefully and communicate re-enrollment to users in advance.