Is it allowed to use an IPv4 as rp_id in webauthn credential creation options?

Question

I am writing a webauthn demonstrator following https://webauthn.guide, and it works well when I host my frontend on https://localhost:4200.'

However, if I host the angular frontend to my local network, and replace rp_id='localhost' with the ip address I can open the frontend with, say, rp_id='198.168.99.99', navigator.credentials.create always gives DOMException: The operation is insecure..

I expected the credential creation to succeed since the ip is part of the URL I open the website with. How can I successfully create the credentials on a website served on my local network?

Answer 1

IP addresses cannot be RP IDs. Note the following from the WebAuthn spec:

Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. Only the domain format of host is allowed here. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.