Passkey Autofill UI with Related Origins feature

[Franciszek-Bubnicki]

Hi, I've read https://passkeys.dev/docs/advanced/related-origins/ but I still don't understand one thing.
Suppose I have a passkey autofill UI with related origins feature and a multi-country site with domains:
my-shop.com
my-shop.pl

There are JSON files served at https://my-shop.pl/.well-known/webauthn and one at https://my-shop.com/.well-known/webauthn
with the proper allowed origins:
https://my-shop.pl and https://my-shop.com

Now suppose a user opens login page on my-shop.com and rp returns PublicKeyCredentialRequestOptions with rpId my-shop.com but the user have a passkey registered for rpId my-shop.pl.
Can I make the browser list user's passkey even though it is set for different rpId?

Or should all the passkeys be registered with common rpId (e.g. my-shop.com), so that rpId passed in PublicKeyCredentialRequestOptions would always be the same?

[timcappalli]

In a greenfield environment, you should use a common RP ID as documented in that article.

In a brownfield environment where passkeys already exist, the autofill UI will only be possible with one RP ID and it's related origins (as you can only have one conditional request in flight). If you want to support that scenario, follow the guidance in the doc for an identifier first flow with backend lookup.

Related Origins doesn't make passkeys for different RP IDs available in one selector / UI. It just allows WebAuthn to be called from origins that do not match the RP ID in the request.