diff --git a/spec/acceptance/2_realm_spec.rb b/spec/acceptance/2_realm_spec.rb
index d06b4185..26d6a21b 100644
--- a/spec/acceptance/2_realm_spec.rb
+++ b/spec/acceptance/2_realm_spec.rb
@@ -239,6 +239,7 @@ class { 'keycloak': }
         web_authn_policy_create_timeout                    => 600,
         web_authn_policy_avoid_same_authenticator_register => true,
         web_authn_policy_acceptable_aaguids                => ['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'],
+        web_authn_policy_extra_origins                     => ['https://example.com'],
         web_authn_policy_passwordless_rp_entity_name                    => 'Keycloak',
         web_authn_policy_passwordless_signature_algorithms              => ['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'],
         web_authn_policy_passwordless_rp_id                             => 'https://example.com',
@@ -249,6 +250,7 @@ class { 'keycloak': }
         web_authn_policy_passwordless_create_timeout                    => 600,
         web_authn_policy_passwordless_avoid_same_authenticator_register => true,
         web_authn_policy_passwordless_acceptable_aaguids                => ['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'],
+        web_authn_policy_passwordless_extra_origins                     => ['https://example.com'],
       }
       PUPPET_PP
 
@@ -321,6 +323,7 @@ class { 'keycloak': }
         expect(data['webAuthnPolicyCreateTimeout']).to eq(600)
         expect(data['webAuthnPolicyAvoidSameAuthenticatorRegister']).to eq(true)
         expect(data['webAuthnPolicyAcceptableAaguids']).to eq(['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'])
+        expect(data['webAuthnPolicyExtraOrigins']).to eq(['https://example.com'])
         expect(data['webAuthnPolicyPasswordlessRpEntityName']).to eq('Keycloak')
         expect(data['webAuthnPolicyPasswordlessSignatureAlgorithms']).to eq(['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'])
         expect(data['webAuthnPolicyPasswordlessRpId']).to eq('https://example.com')
@@ -331,6 +334,7 @@ class { 'keycloak': }
         expect(data['webAuthnPolicyPasswordlessCreateTimeout']).to eq(600)
         expect(data['webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister']).to eq(true)
         expect(data['webAuthnPolicyPasswordlessAcceptableAaguids']).to eq(['d1d1d1d1-d1d1-d1d1-d1d1-d1d1d1d1d1d1'])
+        expect(data['webAuthnPolicyPasswordlessExtraOrigins']).to eq(['https://example.com'])
       end
     end
 
diff --git a/spec/unit/puppet/type/keycloak_realm_spec.rb b/spec/unit/puppet/type/keycloak_realm_spec.rb
index 42a48eba..dca25314 100644
--- a/spec/unit/puppet/type/keycloak_realm_spec.rb
+++ b/spec/unit/puppet/type/keycloak_realm_spec.rb
@@ -82,6 +82,7 @@
     web_authn_policy_create_timeout: 0,
     web_authn_policy_avoid_same_authenticator_register: :false,
     web_authn_policy_acceptable_aaguids: [],
+    web_authn_policy_extra_origins: [],
     web_authn_policy_passwordless_rp_entity_name: 'keycloak',
     web_authn_policy_passwordless_signature_algorithms: ['ES256'],
     web_authn_policy_passwordless_rp_id: '',
@@ -91,7 +92,8 @@
     web_authn_policy_passwordless_user_verification_requirement: 'not specified',
     web_authn_policy_passwordless_create_timeout: 0,
     web_authn_policy_passwordless_avoid_same_authenticator_register: :false,
-    web_authn_policy_passwordless_acceptable_aaguids: []
+    web_authn_policy_passwordless_acceptable_aaguids: [],
+    web_authn_policy_passwordless_extra_origins: []
   }
 
   describe 'otp_policy_digits' do
@@ -348,8 +350,10 @@
       :roles,
       :web_authn_policy_signature_algorithms,
       :web_authn_policy_acceptable_aaguids,
+      :web_authn_policy_extra_origins,
       :web_authn_policy_passwordless_signature_algorithms,
-      :web_authn_policy_passwordless_acceptable_aaguids
+      :web_authn_policy_passwordless_acceptable_aaguids,
+      :web_authn_policy_passwordless_extra_origins
     ].each do |p|
       it "accepts array for #{p}" do
         config[p] = ['foo', 'bar']