This article shows how FIDO2 WebAuthn could be used for a passwordless sign in integrated into an ASP.NET Core Identity application. The FIDO2 WebAuthn is implemented using the fido2-net-lib Nuget package, and demo code created by Anders Åberg. The application is implemented using ASP.NET Core 3.0 with Identity. For information about FIDO2 and WebAuthn, please refer to the links at the bottom.
Code: https://github.com/damienbod/AspNetCoreIdentityFido2Mfa
Other posts in this series
ASP.NET Core Identity with Fido2 WebAuthn MFA
History
2020-08-28 Updated Nuget pacakges, npm packages
Implementing the ASP.NET Core Relying Party
An ASP.NET Core Identity project was created used the Visual Studio templates. This uses EF Core with SQL Server and adds an ApplicationDbContext. The FIDO2 nuget package was added to the project as well as Microsoft.AspNetCore.Mvc.NewtonsoftJson.
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp3.1</TargetFramework>
<UserSecretsId>aspnet-AspNetCoreIdentityFido2Passwordless-A24A7A38-BA5D-4D6C-A05B-54F4421C030B</UserSecretsId>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Fido2" Version="1.1.0" />
<PackageReference Include="BuildBundlerMinifier" Version="3.2.449" />
<PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="3.1.7" />
<PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="3.1.7" />
<PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="3.1.7" />
<PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="3.1.7" />
<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="3.1.7" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.1.7">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="3.1.7" />
<PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="3.1.4" />
</ItemGroup>
<Target Name="DebugEnsureNodeEnv" BeforeTargets="Build" Condition=" '$(Configuration)' == 'Debug' And !Exists('node_modules') ">
<!-- Ensure Node.js is installed -->
<Exec Command="node --version" ContinueOnError="true">
<Output TaskParameter="ExitCode" PropertyName="ErrorCode" />
</Exec>
<Error Condition="'$(ErrorCode)' != '0'" Text="Node.js is required to build and run this project. To continue, please install Node.js from https://nodejs.org/, and then restart your command prompt or IDE." />
<Message Importance="high" Text="Restoring dependencies using 'npm'. This may take several minutes..." />
<Exec WorkingDirectory="" Command="npm install" />
</Target>
</Project>
FIDO2 helper classes were created and added to the FIDO2 folder in the project. The FidoStoredCredential class is used to store the data to the database. The FIDO2 services were then added the services in the ConfigureServices method.
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(
Configuration.GetConnectionString("DefaultConnection")));
services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
.AddEntityFrameworkStores<ApplicationDbContext>();
services.Configure<CookiePolicyOptions>(options =>
{
options.Secure = CookieSecurePolicy.Always;
options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
options.OnAppendCookie = cookieContext =>
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
options.OnDeleteCookie = cookieContext =>
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
});
services.AddControllers()
.AddNewtonsoftJson();
services.AddRazorPages();
services.Configure<Fido2Configuration>(Configuration.GetSection("fido2"));
services.AddScoped<Fido2Storage>();
// Adds a default in-memory implementation of IDistributedCache.
services.AddDistributedMemoryCache();
services.AddSession(options =>
{
options.IdleTimeout = TimeSpan.FromMinutes(2);
options.Cookie.HttpOnly = true;
options.Cookie.SameSite = SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});
}
FIDO2 requires session and this was added as middleware in the Configure method.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseCookiePolicy();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseSession();
app.UseEndpoints(endpoints =>
{
endpoints.MapRazorPages();
endpoints.MapControllers();
});
}
The settings are read from the app.settings and this needs to match your deployment, hosting.
"fido2": {
"serverDomain": "localhost",
"serverName": "Fido2PasswordlessTest",
"origin": "https://localhost:44326",
"timestampDriftTolerance": 300000,
"MDSAccessKey": null
},
The ApplicationDbContext Entity Framework Core context is extended to include the FidoStoredCredential, which is used to persist the FIDO2 data. After adding this, run the migrations to create a table in the database.
using System;
using System.Collections.Generic;
using System.Text;
using Fido2Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
namespace AspNetCoreIdentityFido2Passwordless.Data
{
public class ApplicationDbContext : IdentityDbContext
{
public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
: base(options)
{
}
public DbSet<FidoStoredCredential> FidoStoredCredential { get; set; }
protected override void OnModelCreating(ModelBuilder builder)
{
builder.Entity<FidoStoredCredential>().HasKey(m => m.Id);
base.OnModelCreating(builder);
}
}
}
Passwordless Register and Authentication with Identity
The register and the sign in controllers are uses to execute the FIDO2 password flow. The URLs used must match the URLS set in the WebAuthn javascript implementation. The ASP.NET Core Identity UserManager is used to create an Identity, if the FIDO2 register completes successfully.
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Fido2NetLib.Objects;
using Fido2NetLib;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using static Fido2NetLib.Fido2;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
namespace Fido2Identity
{
[Route("api/[controller]")]
public class PwFido2RegisterController : Controller
{
private Fido2 _lib;
public static IMetadataService _mds;
private readonly Fido2Storage _fido2Storage;
private readonly UserManager<IdentityUser> _userManager;
private readonly IOptions<Fido2Configuration> _optionsFido2Configuration;
public PwFido2RegisterController(
Fido2Storage fido2Storage,
UserManager<IdentityUser> userManager,
IOptions<Fido2Configuration> optionsFido2Configuration)
{
_userManager = userManager;
_optionsFido2Configuration = optionsFido2Configuration;
_fido2Storage = fido2Storage;
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
ServerName = _optionsFido2Configuration.Value.ServerName,
Origin = _optionsFido2Configuration.Value.Origin,
TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
});
}
private string FormatException(Exception e)
{
return string.Format("{0}{1}", e.Message, e.InnerException != null ? " (" + e.InnerException.Message + ")" : "");
}
[HttpPost]
[Route("/pwmakeCredentialOptions")]
public async Task<JsonResult> MakeCredentialOptions([FromForm] string username, [FromForm] string displayName, [FromForm] string attType, [FromForm] string authType, [FromForm] bool requireResidentKey, [FromForm] string userVerification)
{
try
{
if (string.IsNullOrEmpty(username))
{
username = $"{displayName} (Usernameless user created at {DateTime.UtcNow})";
}
var user = new Fido2User
{
DisplayName = displayName,
Name = username,
Id = Encoding.UTF8.GetBytes(username) // byte representation of userID is required
};
// 2. Get user existing keys by username
var items = await _fido2Storage.GetCredentialsByUsername(username);
var existingKeys = new List<PublicKeyCredentialDescriptor>();
foreach(var publicKeyCredentialDescriptor in items)
{
existingKeys.Add(publicKeyCredentialDescriptor.Descriptor);
}
// 3. Create options
var authenticatorSelection = new AuthenticatorSelection
{
RequireResidentKey = requireResidentKey,
UserVerification = userVerification.ToEnum<UserVerificationRequirement>()
};
if (!string.IsNullOrEmpty(authType))
authenticatorSelection.AuthenticatorAttachment = authType.ToEnum<AuthenticatorAttachment>();
var exts = new AuthenticationExtensionsClientInputs() { Extensions = true, UserVerificationIndex = true, Location = true, UserVerificationMethod = true, BiometricAuthenticatorPerformanceBounds = new AuthenticatorBiometricPerfBounds { FAR = float.MaxValue, FRR = float.MaxValue } };
var options = _lib.RequestNewCredential(user, existingKeys, authenticatorSelection, attType.ToEnum<AttestationConveyancePreference>(), exts);
// 4. Temporarily store options, session/in-memory cache/redis/db
HttpContext.Session.SetString("fido2.attestationOptions", options.ToJson());
// 5. return options to client
return Json(options);
}
catch (Exception e)
{
return Json(new CredentialCreateOptions { Status = "error", ErrorMessage = FormatException(e) });
}
}
[HttpPost]
[Route("/pwmakeCredential")]
public async Task<JsonResult> MakeCredential([FromBody] AuthenticatorAttestationRawResponse attestationResponse)
{
try
{
// 1. get the options we sent the client
var jsonOptions = HttpContext.Session.GetString("fido2.attestationOptions");
var options = CredentialCreateOptions.FromJson(jsonOptions);
// 2. Create callback so that lib can verify credential id is unique to this user
IsCredentialIdUniqueToUserAsyncDelegate callback = async (IsCredentialIdUniqueToUserParams args) =>
{
var users = await _fido2Storage.GetUsersByCredentialIdAsync(args.CredentialId);
if (users.Count > 0) return false;
return true;
};
// 2. Verify and make the credentials
var success = await _lib.MakeNewCredentialAsync(attestationResponse, options, callback);
// 3. Store the credentials in db
await _fido2Storage.AddCredentialToUser(options.User, new FidoStoredCredential
{
Username = options.User.Name,
Descriptor = new PublicKeyCredentialDescriptor(success.Result.CredentialId),
PublicKey = success.Result.PublicKey,
UserHandle = success.Result.User.Id,
SignatureCounter = success.Result.Counter,
CredType = success.Result.CredType,
RegDate = DateTime.Now,
AaGuid = success.Result.Aaguid
});
// 4. return "ok" to the client
var user = await CreateUser(options.User.Name);
// await _userManager.GetUserAsync(User);
if (user == null)
{
return Json(new CredentialMakeResult { Status = "error", ErrorMessage = $"Unable to load user with ID '{_userManager.GetUserId(User)}'." });
}
//await _userManager.SetTwoFactorEnabledAsync(user, true);
//var userId = await _userManager.FindByNameAsync(user);
return Json(success);
}
catch (Exception e)
{
return Json(new CredentialMakeResult { Status = "error", ErrorMessage = FormatException(e) });
}
}
private async Task<IdentityUser> CreateUser(string userEmail)
{
var user = new IdentityUser { UserName = userEmail, Email = userEmail, EmailConfirmed = true };
var result = await _userManager.CreateAsync(user);
if (result.Succeeded)
{
//await _signInManager.SignInAsync(user, isPersistent: false);
}
return user;
}
}
}
The PwFido2SignInController implements the FIDO2 passwordless sign in. This uses ASP.NET Core Identity to sign in the user, if the FIDO2 flow completes successfully.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Fido2NetLib.Objects;
using Fido2NetLib;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
namespace Fido2Identity
{
[Route("api/[controller]")]
public class PwFido2SignInController : Controller
{
private Fido2 _lib;
public static IMetadataService _mds;
private readonly Fido2Storage _fido2Storage;
private readonly UserManager<IdentityUser> _userManager;
private readonly SignInManager<IdentityUser> _signInManager;
private readonly IOptions<Fido2Configuration> _optionsFido2Configuration;
public PwFido2SignInController(
Fido2Storage fido2Storage,
UserManager<IdentityUser> userManager,
SignInManager<IdentityUser> signInManager,
IOptions<Fido2Configuration> optionsFido2Configuration)
{
_userManager = userManager;
_optionsFido2Configuration = optionsFido2Configuration;
_signInManager = signInManager;
_userManager = userManager;
_fido2Storage = fido2Storage;
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
ServerName = _optionsFido2Configuration.Value.ServerName,
Origin = _optionsFido2Configuration.Value.Origin,
TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
});
}
private string FormatException(Exception e)
{
return string.Format("{0}{1}", e.Message, e.InnerException != null ? " (" + e.InnerException.Message + ")" : "");
}
[HttpPost]
[Route("/pwassertionOptions")]
public async Task<ActionResult> AssertionOptionsPost([FromForm] string username, [FromForm] string userVerification)
{
try
{
var existingCredentials = new List<PublicKeyCredentialDescriptor>();
if (!string.IsNullOrEmpty(username))
{
var identityUser = await _userManager.FindByNameAsync(username);
var user = new Fido2User
{
DisplayName = identityUser.UserName,
Name = identityUser.UserName,
Id = Encoding.UTF8.GetBytes(identityUser.UserName) // byte representation of userID is required
};
if (user == null) throw new ArgumentException("Username was not registered");
// 2. Get registered credentials from database
var items = await _fido2Storage.GetCredentialsByUsername(identityUser.UserName);
existingCredentials = items.Select(c => c.Descriptor).ToList();
}
var exts = new AuthenticationExtensionsClientInputs() { SimpleTransactionAuthorization = "FIDO", GenericTransactionAuthorization = new TxAuthGenericArg { ContentType = "text/plain", Content = new byte[] { 0x46, 0x49, 0x44, 0x4F } }, UserVerificationIndex = true, Location = true, UserVerificationMethod = true };
// 3. Create options
var uv = string.IsNullOrEmpty(userVerification) ? UserVerificationRequirement.Discouraged : userVerification.ToEnum<UserVerificationRequirement>();
var options = _lib.GetAssertionOptions(
existingCredentials,
uv,
exts
);
// 4. Temporarily store options, session/in-memory cache/redis/db
HttpContext.Session.SetString("fido2.assertionOptions", options.ToJson());
// 5. Return options to client
return Json(options);
}
catch (Exception e)
{
return Json(new AssertionOptions { Status = "error", ErrorMessage = FormatException(e) });
}
}
[HttpPost]
[Route("/pwmakeAssertion")]
public async Task<JsonResult> MakeAssertion([FromBody] AuthenticatorAssertionRawResponse clientResponse)
{
try
{
// 1. Get the assertion options we sent the client
var jsonOptions = HttpContext.Session.GetString("fido2.assertionOptions");
var options = AssertionOptions.FromJson(jsonOptions);
// 2. Get registered credential from database
var creds = await _fido2Storage.GetCredentialById(clientResponse.Id);
if (creds == null)
{
throw new Exception("Unknown credentials");
}
// 3. Get credential counter from database
var storedCounter = creds.SignatureCounter;
// 4. Create callback to check if userhandle owns the credentialId
IsUserHandleOwnerOfCredentialIdAsync callback = async (args) =>
{
var storedCreds = await _fido2Storage.GetCredentialsByUserHandleAsync(args.UserHandle);
return storedCreds.Exists(c => c.Descriptor.Id.SequenceEqual(args.CredentialId));
};
// 5. Make the assertion
var res = await _lib.MakeAssertionAsync(clientResponse, options, creds.PublicKey, storedCounter, callback);
// 6. Store the updated counter
await _fido2Storage.UpdateCounter(res.CredentialId, res.Counter);
var identityUser = await _userManager.FindByNameAsync(creds.Username);
if (identityUser == null)
{
throw new InvalidOperationException($"Unable to load user.");
}
await _signInManager.SignInAsync(identityUser, isPersistent: false);
// 7. return OK to client
return Json(res);
}
catch (Exception e)
{
return Json(new AssertionVerificationResult { Status = "error", ErrorMessage = FormatException(e) });
}
}
}
}
//
Implementing the WebAuthn javascript APIs
The WebAuthn FIDO2 passwordless flow is implemented in javascript. We need to replace the Identity login, and register pages with the FIDO2 logic. To do this, the Login and the Register Identity pages are scaffolded into the project using Visual Studio.
The Logic from the Register.cshtml.cs is completely removed, and replaced with the following code. We do not want to register using a password.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;
namespace AspNetCoreIdentityFido2Passwordless.Areas.Identity.Pages.Account
{
[AllowAnonymous]
public class RegisterModel : PageModel
{
public void OnGet()
{
}
public void OnPost()
{
}
}
}
The HTML part of the Register page is replaced and the passwordless.register.js WebAuthn implementation is added here.
@page
@{
ViewData["Title"] = "Register";
}
<h1>@ViewData["Title"]</h1>
<div class="row">
<div class="col-md-4">
<form action="/mfa" method="post" id="register">
<div class="form-group">
<label name="username">Email</label>
<input name="username" class="form-control" />
</div>
<div class="form-group">
<label name="displayName">Display name</label>
<input name="displayName" class="form-control" />
</div>
<div class="field">
<div class="control">
<button class="btn btn-primary">Register user</button>
</div>
</div>
</form>
</div>
</div>
<script src="~/js/helpers.js"></script>
<script src="~/js/instant.js"></script>
<script src="~/js/passwordless.register.js"></script>
The Login.cshtml.cs logic is also completely removed and replaced with the following:
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;
namespace AspNetCoreIdentityFido2Passwordless.Areas.Identity.Pages.Account
{
[AllowAnonymous]
public class LoginModel : PageModel
{
public void OnGet()
{
}
public void OnPost()
{
}
}
}
The HTML part of the page implements the form which uses the passwordless.login.js jaavascript functions.
@page
@model LoginModel
@{
ViewData["Title"] = "Log in";
}
<h1>@ViewData["Title"]</h1>
<div class="row">
<div class="col-md-4">
<section>
<form action="/mfa" method="post" id="signin">
<div class="form-group">
<label name="username">Email</label>
<input name="username" class="form-control" />
</div>
<div class="field">
<div class="control">
<button class="btn btn-primary">Login</button>
</div>
</div>
</form>
</section>
</div>
</div>
<script src="~/js/helpers.js"></script>
<script src="~/js/instant.js"></script>
<script src="~/js/passwordless.login.js"></script>
The passwordless.login.js and the passwordless.register.js have require sweetalert2 and other javascript packages. These are added in the _Layout view. You could remove these if you want, and update the 2 javacript files, not to use these.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>@ViewData["Title"] - AspNetCoreIdentityFido2Passwordless</title>
<link rel="stylesheet" href="~/lib/bootstrap/dist/css/bootstrap.min.css" />
<link rel="stylesheet" href="~/css/site.css" />
<link href="https://fonts.googleapis.com/css?family=Work+Sans" rel="stylesheet">
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.11.0/umd/popper.min.js" integrity="sha384-b/U6ypiBEHpOf/4+1nzFpr53nxSS+GLCkfwBdFNTxtclqqenISfwAzpKaMNFNmj4" crossorigin="anonymous"></script>
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/sweetalert2"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/limonte-sweetalert2/6.10.1/sweetalert2.min.css" />
<script defer src="https://use.fontawesome.com/releases/v5.3.1/js/all.js"></script>
</head>
The register WebAuthn is implemented in the passwordless.register.js. This is more or less the code from the fido2-net-lib demo project, except the URLs have been changed. In a production app, this would need to be cleaned up.
document.getElementById('register').addEventListener('submit', handleRegisterSubmit);
async function handleRegisterSubmit(event) {
event.preventDefault();
let username = this.username.value;
let displayName = this.displayName.value;
// possible values: none, direct, indirect
let attestation_type = "none";
// possible values: <empty>, platform, cross-platform
let authenticator_attachment = "";
// possible values: preferred, required, discouraged
let user_verification = "preferred";
// possible values: true,false
let require_resident_key = false;
// prepare form post data
var data = new FormData();
data.append('username', username);
data.append('displayName', displayName);
data.append('attType', attestation_type);
data.append('authType', authenticator_attachment);
data.append('userVerification', user_verification);
data.append('requireResidentKey', require_resident_key);
// send to server for registering
let makeCredentialOptions;
try {
makeCredentialOptions = await fetchMakeCredentialOptions(data);
} catch (e) {
console.error(e);
let msg = "Something wen't really wrong";
showErrorAlert(msg);
}
console.log("Credential Options Object", makeCredentialOptions);
if (makeCredentialOptions.status !== "ok") {
console.log("Error creating credential options");
console.log(makeCredentialOptions.errorMessage);
showErrorAlert(makeCredentialOptions.errorMessage);
return;
}
// Turn the challenge back into the accepted format of padded base64
makeCredentialOptions.challenge = coerceToArrayBuffer(makeCredentialOptions.challenge);
// Turn ID into a UInt8Array Buffer for some reason
makeCredentialOptions.user.id = coerceToArrayBuffer(makeCredentialOptions.user.id);
makeCredentialOptions.excludeCredentials = makeCredentialOptions.excludeCredentials.map((c) => {
c.id = coerceToArrayBuffer(c.id);
return c;
});
if (makeCredentialOptions.authenticatorSelection.authenticatorAttachment === null) makeCredentialOptions.authenticatorSelection.authenticatorAttachment = undefined;
console.log("Credential Options Formatted", makeCredentialOptions);
Swal.fire({
title: 'Registering...',
text: 'Tap your security key to finish registration.',
imageUrl: "/images/securitykey.min.svg",
showCancelButton: true,
showConfirmButton: false,
focusConfirm: false,
focusCancel: false
});
console.log("Creating PublicKeyCredential...");
let newCredential;
try {
newCredential = await navigator.credentials.create({
publicKey: makeCredentialOptions
});
} catch (e) {
var msg = "Could not create credentials in browser. Probably because the username is already registered with your authenticator. Please change username or authenticator."
console.error(msg, e);
showErrorAlert(msg, e);
}
console.log("PublicKeyCredential Created", newCredential);
try {
registerNewCredential(newCredential);
} catch (e) {
showErrorAlert(err.message ? err.message : err);
}
}
async function fetchMakeCredentialOptions(formData) {
let response = await fetch('/pwmakeCredentialOptions', {
method: 'POST', // or 'PUT'
body: formData, // data can be `string` or {object}!
headers: {
'Accept': 'application/json'
}
});
let data = await response.json();
return data;
}
// This should be used to verify the auth data with the server
async function registerNewCredential(newCredential) {
// Move data into Arrays incase it is super long
let attestationObject = new Uint8Array(newCredential.response.attestationObject);
let clientDataJSON = new Uint8Array(newCredential.response.clientDataJSON);
let rawId = new Uint8Array(newCredential.rawId);
const data = {
id: newCredential.id,
rawId: coerceToBase64Url(rawId),
type: newCredential.type,
extensions: newCredential.getClientExtensionResults(),
response: {
AttestationObject: coerceToBase64Url(attestationObject),
clientDataJson: coerceToBase64Url(clientDataJSON)
}
};
let response;
try {
response = await registerCredentialWithServer(data);
} catch (e) {
showErrorAlert(e);
}
console.log("Credential Object", response);
// show error
if (response.status !== "ok") {
console.log("Error creating credential");
console.log(response.errorMessage);
showErrorAlert(response.errorMessage);
return;
}
// show success
Swal.fire({
title: 'Registration Successful!',
text: 'You\'ve registered successfully.',
type: 'success',
timer: 2000
});
// redirect to dashboard?
//window.location.href = "/dashboard/" + state.user.displayName;
}
async function registerCredentialWithServer(formData) {
let response = await fetch('/pwmakeCredential', {
method: 'POST', // or 'PUT'
body: JSON.stringify(formData), // data can be `string` or {object}!
headers: {
'Accept': 'application/json',
'Content-Type': 'application/json'
}
});
let data = await response.json();
return data;
}
The passwordless login WebAuthn is implemented in the passwordless.login.js. This is more or less the code from the fido2-net-lib demo project, except the URLs have been changed.
document.getElementById('signin').addEventListener('submit', handleSignInSubmit);
async function handleSignInSubmit(event) {
event.preventDefault();
let username = this.username.value;
// prepare form post data
var formData = new FormData();
formData.append('username', username);
// send to server for registering
let makeAssertionOptions;
try {
var res = await fetch('/pwassertionOptions', {
method: 'POST', // or 'PUT'
body: formData, // data can be `string` or {object}!
headers: {
'Accept': 'application/json'
}
});
makeAssertionOptions = await res.json();
} catch (e) {
showErrorAlert("Request to server failed", e);
}
console.log("Assertion Options Object", makeAssertionOptions);
// show options error to user
if (makeAssertionOptions.status !== "ok") {
console.log("Error creating assertion options");
console.log(makeAssertionOptions.errorMessage);
showErrorAlert(makeAssertionOptions.errorMessage);
return;
}
// todo: switch this to coercebase64
const challenge = makeAssertionOptions.challenge.replace(/-/g, "+").replace(/_/g, "/");
makeAssertionOptions.challenge = Uint8Array.from(atob(challenge), c => c.charCodeAt(0));
// fix escaping. Change this to coerce
makeAssertionOptions.allowCredentials.forEach(function (listItem) {
var fixedId = listItem.id.replace(/\_/g, "/").replace(/\-/g, "+");
listItem.id = Uint8Array.from(atob(fixedId), c => c.charCodeAt(0));
});
console.log("Assertion options", makeAssertionOptions);
Swal.fire({
title: 'Logging In...',
text: 'Tap your security key to login.',
imageUrl: "/images/securitykey.min.svg",
showCancelButton: true,
showConfirmButton: false,
focusConfirm: false,
focusCancel: false
});
// ask browser for credentials (browser will ask connected authenticators)
let credential;
try {
credential = await navigator.credentials.get({ publicKey: makeAssertionOptions })
} catch (err) {
showErrorAlert(err.message ? err.message : err);
}
try {
await verifyAssertionWithServer(credential);
} catch (e) {
showErrorAlert("Could not verify assertion", e);
}
}
async function verifyAssertionWithServer(assertedCredential) {
// Move data into Arrays incase it is super long
let authData = new Uint8Array(assertedCredential.response.authenticatorData);
let clientDataJSON = new Uint8Array(assertedCredential.response.clientDataJSON);
let rawId = new Uint8Array(assertedCredential.rawId);
let sig = new Uint8Array(assertedCredential.response.signature);
const data = {
id: assertedCredential.id,
rawId: coerceToBase64Url(rawId),
type: assertedCredential.type,
extensions: assertedCredential.getClientExtensionResults(),
response: {
authenticatorData: coerceToBase64Url(authData),
clientDataJson: coerceToBase64Url(clientDataJSON),
signature: coerceToBase64Url(sig)
}
};
let response;
try {
let res = await fetch("/pwmakeAssertion", {
method: 'POST', // or 'PUT'
body: JSON.stringify(data), // data can be `string` or {object}!
headers: {
'Accept': 'application/json',
'Content-Type': 'application/json'
}
});
response = await res.json();
} catch (e) {
showErrorAlert("Request to server failed", e);
throw e;
}
console.log("Assertion Object", response);
// show error
if (response.status !== "ok") {
console.log("Error doing assertion");
console.log(response.errorMessage);
showErrorAlert(response.errorMessage);
return;
}
// show success message
await Swal.fire({
title: 'Logged In!',
text: 'You\'re logged in successfully.',
type: 'success',
timer: 2000
});
window.location.href = "/index";
}
Now when the application is started, you can register and authenticate using a FIDO2 passwordless flow with ASP.NET Core Identity. If you do use the password flow, you should consider forcing a second factor on the FIDO2 device like using a pin or a biometric validation, so that if the device is lost, a second factor is still required to use the authenticator with the webpage.
Links:
https://github.com/abergs/fido2-net-lib
https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/
https://www.w3.org/TR/webauthn/
https://www.scottbrady91.com/FIDO/A-FIDO2-Primer-and-Proof-of-Concept-using-ASPNET-Core
https://github.com/herrjemand/awesome-webauthn
https://developers.yubico.com/FIDO2/Libraries/Using_a_library.html
https://docs.microsoft.com/en-us/aspnet/core/?view=aspnetcore-3.0
Software Engineering 
[…] Adding FIDO2 Passwordless authentication to an ASP.NET Core Identity App (Damien Bowden) […]
[…] Adding FIDO2 Passwordless authentication to an ASP.NET Core Identity App – Damien Bowden […]