https://github.com/bigbuildbench/passwordless-lib_fido2-net-lib

https://github.com/bigbuildbench/passwordless-lib_fido2-net-lib

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (12.9%) to scientific vocabulary
Last synced: 10 months ago · JSON representation

Repository

Basic Info
  • Host: GitHub
  • Owner: BigBuildBench
  • License: mit
  • Language: C#
  • Default Branch: master
  • Size: 4.15 MB
Statistics
  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created over 1 year ago · Last pushed over 1 year ago
Metadata Files
Readme Changelog Contributing Funding License

README.md

FIDO2 .NET Library (WebAuthn)

A working implementation library + demo for FIDO2 and WebAuthn using .NET
Build Status codecov Financial Contributors on Open Collective NuGet Status Releases & Change log

💡 Passwordless API now available!

The quickest way to get started with FIDO2 and WebAuthn is with the Passwordless API. It free to try and get started with before commiting to implement your own server with this library.

Blog: How to get started

Purpose

Our purpose is to enable passwordless sign in for all .NET apps (asp, core, native).

To provide a developer friendly and well tested .NET FIDO2 Server / WebAuthn relying party library for the easy validation of registration (attestation) and authentication (assertion) of FIDO2 / WebAuthn credentials, in order to increase the adoption of the technology, ultimately defeating phishing attacks.

This project is part of the .NET foundation

Install-Package Fido2

To use the asp.net helpers, install the asp.net-package.

Install-Package Fido2.AspNet

Demo

  • Online examples: https://www.passwordless.dev
  • Library website: https://fido2-net-lib.passwordless.dev
  • Code examples

What is FIDO2?

The passwordless web is coming.
FIDO2 / WebAuthn is a new open authentication standard, supported by browsers and many large tech companies such as Microsoft, Google etc. The main driver is to allow a user to login without passwords, creating passwordless flows or strong MFA for user signup/login on websites. The standard is not limited to web applications with support coming to Active Directory and native apps. The technology builds on public/private keys, allowing authentication to happen without sharing a secret between the user & platform. This brings many benefits, such as easier and safer logins and makes phishing attempts extremely hard.

Read more: - Why it's exciting - Medium - FIDO Alliance - Yubico - WebAuthn.Guide from Duo Security - WebAuthn.io - WebAuthn Awesome

Supported features

  • ✅ Attestation API & verification (Register and verify credentials/authenticators)
  • ✅ Assertion API & verification (Authenticate users)
  • ✅ 100% pass rate in conformance testing (results)
  • ✅ FIDO2 security keys aka roaming authenticators (spec), like SoloKeys Solo, Yubico YubiKey, and Feitian BioPass FIDO2)
  • ✅ Device embedded authenticators aka platform authenticators (spec), like Android Key and TPM)
  • ✅ Backwards compatibility with FIDO U2F authenticators (spec)
  • Windows Hello
  • Face ID and Touch ID for the Web (aka "Apple Hello")
  • ✅ All currently referenced cryptographic algorithms for FIDO2 Server (spec)
  • ✅ All current attestation formats: "packed", "tpm", "android-key", "android-safetynet", "fido-u2f", "apple", "apple-appattest", and "none" (spec)
  • ✅ FIDO2 Server attestation validation via FIDO Metadata Service V3 (spec)
  • ✅ WebAuthn extensions (spec)
  • ✅ Examples & demos
  • ✅ Intellisense documentation
  • 💤 Formal documentation
  • 💤 Recommended usage patterns

Configuration

Only some options are mentioned here, see the Configuration class for all options

  • fido2:MDSCacheDirPath - App Secret / environment variable that sets the cache path for the MDS. Defaults to "current user's temporary folder"/fido2mdscache. Optional when using the default MetadataService provider.

Examples

See the demo controller for full examples of both attestation and assertion.

See the test controller for examples of how to pass the conformance tests.

See the Active Directory Store information and example credential store for ideas on how to integrate this library with an on-premises Active Directory.

Create attestation Options

To add FIDO2 credentials to an existing user account, we we perform a attestation process. It starts with returning options to the client.

```csharp // file: Controller.cs // 1. Get user from DB by username (in our example, auto create missing users) var user = DemoStorage.GetOrAddUser(username, () => new User { DisplayName = "Display " + username, Name = username, Id = Encoding.UTF8.GetBytes(username) // byte representation of userID is required });

// 2. Get user existing keys by username List existingKeys = DemoStorage.GetCredentialsByUser(user).Select(c => c.Descriptor).ToList();

// 3. Create options var options = _lib.RequestNewCredential(user, existingKeys, AuthenticatorSelection.Default, AttestationConveyancePreference.Parse(attType));

// 4. Temporarily store options, session/in-memory cache/redis/db HttpContext.Session.SetString("fido2.attestationOptions", options.ToJson());

// 5. return options to client return Json(options); ```

Register credentials

When the client returns a response, we verify and register the credentials.

```csharp // file: Controller.cs // 1. get the options we sent the client and remove it from storage var jsonOptions = HttpContext.Session.GetString("fido2.attestationOptions"); HttpContext.Session.Remove("fido2.attestationOptions"); var options = CredentialCreateOptions.FromJson(jsonOptions);

// 2. Create callback so that lib can verify credential id is unique to this user IsCredentialIdUniqueToUserAsyncDelegate callback = async (IsCredentialIdUniqueToUserParams args) => { List users = await DemoStorage.GetUsersByCredentialIdAsync(args.CredentialId); if (users.Count > 0) return false;

return true;

};

// 2. Verify and make the credentials var success = await _lib.MakeNewCredentialAsync(attestationResponse, options, callback);

// 3. Store the credentials in db DemoStorage.AddCredentialToUser(options.User, new StoredCredential { Descriptor = new PublicKeyCredentialDescriptor(success.Result.CredentialId), PublicKey = success.Result.PublicKey, UserHandle = success.Result.User.Id });

// 4. return "ok" to the client return Json(success); ```

Create Assertion options

When a user wants to log a user in, we do an assertion based on the registered credentials.

First we create the assertion options and return to the client.

```csharp // file: Controller.cs // 1. Get user from DB var user = DemoStorage.GetUser(username); if (user == null) return NotFound("username was not registered");

// 2. Get registered credentials from database List existingCredentials = DemoStorage.GetCredentialsByUser(user).Select(c => c.Descriptor).ToList();

// 3. Create options var options = _lib.GetAssertionOptions( existingCredentials, UserVerificationRequirement.Discouraged );

// 4. Temporarily store options, session/in-memory cache/redis/db HttpContext.Session.SetString("fido2.assertionOptions", options.ToJson());

// 5. Return options to client return Json(options); ```

Verify the assertion response

When the client returns a response, we verify it and accepts the login.

```csharp // 1. Get the assertion options we sent the client and remove from storage var jsonOptions = HttpContext.Session.GetString("fido2.assertionOptions"); HttpContext.Session.Remove("fido2.assertionOptions"); var options = AssertionOptions.FromJson(jsonOptions);

// 2. Get registered credential from database StoredCredential creds = DemoStorage.GetCredentialById(clientResponse.Id);

// 3. Get credential counter from database var storedCounter = creds.SignatureCounter;

// 4. Create callback to check if userhandle owns the credentialId IsUserHandleOwnerOfCredentialIdAsync callback = async (args) => { List storedCreds = await DemoStorage.GetCredentialsByUserHandleAsync(args.UserHandle); return storedCreds.Exists(c => c.Descriptor.Id.SequenceEqual(args.CredentialId)); };

// 5. Make the assertion var res = await _lib.MakeAssertionAsync(clientResponse, options, creds.PublicKey, storedCounter, callback);

// 6. Store the updated counter DemoStorage.UpdateCounter(res.CredentialId, res.Counter);

// 7. return OK to client return Json(res); ```

Nuget package

https://www.nuget.org/packages/Fido2/ and https://www.nuget.org/packages/Fido2.Models/

Contributing

See Contributing for information about contributing to the project.

This project has adopted the code of conduct defined by the Contributor Covenant to clarify expected behavior in our community. For more information see the .NET Foundation Code of Conduct.

For security and penetration testing, please see our Vulnerability Disclosure Program

Contributors

Code Contributors

This project exists thanks to all the people who contribute. [Contribute].

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]

Individuals

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

.NET Foundation

This project is supported by the .NET Foundation.

Owner

  • Name: BigBuildBench
  • Login: BigBuildBench
  • Kind: organization

abbr. B3, benchmarking the repo-level understanding capability of your LLMs by reconstructing project build-file.

GitHub Events

Total
  • Create event: 4
Last Year
  • Create event: 4

Dependencies

.github/workflows/main.yml actions
  • actions/checkout ac593985615ec2ede58e132d2e21d2b1cbd6127c composite
  • actions/download-artifact 9bc31d5ccc31df68ecc42ccf4149144866c47d8a composite
  • actions/setup-dotnet 607fce577a46308457984d59e4954e075820f10a composite
  • actions/upload-artifact a8a3f3ad30e3422c9c7b888a15615d19a852ae32 composite
.github/workflows/release-drafter.yml actions
  • release-drafter/release-drafter v5 composite
BlazorWasmDemo/Server/Dockerfile docker
  • base latest build
  • build latest build
  • mcr.microsoft.com/dotnet/aspnet 6.0 build
  • mcr.microsoft.com/dotnet/sdk 6.0 build
BlazorWasmDemo/Client/BlazorWasmDemo.Client.csproj nuget
BlazorWasmDemo/Server/BlazorWasmDemo.Server.csproj nuget
Demo/Demo.csproj nuget
Src/Fido2/Fido2.csproj nuget
Src/Fido2.AspNet/Fido2.AspNet.csproj nuget
Src/Fido2.BlazorWebAssembly/Fido2.BlazorWebAssembly.csproj nuget
Src/Fido2.Ctap2/Fido2.Ctap2.csproj nuget
Src/Fido2.Development/Fido2.Development.csproj nuget
Src/Fido2.Models/Fido2.Models.csproj nuget
Test/Test.csproj nuget
Tests/Fido2.Ctap2.Tests/Fido2.Ctap2.Tests.csproj nuget