ASP.NET Core 3.1 - FIDO Utilities Project

This article will describe utilities for implementing a successful FIDO project. I will assume you have downloaded the FREE ASP.NET Core 3.1 - FIDO Utilities Project or created a new ASP.NET Core 3.1 Razor Pages project. I won't use Identity or Individual User Accounts. See Tutorial: Get started with Razor Pages in ASP.NET Core.

FIDO Utilities Project and Article Series

The ASP.NET Core 3.1 - FIDO Utilities Project (FUP) is a collection of utilities I use in the ASP.NET Core 5.0 - Users Without Passwords Project (UWPP). I have upgraded the FUP with Bootstrap v5 and Bootstrap Native v4. FUP version 2.1 features SingleUser Authentication, Admin Page with Send Email Tests, ExceptionEmailerMiddleware, Bootstrap v5 Detection JavaScript, Copy and Paste Demo, Offcanvas Partial Demo, and Path QR Code Demo. The SMTP Settings Tester is updated and now located in the authorized Pages > Admin folder. The EmailSender and AES Cipher Demo are also updated. Registered users can download the source code for free on KenHaggerty.Com at Manage > Assets. The UWPP is published at Fido.KenHaggerty.Com.

Update 09/01/2021

I have upgraded the FUP with Bootstrap v5 and Bootstrap Native v4. FUP version 2.1 features SingleUser Authentication, Admin Page with Send Email Tests, ExceptionEmailerMiddleware, Bootstrap v5 Detection JavaScript, Offcanvas Partial Demo, Path QR Code Demo, and Copy and Paste Demo. The SMTP Settings Tester is updated and now located in the authorized Pages > Admin folder. The EmailSender and AES Cipher Demo are also updated.

While testing and debugging the new versions, I found the Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation NuGet package extremely helpful. I have had issues with runtime compilation in the past, but I implemented it in this project with new guidance from MS Docs with no issues. See: Razor file compilation in ASP.NET Core.

I am developing a research project and article series named Users Without Passwords about FIDO (Fast IDentity Online) UAF (Universal Authentication Framework), also known as WebAuthn. The registration and login processes involve communication between the server, client-side JavaScript, authenticator, and user. The server provides a unique code called a challenge to the client. The client transforms the challenge into the Uint8Array expected by the authenticator. The client requests the user's login name. The challenge and username are used to register or verify a public key with the authenticator. The client sends the authenticator's response to the server. The response includes the challenge, which is decoded from the Uint8Array and checked against the server's original code. If the challenge matches, the rest of the response is decoded and verified. If the response is verified, it is stored and the action, such as creating or logging in the user, is performed.

The FIDO processes involve a lot of things that can go wrong, and I would like to know when they do. A notice when something goes right is also nice. By far, my most popular article is ASP.NET Core 2.2 - SMTP EmailSender Implementation. I have added a SendAdminEmail function by adding an AdminEmail setting and injecting IHttpContextAccessor. This gives the service access to the current HttpContext properties such as the UserAgent, anonymized IP, Path and QueryString. See the ASP.NET Core 3.1 - SMTP EmailSender article.

I developed an email settings verifier which lets you test email settings and displays the runtime settings alongside the settings from appsettings.json and appsettings.Development.json.

SMTP Settings Tester UserSecrets.
SMTP Settings Tester Development.

The FIDO processes involve interaction between the client, authenticator, and user without the server. I found that the frequency of JS alerts required better messaging. The most important message is one that informs the user something went wrong and they need to start over. This oops message needs to prevent the user from continuing on the current page and provide a link to the start-over page. My extensive research found that Oops means you made a mistake and realize it now. Opps means you made a mistake and wish to try for the bonus round.

The first oops message in the Users Without Passwords Project was a Bootstrap-jQuery modal with no dismiss button, a link to start over, a 'static' backdrop and keyboard=false. I liked it enough to develop a success message to present before automatically navigating to the goal. I liked that enough to develop a global message modal by adding the HTML for a modal to _Layout.cshtml and a showMessageModal() function to site.js. I liked that enough to develop a message-modal.js which dynamically creates the HTML. Variables reference the created modal components, which allows the message modal to coexist with other modals. It can be loaded in _Layout.cshtml for global access or used locally by loading it from the page. The showMessageModal() function has defaults and parameters. See the ASP.NET Core 3.1 - Message Modal article.

The project includes a Modal Message Generator which dynamically creates the minimal signature for the showMessageModal function with examples.

Message Modal Generator.
Message Modal Generator Mobile.

Most, but not all, browsers support Credentials and PublicKeyCredential, which are required by the FIDO processes. You can detect support for both. I developed a getWebAuthnError() function in site.js which also reports the lack of HTTPS on hosts other than localhost. The function returns an error message or an empty string. If an error is detected, you can disable the buttons for FIDO functions or inform and redirect the user with the message modal.
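The detection described above, as an added example written for this article rather than the project's own site.js: the window-like object is passed in as a parameter so the checks can be exercised outside a browser, and the message strings are my own.

```javascript
// Added example, not the project's getWebAuthnError(). Returns an error message
// when the page cannot run the FIDO processes, or "" when it can.
// `win` stands in for the browser's window object (passed in so it is testable).
function getWebAuthnError(win) {
  const loc = win.location || {};
  const host = loc.hostname || "";
  const isLocalhost = host === "localhost" || host === "127.0.0.1";

  // WebAuthn only works in a secure context. Like the article, treat localhost
  // as the one host that may be served over plain http during development.
  if (loc.protocol !== "https:" && !isLocalhost) {
    return "FIDO requires HTTPS. Please reload this page over a secure (https) URL.";
  }
  // The Credential Management API (navigator.credentials) is required ...
  if (!win.navigator || typeof win.navigator.credentials === "undefined") {
    return "This browser does not support the Credential Management API.";
  }
  // ... and so is the PublicKeyCredential interface that WebAuthn adds to it.
  if (typeof win.PublicKeyCredential === "undefined") {
    return "This browser does not support PublicKeyCredential (WebAuthn).";
  }
  return "";
}

// Helper for callers: true when FIDO buttons can be enabled on this page.
function webAuthnAvailable(win) {
  return getWebAuthnError(win) === "";
}
```

In the browser you would call `getWebAuthnError(window)` on page load and hand a non-empty result to the message modal.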

The server must persist the challenge code between the initial request and the callback. I use the Cookie TempDataProvider in this project for the proof of concept. The UWPP implements the PageModel's ITempDataDictionary. See ASP.NET Core 5.0 - The TempData Challenge.

The challenge must be properly encoded and decoded to survive the round trip from the server to the client-side JavaScript and back. I use a new GUID for the unique code, which needs to be ASCII encoded to work well with JavaScript's btoa (binary to ASCII) and atob (ASCII to binary) functions. See MDN - Base64.

Base64 encoding uses the = character to pad the string to a multiple of four characters. I use the IdentityModel Base64Url encoder to convert the guidArray without padding.

I simulate an authenticator by converting the challenge from the server to a Uint8Array before posting the serialized challenge array to the callback. The callback decodes the posted challenge and compares it to the original code we stored in TempData. See the ASP.NET Core 3.1 - Round Trip Challenge article.

The project includes a Challenge demo which implements the Cookie TempDataProvider and Uint8Array conversion. I added the TempData Demo, which demonstrates the TempData attribute and the ITempDataDictionary implemented in the UWPP.

The TempData Demo.
The Challenge Demo.

The Challenge demo uses cookies, so I implemented a sample Privacy Policy and ASP.NET Core GDPR Consent features in the project.

Sample Privacy Policy and Cookie Banner.
Sample Privacy Policy and Cookie Banner Mobile.

I developed an Ajax Postback Control which updates the heading of a control from a list of controls on a page. It allows users to rename authenticators in the Users Without Passwords Project and I include a demonstration in the FIDO Utilities Project.

Ajax Postback Control Demo.
Ajax Postback Control Demo Mobile.

The project includes a Spinner Generator which uses an SVG image in a partial view to display a waiting or loading state. You can configure the size, speed, and color of the Spinner control.

Spinner Generator.
Spinner Generator Mobile.

With fresh encryption experience, I decided to implement a cipher for database connection strings in appsettings.json. I added an Advanced Encryption Standard (AES) cipher and an encrypted connection string demo to the project.

AES Cipher.
AES Cipher Mobile.

I started my FIDO research over 8 months ago when I purchased a Security Key NFC by Yubico. My laptop has a fingerprint scanner which is supported by Windows 10 Hello. Windows 10 Hello is certified as a FIDO2 authenticator for passwordless sign-in on the web. Windows 10 Hello also supports a PIN and face recognition with a compatible IR camera. See the ASP.NET Core 3.1 - FIDO2 Authenticators article.

The FIDO processes are often complex with a lot of moving parts. I decided to create this project to describe some of the fundamentals for a successful process. I will refer to this series from the Users Without Passwords Project series which can now focus on users and authenticators.

Ken Haggerty
Created 04/23/20
Updated 09/02/21 01:43 GMT
