ASP.NET Core 3.1 - FIDO Utilities Project

Ken Haggerty
Created 04/23/2020 - Updated 06/09/2020 21:40

This article will describe utilities for challenges of implementing a successful FIDO project. I will assume you have created a new ASP.NET Core 3.1 Razor Pages project. I won't use Identity or Individual User Accounts. See Tutorial: Get started with Razor Pages in ASP.NET Core.

FIDO Utilities Project and Article Series

The project implements Bootstrap Native v3 with a jQuery option. The Message Modal requires jQuery or Bootstrap Native.

Access to the research project source code may be purchased on KenHaggerty.Com at Manage > Assets.

I will publish the FIDO Utilities Project at until I publish the Users Without Passwords Project.

I enjoy writing these articles. It often enhances and clarifies my coding. The research project is a result of a lot of refactoring and hopefully provides logical segues for the articles. Thank you for supporting my efforts.

Update 06/09/2020

I updated the free FIDO Utilities Project to support Bootstrap Native v3. See: Native JavaScript for Bootstrap. I had developed message-modal.js with a dependency on jQuery or Bootstrap Native v2. Bootstrap Native v3.0.0 was released about 10 days ago and v3.0.5 about 5 days ago. See: GitHub: thednp/bootstrap.native/releases. The FIDO Utilities Project v1.0.5 implements Bootstrap Native v3.0.5 with a jQuery option. The _Layout.cshtml is updated with Bootstrap, Bootstrap Native and jQuery CDN links with integrity metadata. I implemented libman.json to ease the task of updating client-side libraries. See: ASP.NET Core 2.2 - Manage Client-Side Libraries. I updated message-modal.js to v1.0.2 with support for Bootstrap Native v3.

While testing and debugging the new versions, I found the Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation NuGet package extremely helpful. I have had issues with runtime compilation in the past, but I implemented it in this project with new guidance from MS Docs with no issues. See: Razor file compilation in ASP.NET Core.

I am developing a research project and article series named Users Without Passwords about FIDO (Fast IDentification Online) UAF (Universal Authentication Framework), also known as WebAuthn. The registration and login processes involve communication between the server, client-js, authenticator, and user. The server provides a unique code called a challenge to the client. The client transforms the challenge to the Uint8Array expected by the authenticator. The client requests the user's login name. The challenge and username are used to register or verify a public key with the authenticator. The client sends the response from the authenticator to the server. The response includes the challenge, which is decoded from the Uint8Array to verify that it matches the server's original code. If the challenge is verified, the response is decoded and verified. If the response is verified, it is stored, and an action such as creating or logging in the user is performed.

The FIDO processes involve a lot of things that can go wrong and I would like to know when it does. A notice of something going right is also nice. By far, my most popular article is ASP.NET Core 2.2 - SMTP EmailSender Implementation. I have added a SendAdminEmail function by adding an AdminEmail setting and injecting IHttpContextAccessor. This allows access to the current HttpContext properties like UserAgent, Anonymized IP, Path and QueryString inside the service. See the ASP.NET Core 3.1 - SMTP EmailSender article.

I developed an email settings verifier which allows you to test email settings and displays the current settings from appsettings.json and appsettings.Development.json.

Email Settings Verifier

The FIDO processes involve interaction between the client, authenticator, and user without the server. I found the frequency of JS alerts required better messaging. A message to inform the user something went wrong, and they need to start over is the most important. This oops message needs to prevent the user from continuing on the current page and provide a link to the start over page. My extensive research found Oops means you made a mistake and realize it now. Opps means you made a mistake and wish to try for the bonus round.

The first oops message in the Users Without Passwords Project was a Bootstrap-jQuery modal with no dismiss button, a link to start over, a 'static' backdrop and keyboard=false. I liked it enough to develop a success message to present before automatically navigating to the goal. I liked that enough to develop a global message modal by adding the html for a modal to _Layout.cshtml and a showMessageModal() function to site.js. I liked that enough to develop a message-modal.js which dynamically creates the html. Variables reference the created modal components, which allows the message modal to coexist with other modals. It can be loaded in _Layout.cshtml for global access or used locally by loading from the page. The showMessageModal() function has defaults and parameters. See the ASP.NET Core 3.1 - Message Modal article.

The project includes a Modal Message Generator which dynamically creates the minimal signature for the showMessageModal function with examples.

Modal Message Generator

Most but not all browsers support Credentials and PublicKeyCredential which are required by FIDO processes. You can detect support for Credentials and PublicKeyCredential. I developed a getWebAuthnError() function in site.js which also notifies the lack of https on hosts other than localhost. This function returns an error or empty string. If an error is detected, you can disable buttons for FIDO functions or inform and redirect the user with the message modal.
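An added example of the kind of check described above (my own code, not the project's site.js): it takes the window-like object as a parameter so the checks can be exercised outside a browser; in a page you would call getWebAuthnError(window).

```javascript
// Added example, not the project's code. Returns an error message or ''
// so the caller can disable FIDO buttons or show the message modal.
function getWebAuthnError(win) {
  const nav = win.navigator || {};
  const loc = win.location || {};
  // Credential Management API: navigator.credentials must exist.
  if (!nav.credentials || typeof nav.credentials.get !== 'function') {
    return 'This browser does not support the Credential Management API.';
  }
  // WebAuthn: the PublicKeyCredential interface must exist.
  if (typeof win.PublicKeyCredential === 'undefined') {
    return 'This browser does not support PublicKeyCredential (WebAuthn).';
  }
  // WebAuthn only works in a secure context; browsers treat localhost as
  // secure, every other host needs https.
  const host = (loc.hostname || '').toLowerCase();
  const isLocalhost = host === 'localhost' || host === '127.0.0.1' ||
    host.endsWith('.localhost');
  if (loc.protocol !== 'https:' && !isLocalhost) {
    return 'WebAuthn requires https on hosts other than localhost.';
  }
  return '';
}

// Typical use: only enable the FIDO buttons when no error is reported.
function fidoButtonsEnabled(win) {
  return getWebAuthnError(win) === '';
}

// Constructed stand-ins for window (not real browsers) used to exercise the check.
const okWindow = {
  location: { protocol: 'https:', hostname: 'example.test' },
  navigator: { credentials: { get() {}, create() {} } },
  PublicKeyCredential: function () {}
};
const httpWindow = { ...okWindow, location: { protocol: 'http:', hostname: 'example.test' } };
const localWindow = { ...okWindow, location: { protocol: 'http:', hostname: 'localhost' } };
const oldWindow = { location: okWindow.location, navigator: {} };
```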

The server must persist the challenge code between the initial request and the callback. I use the Cookie TempDataProvider in this project for the proof of concept. I am using the Application Session State in the Users Without Passwords Project. See Session and state management in ASP.NET Core.

The challenge must be properly encoded and decoded to survive the round trip from the server to the client-js and back. I use a new GUID for the unique code, which needs to be ASCII encoded to work well with JavaScript's btoa (binary to ASCII) and atob (ASCII to binary) functions. See MDN - Base64.

Base64 encoding uses the = char to pad the string to a multiple of four. I use the IdentityModel Base64Url encoder to convert the guidArray without padding. See GitHub - IdentityModel/src/Base64Url.cs.

I simulate an authenticator by converting the challenge from the server to a Uint8Array before posting the serialized challenge array to the callback. The callback decodes the posted challenge and compares it to the original code we stored in TempData. See the ASP.NET Core 3.1 - Round Trip Challenge article.
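The whole round trip described above, as an added JavaScript simulation (my own code, not the project's): it assumes the server's guidArray is the ASCII bytes of the GUID string, that Base64Url means base64 with '-' and '_' and no '=' padding, and that the client posts the challenge as a JSON array of byte values; it needs btoa/atob (browsers, Node 16+).

```javascript
// Added example, not the project's code. Assumptions are stated in the lead-in.

// Server side: encode the stored GUID so it survives the trip to client-js.
function encodeChallenge(guid) {
  return btoa(guid)                  // ASCII -> standard base64
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');             // drop padding (Base64Url style)
}

// Client side: turn the Base64Url challenge into the Uint8Array an
// authenticator expects as the challenge.
function challengeToUint8Array(b64url) {
  let b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);   // restore padding for atob
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

// Client side: serialize the bytes for the callback post (a Uint8Array does
// not JSON.stringify to a plain array on its own).
function serializeChallenge(bytes) {
  return JSON.stringify(Array.from(bytes));
}

// Server side (callback): decode the posted array and compare it with the
// code kept in TempData. Malformed input is rejected rather than thrown.
function verifyPostedChallenge(postedJson, storedGuid) {
  let arr;
  try { arr = JSON.parse(postedJson); } catch (e) { return false; }
  if (!Array.isArray(arr) || arr.length !== storedGuid.length) return false;
  if (!arr.every(b => Number.isInteger(b) && b >= 0 && b <= 255)) return false;
  const decoded = String.fromCharCode(...arr);
  return decoded === storedGuid;
}

// The whole trip for one code (a real server would use Guid.NewGuid()).
function roundTrip(guid) {
  const sent = encodeChallenge(guid);                  // server -> client
  const forAuthenticator = challengeToUint8Array(sent); // client -> authenticator
  const posted = serializeChallenge(forAuthenticator);  // client -> callback
  return verifyPostedChallenge(posted, guid);           // callback vs TempData
}
```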

The project includes a Challenge demo which implements the Cookie TempDataProvider and Uint8Array conversion.

Challenge Demo

The Challenge demo uses cookies, so I implemented ASP.NET Core GDPR Consent features in the project.

Cookie Consent Banner
Cookie Consent Banner Mobile

I developed an Ajax Postback Control which updates the heading of a control from a list of controls on a page. It allows users to rename authenticators in the Users Without Passwords Project and I include a demonstration in the FIDO Utilities Project.

Ajax Postback Control

The project includes a Spinner Generator which uses an SVG image in a partial view to display a waiting or loading state. You can configure the size, speed, and color of the Spinner control.

Spinner Generator

With fresh encryption experience I decided to implement a cipher for database connection strings in appsettings.json. The result is an Advanced Encryption Standard (AES) cipher which I added to the project.

AES Cipher

I started my FIDO research over 8 months ago when I purchased a Security Key NFC by Yubico. My laptop has a fingerprint scanner which is supported by Windows 10 Hello. Windows 10 Hello is certified as a FIDO2 authenticator for passwordless sign-in on the web. Windows 10 Hello also supports a PIN and face recognition with a compatible IR camera. See the ASP.NET Core 3.1 - FIDO2 Authenticators article.

The FIDO processes are often complex with a lot of moving parts. I decided to create this project to describe some of the fundamentals for a successful process. I will refer to this series from the Users Without Passwords Project series which can now focus on users and authenticators.

Update 05/08/2020

I updated the article links and added screenshots of the project utilities.

Update 05/10/2020

I updated the article links and added mobile screenshot.

Update 05/21/2020

I added the AES Cipher article link and screenshot and updated screenshots.

Update 06/09/2020

I updated the article to announce support for Bootstrap Native v3.
