ASP.NET Core 3.1 - FIDO Utilities Project
Ken Haggerty
Created 04/23/2020 - Updated 05/23/2020 15:10
This article describes utilities that address the challenges of implementing a successful FIDO project. I assume you have created a new ASP.NET Core 3.1 Razor Pages project. I won't use Identity or Individual User Accounts. See Tutorial: Get started with Razor Pages in ASP.NET Core.
I am developing a research project and article series named Users Without Passwords about FIDO (Fast IDentity Online) passwordless authentication, specifically FIDO2 and the browser's WebAuthn API (the older FIDO UAF protocol is a separate specification). The registration and login processes involve communication between the server, the client JavaScript, the authenticator, and the user. The server provides a unique random value called a challenge to the client. The client converts the challenge into the Uint8Array expected by the authenticator. The client requests the user's login name. The challenge and user name are used to register or verify a public key with the authenticator. The client sends the authenticator's response to the server. The response includes the challenge (base64url-encoded inside clientDataJSON), which the server decodes and compares to the original value it stored. If the challenge matches, the rest of the response is decoded and verified (origin, signature and, for registration, attestation). If the response verifies, the credential is stored and the action is carried out, such as creating or logging in the user.
The FIDO processes involve a lot of things that can go wrong, and I would like to know when they do. A notice of something going right is also nice. By far, my most popular article is ASP.NET Core 2.2 - SMTP EmailSender Implementation. I have added a SendAdminEmail function by adding an AdminEmail setting and injecting IHttpContextAccessor. This gives the service access to the current HttpContext properties like the UserAgent, anonymized IP address, Path and QueryString. See the ASP.NET Core 3.1 - SMTP EmailSender article.
I developed an email settings verifier which lets you test the email settings and displays the current settings from appsettings.json and appsettings.Development.json. Because those settings include SMTP credentials, the verifier should mask the password and should not be reachable in production.
The FIDO processes involve interaction between the client, the authenticator and the user without the server. I found that the frequency of JS alerts required better messaging. A message informing the user that something went wrong and they need to start over is the most important. This oops message needs to prevent the user from continuing on the current page and provide a link to the start-over page. My extensive research found that "Oops" means you made a mistake and realize it now, while "Opps" means you made a mistake and wish to try for the bonus round.
The first oops message in the Users Without Passwords Project was a Bootstrap-jQuery modal with no dismiss button, a link to start over, a 'static' backdrop and keyboard=false. I liked it enough to develop a success message to present before automatically navigating to the goal. I liked that enough to develop a global message modal by adding the HTML for a modal to _Layout.cshtml and a showMessageModal() function to site.js. I liked that enough to develop a message-modal.js which dynamically creates the HTML. Variables reference the created modal components, which allows the message modal to coexist with other modals. It can be loaded in _Layout.cshtml for global access or used locally by loading it from the page. The showMessageModal() function has defaults and parameters. See the ASP.NET Core 3.1 - Message Modal article.
The project includes a Modal Message Generator which dynamically creates the minimal signature for the showMessageModal() function, with examples.
Most, but not all, browsers support the Credential Management API (navigator.credentials) and PublicKeyCredential, which the FIDO processes require, and you can detect that support before calling them. WebAuthn also requires a secure context, so I developed a getWebAuthnError() function in site.js which checks for both and also reports the lack of https on hosts other than localhost. The function returns an error message or an empty string. If an error is detected you can disable the buttons for the FIDO functions, or inform and redirect the user with the message modal.
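The detection described above, as an added example that is not the project's site.js. The message strings, the `win` parameter (which lets the function run against a constructed window-like object outside a browser) and the `gateFidoButtons` helper are assumptions made for illustration; the browser APIs it probes (`isSecureContext`, `navigator.credentials`, `PublicKeyCredential`, `isUserVerifyingPlatformAuthenticatorAvailable`) are the real ones.

```javascript
// Added example, not the project's site.js: feature detection before any WebAuthn call.
// `win` defaults to the real window; tests pass a constructed window-like object.
function getWebAuthnError(win = globalThis) {
  const loc = win.location || {};
  const hostname = loc.hostname || '';
  const isLocalhost =
    hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.localhost');

  // Browsers expose isSecureContext; fall back to the scheme/host rule where it is absent.
  const secure = typeof win.isSecureContext === 'boolean'
    ? win.isSecureContext
    : loc.protocol === 'https:' || isLocalhost;
  if (!secure) return 'WebAuthn requires https (or localhost for development).';

  // Credential Management API: both create (registration) and get (login) are needed.
  const creds = win.navigator && win.navigator.credentials;
  if (!creds || typeof creds.create !== 'function' || typeof creds.get !== 'function') {
    return 'This browser does not support the Credential Management API (navigator.credentials).';
  }

  // PublicKeyCredential is the WebAuthn-specific credential type; it is a constructor when present.
  if (typeof win.PublicKeyCredential !== 'function') {
    return 'This browser does not support WebAuthn (PublicKeyCredential).';
  }
  return '';
}

// Apply the result to the page: disable the FIDO buttons and hand the message to a
// callback such as showMessageModal(). Returns the error string ('' when all is well).
function gateFidoButtons(buttons, showError, win = globalThis) {
  const error = getWebAuthnError(win);
  for (const button of buttons) button.disabled = error !== '';
  if (error) showError(error);
  return error;
}

// Optional follow-up check: is a platform authenticator (Windows Hello, Touch ID) available?
// Resolves false when the API is missing instead of throwing.
async function hasPlatformAuthenticator(win = globalThis) {
  const pkc = win.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') return false;
  return pkc.isUserVerifyingPlatformAuthenticatorAvailable();
}
```

In a page you would call `gateFidoButtons(document.querySelectorAll('.fido-button'), showMessageModal)` once the DOM is ready; the check is client-side only, so the server must still reject requests that arrive without a valid WebAuthn response.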
The server must persist the challenge between the initial request and the callback. I use the cookie TempDataProvider in this project for the proof of concept, and the application session state in the Users Without Passwords Project. Whichever store you use, the challenge must be unpredictable, tied to the user's session, consumed on first use and expired after a short time, so a captured response cannot be replayed. See Session and state management in ASP.NET Core.
Standard Base64 encoding uses the = character to pad the output to a multiple of four characters, and its + and / characters are not URL safe. WebAuthn carries the challenge in clientDataJSON as base64url without padding, so I use the IdentityModel Base64Url encoder to convert the guidArray without padding. See GitHub - IdentityModel/src/Base64Url.cs
I simulate an authenticator by converting the challenge from the server to a Uint8Array before posting the serialized challenge array to the callback. The callback decodes the posted challenge and compares it to the original value stored in TempData. See the ASP.NET Core 3.1 - Round Trip Challenge article.
The project includes a Challenge demo which implements the Cookie TempDataProvider and UInt8Array conversion.
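The round trip described above (server encodes a random challenge as base64url without padding, the client decodes it to a Uint8Array and posts the serialized array, the callback re-encodes and compares it to the stored value), as an added example that is not the project's own code. It is written in JavaScript so both sides run in one process: the hand-rolled base64url functions stand in for the IdentityModel Base64Url encoder, a Map with an expiry stands in for TempData, and the key names, byte length and two-minute lifetime are assumptions made for illustration.

```javascript
// Added example, not the project's code: challenge round trip with base64url (no padding).
// Server and client sides are in one file so the exchange can be followed end to end.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Encode bytes as base64url: same 6-bit grouping as Base64, URL-safe alphabet, no '=' padding.
function base64UrlEncode(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const n = (bytes[i] << 16) | ((bytes[i + 1] || 0) << 8) | (bytes[i + 2] || 0);
    const chars = [B64URL[(n >> 18) & 63], B64URL[(n >> 12) & 63], B64URL[(n >> 6) & 63], B64URL[n & 63]];
    const keep = Math.min(4, bytes.length - i + 1); // 1 byte -> 2 chars, 2 -> 3, 3 -> 4
    out += chars.slice(0, keep).join('');
  }
  return out;
}

// Decode base64url to a Uint8Array. Rejects padding, the standard alphabet, impossible
// lengths and non-canonical trailing bits, so a padded Base64 string from the server fails loudly.
function base64UrlDecode(str) {
  if (!/^[A-Za-z0-9_-]*$/.test(str) || str.length % 4 === 1) {
    throw new Error('invalid base64url input');
  }
  const out = new Uint8Array(Math.floor((str.length * 6) / 8));
  let buf = 0, bits = 0, pos = 0;
  for (const ch of str) {
    buf = (buf << 6) | B64URL.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out[pos++] = (buf >> bits) & 0xff;
      buf &= (1 << bits) - 1;
    }
  }
  if (buf !== 0) throw new Error('non-canonical base64url input');
  return out;
}

// Cryptographically random bytes: Web Crypto in browsers and recent Node, node:crypto otherwise.
function randomBytes(n) {
  const wc = globalThis.crypto;
  if (wc && typeof wc.getRandomValues === 'function') return wc.getRandomValues(new Uint8Array(n));
  return new Uint8Array(require('crypto').randomBytes(n));
}

// --- Server side ---
const tempData = new Map(); // stands in for TempData / session state (assumption)
const CHALLENGE_TTL_MS = 2 * 60 * 1000; // assumed lifetime

// Issue a challenge for the given session/TempData key and return the base64url string
// that goes to the client. `bytes` is overridable so the value can be fixed in tests.
function issueChallenge(key, bytes = randomBytes(16), now = Date.now()) {
  const challenge = base64UrlEncode(bytes);
  tempData.set(key, { challenge, expires: now + CHALLENGE_TTL_MS });
  return challenge;
}

// --- Client side ---
// Decode to the Uint8Array the authenticator expects; the demo posts it back as a plain array.
function clientPrepare(challenge) {
  const u8 = base64UrlDecode(challenge);
  return Array.from(u8); // JSON-serializable form for the POST
}

// --- Server callback ---
function timingSafeEqualStr(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Validate the posted array, re-encode it and compare with the stored value.
// The stored challenge is removed whatever the outcome, so it can be used only once.
function verifyChallenge(key, posted, now = Date.now()) {
  const stored = tempData.get(key);
  tempData.delete(key);
  if (!stored || stored.expires < now) return false;
  if (!Array.isArray(posted) || posted.length === 0 ||
      !posted.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) return false;
  return timingSafeEqualStr(base64UrlEncode(Uint8Array.from(posted)), stored.challenge);
}

// Walk through one exchange with a fixed challenge so the output is reproducible.
const demoBytes = Uint8Array.from([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]);
const issued = issueChallenge('demo', demoBytes);
console.log('to client  :', issued);                // AQIDBAUGBwgJCgsMDQ4PEA
console.log('posted back:', JSON.stringify(clientPrepare(issued)));
console.log('verified   :', verifyChallenge('demo', clientPrepare(issued)));
```

The same 16 bytes encoded as standard Base64 would be `AQIDBAUGBwgJCgsMDQ4PEA==`; `base64UrlDecode` rejects that string rather than silently accepting it, which is the mismatch the project's Base64Url encoder exists to avoid.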
I developed an Ajax Postback Control which updates the heading of one control in a list of controls on a page. It allows users to rename authenticators in the Users Without Passwords Project, and I include a demonstration in the FIDO Utilities Project.
The project also includes a Spinner Generator which uses an SVG image in a partial view to display a waiting or loading state. You can configure the size, speed and color of the Spinner control.
I started my FIDO research over 8 months ago when I purchased a Security Key NFC by Yubico. My laptop has a fingerprint scanner which is supported by Windows Hello on Windows 10. Windows Hello is certified as a FIDO2 authenticator for passwordless sign-in on the web. Windows Hello also supports a PIN and face recognition with a compatible IR camera. See the ASP.NET Core 3.1 - FIDO2 Authenticators article.
The FIDO processes are very complex, with a lot of moving parts. I created this project to describe some of the fundamentals of a successful process. I will refer to this series from the Users Without Passwords Project series, which can now focus on users and authenticators.
I updated the article links and added screenshots of the project utilities.
I updated the article links and added mobile screenshot.
I added the AES Cipher article link and updated screenshots.