dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Q: Is WebAuthn planned to be implemented by aspnet.security? #4657

Open Guymestef opened 6 years ago

Guymestef commented 6 years ago

Hello,

The API should be available in the Chrome and Firefox May releases. Starting to look at it and be ready for it could be a good idea?

webauthn specs

kevinchalet commented 6 years ago

FIDO2/WebAuthn is definitely the future and I'd personally love to see it adopted everywhere.

That said, it essentially dictates how things happen client-side, not server-side. The specification doesn't say how you're supposed to retrieve the challenge from the server or how you send the public key when creating an account or adding a new key to an existing account: all this stuff is necessarily implementation-specific (which gives you total flexibility).

As such, I'm not sure aspnet/Security will ever have anything related to FIDO, just like there's nothing for "password authentication" in this repo (on the other hand, membership frameworks like ASP.NET Core Identity will have to offer ways to store the public keys in the DB).

Guymestef commented 6 years ago

About validating the client/user signature, I thought it would be considered as an external authentication provider. But you are probably right about adding this as a whole feature into Identity.

Eilon commented 6 years ago

Should we close the issue here then? A new Identity issue was just logged at https://github.com/aspnet/Identity/issues/1747.

blowdart commented 6 years ago

I think it belongs in both, because it's not just an identity issue.

tstojecki commented 5 years ago

I agree with @blowdart. Aspnet Identity could store and retrieve credentials but it seems that something like an authorization handler (or maybe a middleware?) to handle the challenge, registration and authentication requests, etc... would be helpful. The login pages in aspnet templates would also have to be updated to accommodate this option for registering/logging-in. This might be what @Guymestef was referring to in the comment about external providers.

Adding a link to the diagram and the code references below as it might be helpful for this discussion: https://developers.yubico.com/FIDO2/Libraries/Using_a_library.html
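An added example (not code from this thread, ASP.NET Core, or Identity) of the server-side pieces that kevinchalet calls implementation-specific and that tstojecki suggests a handler or middleware could own: issuing a per-ceremony challenge and checking the `clientDataJSON` the browser returns. `ChallengeStore`, the session-id key and the 5-minute lifetime are hypothetical; it assumes .NET 6 or later and covers only the challenge, type and origin checks, not authenticator data or signature verification.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text.Json;

// Hypothetical helper, in-memory only for illustration (not a framework API).
public sealed class ChallengeStore
{
    private readonly ConcurrentDictionary<string, (byte[] Value, DateTimeOffset Expires)> _pending = new();
    private readonly string _expectedOrigin;

    public ChallengeStore(string expectedOrigin) => _expectedOrigin = expectedOrigin;

    // The spec leaves this to the server: one fresh random challenge per ceremony.
    public string Issue(string sessionId)
    {
        byte[] challenge = RandomNumberGenerator.GetBytes(32);
        _pending[sessionId] = (challenge, DateTimeOffset.UtcNow.AddMinutes(5));
        return ToBase64Url(challenge);
    }

    // expectedType is "webauthn.create" (registration) or "webauthn.get" (login).
    public bool VerifyClientData(string sessionId, byte[] clientDataJson, string expectedType)
    {
        // TryRemove makes the challenge single-use, so a captured response cannot be replayed.
        if (!_pending.TryRemove(sessionId, out var entry) || entry.Expires < DateTimeOffset.UtcNow)
            return false;
        try
        {
            using JsonDocument doc = JsonDocument.Parse(clientDataJson);
            JsonElement root = doc.RootElement;
            if (!root.TryGetProperty("type", out var type) || type.GetString() != expectedType) return false;
            if (!root.TryGetProperty("origin", out var origin) || origin.GetString() != _expectedOrigin) return false;
            if (!root.TryGetProperty("challenge", out var ch)) return false;
            return CryptographicOperations.FixedTimeEquals(FromBase64Url(ch.GetString() ?? ""), entry.Value);
        }
        catch (Exception e) when (e is JsonException or FormatException or InvalidOperationException) { return false; }
    }

    private static string ToBase64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }
}
```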

wsy commented 2 years ago

It has been many years since this issue was created. FIDO2 is now trending.

So, I think it's time to move this issue out of Backlog and start to plan something about it.

Bartmax commented 1 year ago

What's the status on this?