aseigler
commented
3 years ago Did you see the demo site? It's the code behind https://passwordless.dev. Or maybe I am misunderstanding the question.
Open Trolldemorted opened 3 years ago
aseigler
commented
3 years ago Did you see the demo site? It's the code behind https://passwordless.dev. Or maybe I am misunderstanding the question.
Trolldemorted
commented
3 years ago I think you are - I require a dotnet api which implements a FIDO2 authenticator (the client's side of things), and can easily be combined with dotnet's HttpClient. Testing non-passwordless web apis with simulated user agents are straightforward (POST to the login endpoint with the correct credentials, extract cookie/token), but with FIDO2's cryptographic handshake it is not.
https://passwordless.dev is a nice demo for a server project, but I didn't find any tests that covered the entire registration->login->logout workflow with a "real" webauthn client.
abergs
commented
3 years ago Depending on how you define "real" that would be difficult, since a "real" Authenticator needs to verify User Presence etc.
Our unit test does test assertion with pre-determined payloads, you could have a look on those and see if it would be suitable.
I haven't seen a .net software Authenticator, but then I haven't really looked.
I am considering using webauthn/fido2-net-lib for a project, but I couldn't find documentation that covers whether I can fully test the registration/login flow with a real user agent. Can I do that more or less easily, preferably with a normal dotnet HttpClient?