
VasuInukollu/fido2

Overview

This repository provides a server-side implementation of the FIDO2 protocol, enabling secure passwordless authentication and multi-factor authentication (MFA) for web applications. It handles key FIDO2 operations, including credential registration and authentication, ensuring compliance with modern authentication standards.

Supported Features

  • Attestation flow for credential registration
  • Assertion flow for credential verification
  • Supported attestation statement formats:
    • Packed
    • TPM
    • Android Key
    • Android SafetyNet
    • FIDO U2F
    • None
    • Apple Anonymous
  • Built-in storage providers:
    • Microsoft SQL Server
    • In-memory storage
  • FIDO metadata service

Usage

The following examples demonstrate how to implement FIDO2 authentication in your application.

Server-side (ASP.NET Core Controllers)

The sample C# code below is designed for ASP.NET Core controllers.

Attestation (registration)

  1. Get creation options.
[HttpPost("options")]
public async Task<IActionResult> Options(ServerPublicKeyCredentialCreationOptionsRequest request)
{
    var creationOptions = await _attestation.GetOptions(request.Map());
    var response = creationOptions.Map();
    // Keep the issued options in the server-side session so the "result" call is completed against them.
    HttpContext.Session.SetString("CreationOptions", JsonSerializer.Serialize(creationOptions));
    return Ok(response);
}
  2. Create credential.
[HttpPost("result")]
public async Task<IActionResult> Result(ServerPublicKeyCredentialAttestation request)
{
    // Load the options that the "options" call stored for this session.
    var creationOptionsString = HttpContext.Session.GetString("CreationOptions");
    var creationOptions = JsonSerializer.Deserialize<PublicKeyCredentialCreationOptions>(creationOptionsString!);
    // Complete the attestation using the client's response and the stored options.
    await _attestation.Complete(request.Map(), creationOptions!);
    return Ok(ServerResponse.Create());
}

Assertion (authentication)

  1. Get request options.
[HttpPost("options")]
public async Task<IActionResult> Options(ServerPublicKeyCredentialGetOptionsRequest request)
{
    var requestOptions = await _assertion.RequestOptions(request.Map());
    var response = requestOptions.Map();
    // Keep the issued options in the server-side session so the "result" call is completed against them.
    HttpContext.Session.SetString("RequestOptions", JsonSerializer.Serialize(requestOptions));
    return Ok(response);
}
  2. Validate credential.
[HttpPost("result")]
public async Task<IActionResult> Result(ServerPublicKeyCredentialAssertion request)
{
    // Load the options that the "options" call stored for this session.
    var requestOptionsString = HttpContext.Session.GetString("RequestOptions");
    var requestOptions = JsonSerializer.Deserialize<PublicKeyCredentialRequestOptions>(requestOptionsString!);
    // Complete the assertion using the client's response and the stored options.
    await _assertion.Complete(request.Map(), requestOptions!);
    return Ok(ServerResponse.Create());
}

Client-side (JavaScript)

To complete the FIDO2 implementation, you need to add JavaScript code that communicates with the Web Authentication API (WebAuthn) in the browser. The WebAuthn API is part of the FIDO2 specification and provides the client-side functionality for secure authentication. Sample implementations for communicating with WebAuthn are listed below:

  • fido2-attestation.js - Handles the registration process using the Web Authentication API (navigator.credentials.create)
  • fido2-assertion.js - Handles the authentication process using the Web Authentication API (navigator.credentials.get)

This JavaScript code bridges the browser's WebAuthn API with the server-side REST API endpoints provided by the ASP.NET Core controllers described above.
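
The registration half of that bridge, as an added example (it is not the repository's fido2-attestation.js): it converts the server's JSON options into the binary form navigator.credentials.create expects and serializes the resulting credential for the "result" endpoint. The "/attestation" route prefix, the username/displayName request fields and the base64url encoding of binary fields are assumptions, not taken from this page.

```javascript
// Added example, not the repository's fido2-attestation.js. ASSUMED: the "/attestation"
// route prefix, username/displayName request fields, base64url for binary JSON fields.
const b64urlToBytes = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};
const bytesToB64url = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Server JSON -> the publicKey argument of navigator.credentials.create.
function decodeCreationOptions(json) {
  return {
    ...json,
    challenge: b64urlToBytes(json.challenge),
    user: { ...json.user, id: b64urlToBytes(json.user.id) },
    excludeCredentials: (json.excludeCredentials ?? [])
      .map((c) => ({ ...c, id: b64urlToBytes(c.id) })),
  };
}

// PublicKeyCredential -> JSON body for the "result" endpoint.
function encodeAttestation(cred) {
  return {
    id: cred.id,
    rawId: bytesToB64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bytesToB64url(cred.response.clientDataJSON),
      attestationObject: bytesToB64url(cred.response.attestationObject),
    },
  };
}

async function postJson(url, body) {
  const res = await fetch(url, {
    method: "POST",
    credentials: "same-origin", // session cookie ties "result" to "options"
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${url} failed with HTTP ${res.status}`);
  return res.json();
}

async function register(username, displayName, base = "/attestation") {
  const options = await postJson(`${base}/options`, { username, displayName });
  const publicKey = decodeCreationOptions(options);
  const cred = await navigator.credentials.create({ publicKey });
  return postJson(`${base}/result`, encodeAttestation(cred));
}
```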

Packages

  • Shark.Fido2.Core (NuGet)
  • Shark.Fido2.InMemory (NuGet)
  • Shark.Fido2.Models (NuGet)
  • Shark.Fido2.SqlServer (NuGet)

FIDO Conformance Tests

All test cases successfully passed using the FIDO Conformance Tool.

About

Shark WebAuthn library for .NET