Support for additional extensions #190
Comments
Adding this type of stuff has long been on my list of things to do. Check https://webauthntest.azurewebsites.net and the code behind it, https://github.com/microsoft/webauthntest. Those particular extensions are very different from the small handful of extensions that are actually functional today in this library.
In the meantime, I have implemented those extensions by deriving from Fido2.Model classes in my project. Feel free to integrate it into the base classes, after some code review:

```csharp
using System.Runtime.Serialization;
using Newtonsoft.Json;
using Newtonsoft.Json.Converters;

/// <summary>
/// Defines the credential protection policy.
/// </summary>
[JsonConverter(typeof(StringEnumConverter))]
public enum UserVerification
{
    /// <summary>
    /// This reflects "FIDO_2_0" semantics. In this configuration, user verification is optional with or without credentialID list. This is the default state of the credential if the extension is not specified and the authenticator does not report a defaultCredProtect value in the authenticatorGetInfo response.
    /// </summary>
    [EnumMember(Value = "userVerificationOptional")]
    Optional,

    /// <summary>
    /// In this configuration, credential is discovered only when its credentialID is provided by the platform or when user verification is performed.
    /// </summary>
    [EnumMember(Value = "userVerificationOptionalWithCredentialIDList")]
    OptionalWithCredentialIDList,

    /// <summary>
    /// This reflects that discovery and usage of the credential MUST be preceded by user verification.
    /// </summary>
    [EnumMember(Value = "userVerificationRequired")]
    Required
}

public class WinExtensionsIn : Fido2NetLib.Objects.AuthenticationExtensionsClientInputs
{
    private bool _enforceCredProtect;
    private bool _hmacSecret;

    /// <summary>
    /// This extension is used by the platform to retrieve a symmetric secret from the authenticator when it needs to encrypt or decrypt data using that symmetric secret. This symmetric secret is scoped to a credential. The authenticator and the platform each only have the part of the complete secret to prevent offline attacks. This extension can be used to maintain different secrets on different machines.
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-hmac-secret-extension
    /// </summary>
    [JsonProperty("hmacCreateSecret", NullValueHandling = NullValueHandling.Ignore)]
    public bool? HmacSecret
    {
        get
        {
            // Treat false as null, so that it is not serialized.
            return _hmacSecret ? true : (bool?)null;
        }
        set
        {
            _hmacSecret = (value == true);
        }
    }

    /// <summary>
    /// This extension indicates that the authenticator supports enhanced protection mode for the credentials created on the authenticator.
    /// If present, verify that the credentialProtectionPolicy value is one of the following values: userVerificationOptional, userVerificationOptionalWithCredentialIDList, userVerificationRequired
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-credProtect-extension
    /// </summary>
    [JsonProperty("credentialProtectionPolicy", NullValueHandling = NullValueHandling.Ignore)]
    public UserVerification? CredProtect { get; set; }

    /// <summary>
    /// Controls whether it is better to fail to create a credential rather than ignore the protection policy. When enforceCredentialProtectionPolicy is true, and credentialProtectionPolicy is either userVerificationOptionalWithCredentialIDList or userVerificationRequired, the platform SHOULD NOT create the credential in a way that does not implement the requested protection policy.
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-credProtect-extension
    /// </summary>
    [JsonProperty("enforceCredentialProtectionPolicy", NullValueHandling = NullValueHandling.Ignore)]
    public bool? EnforceCredProtect
    {
        get
        {
            // Treat false as null, so that it is not serialized.
            // Reads its own backing field (the original read _hmacSecret here, so the flag was never serialized unless hmacCreateSecret was also set).
            return _enforceCredProtect ? true : (bool?)null;
        }
        set
        {
            _enforceCredProtect = (value == true);
        }
    }
}

public class WinExtensionsOut : Fido2NetLib.Objects.AuthenticationExtensionsClientOutputs
{
    private bool _hmacSecret;

    /// <summary>
    /// This extension is used by the platform to retrieve a symmetric secret from the authenticator when it needs to encrypt or decrypt data using that symmetric secret. This symmetric secret is scoped to a credential. The authenticator and the platform each only have the part of the complete secret to prevent offline attacks. This extension can be used to maintain different secrets on different machines.
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-hmac-secret-extension
    /// </summary>
    [JsonProperty("hmacCreateSecret", NullValueHandling = NullValueHandling.Ignore)]
    public bool? HmacSecret
    {
        get
        {
            // Treat false as null, so that it is not serialized.
            return _hmacSecret ? true : (bool?)null;
        }
        set
        {
            _hmacSecret = (value == true);
        }
    }

    /// <summary>
    /// This extension indicates that the authenticator supports enhanced protection mode for the credentials created on the authenticator.
    /// If present, verify that the credentialProtectionPolicy value is one of the following values: userVerificationOptional, userVerificationOptionalWithCredentialIDList, userVerificationRequired
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-credProtect-extension
    /// </summary>
    [JsonProperty("credentialProtectionPolicy", NullValueHandling = NullValueHandling.Ignore)]
    public UserVerification? CredProtect { get; set; }
}
```
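The client-input classes above only ask the platform for a credProtect level; the level the authenticator actually applied is reported in the `credProtect` entry of the authenticator data extensions map, not in the client outputs. The following is an added example (not code from the posters of this issue or from fido2-net-lib) of the relying-party check a registration handler would want: parse the authenticator data, pull out the reported level and reject the credential when enforcement was requested and the authenticator returned a lower level or none. It assumes the PeterO.Cbor package that fido2-net-lib itself depends on and the `UserVerification` enum posted above; `CredProtectCheck`, its method names and the sample authData are constructed for this example. The "accept when not enforced" branch is a policy choice of the example, not something the spec mandates.

```csharp
// Added example for the thread above; not part of fido2-net-lib or of the posted classes.
// Assumes PeterO.Cbor (a fido2-net-lib dependency) and the UserVerification enum posted above.
using System;
using System.IO;
using PeterO.Cbor;

public static class CredProtectCheck
{
    // credProtect levels as the authenticator reports them in the authData
    // extensions map (CTAP 2.1 credProtect extension).
    public const int UvOptional = 1;
    public const int UvOptionalWithCredentialIdList = 2;
    public const int UvRequired = 3;

    // Map the client-input policy (UserVerification enum posted above) to the
    // numeric level the authenticator is expected to echo back.
    public static int RequestedLevel(UserVerification policy)
    {
        switch (policy)
        {
            case UserVerification.Required: return UvRequired;
            case UserVerification.OptionalWithCredentialIDList: return UvOptionalWithCredentialIdList;
            default: return UvOptional;
        }
    }

    // Walk the authenticator data layout:
    //   rpIdHash(32) | flags(1) | signCount(4)
    //   | attestedCredentialData: aaguid(16) | credIdLen(2, big-endian) | credId | COSE_Key (CBOR)   [flags bit AT, 0x40]
    //   | extensions (CBOR map)                                                                       [flags bit ED, 0x80]
    // Returns the reported credProtect level, or null if the authenticator did not report one.
    public static int? ReadCredProtect(byte[] authData)
    {
        using (var ms = new MemoryStream(authData))
        {
            ms.Position = 32;                        // skip rpIdHash
            int flags = ms.ReadByte();
            ms.Position += 4;                        // skip signCount
            if ((flags & 0x40) != 0)                 // AT: attested credential data present
            {
                ms.Position += 16;                   // aaguid
                int credIdLen = (ms.ReadByte() << 8) | ms.ReadByte();
                ms.Position += credIdLen;            // credentialId
                CBORObject.Read(ms);                 // credentialPublicKey: consumed so the stream sits at the extensions map
            }
            if ((flags & 0x80) == 0)                 // ED: no extensions map
                return null;
            CBORObject ext = CBORObject.Read(ms);
            if (!ext.ContainsKey("credProtect"))
                return null;
            return ext["credProtect"].AsInt32();
        }
    }

    // Registration-time decision: true if the RP should accept the credential.
    // A missing or lower-than-requested level is a downgrade; this example only
    // tolerates it when the RP did not ask for enforcement.
    public static bool PolicyHonoured(UserVerification requested, bool enforce, byte[] authData)
    {
        int wanted = RequestedLevel(requested);
        int? got = ReadCredProtect(authData);
        bool honoured = got.HasValue && got.Value >= wanted;
        return honoured || !enforce;
    }

    // Constructed sample authData (not captured from a real authenticator): AT and ED set,
    // zeroed rpIdHash/aaguid/signCount, a two-byte credential ID, a stub COSE key and the
    // given credProtect level in the extensions map.
    public static byte[] SampleAuthData(int credProtectLevel)
    {
        using (var ms = new MemoryStream())
        {
            Write(ms, new byte[32]);                                                   // rpIdHash
            ms.WriteByte(0x01 | 0x04 | 0x40 | 0x80);                                   // UP | UV | AT | ED
            Write(ms, new byte[4]);                                                    // signCount
            Write(ms, new byte[16]);                                                   // aaguid
            Write(ms, new byte[] { 0x00, 0x02, 0xAA, 0xBB });                          // credIdLen = 2, credId
            Write(ms, CBORObject.NewMap().Add(1, 2).Add(3, -7).EncodeToBytes());       // COSE_Key stub: kty=EC2, alg=ES256
            Write(ms, CBORObject.NewMap().Add("credProtect", credProtectLevel).EncodeToBytes());
            return ms.ToArray();
        }
    }

    private static void Write(Stream s, byte[] b) => s.Write(b, 0, b.Length);

    public static void Main()
    {
        bool honoured = PolicyHonoured(UserVerification.Required, true, SampleAuthData(UvRequired));
        bool downgraded = PolicyHonoured(UserVerification.Required, true, SampleAuthData(UvOptional));
        Console.WriteLine("honoured=" + honoured + " downgrade-accepted=" + downgraded);
    }
}
```

`Main` runs the check twice against the constructed data: once where the authenticator echoes the requested `userVerificationRequired` level, and once where it reports only `userVerificationOptional` despite enforcement being requested; the first is accepted and the second rejected. In a real handler the `authData` bytes come from the attestation object of the registration response, and the requested policy and enforce flag are whatever the RP put into `WinExtensionsIn` when it created the options.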
Hello, I would like to ask whether the following extensions are supported by this library:
Is there any sample code available for reading/writing these extensions, please? I am trying to exactly mimic the behavior of login.microsoft.com.