示例#1
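        /// <summary>
        /// Builds the WebAuthn registration (attestation) options for the user named by
        /// <c>ctx.UPN</c>, stores the JSON in <c>ctx.CredentialOptions</c> and returns it.
        /// </summary>
        /// <param name="ctx">Authentication context; its UPN selects the user and receives the resulting JSON.</param>
        /// <returns>
        /// The serialized <see cref="RegisterCredentialOptions"/>. Failures (empty UPN, unknown user or any
        /// exception) do not propagate: the JSON then carries <c>Status = "error"</c> and an <c>ErrorMessage</c>.
        /// </returns>
        private string GetRegisterCredentialOptions(AuthenticationContext ctx)
        {
            try
            {
                if (string.IsNullOrEmpty(ctx.UPN))
                {
                    // The parameter name, not the (empty) UPN value, belongs in the exception.
                    throw new ArgumentNullException(nameof(ctx.UPN));
                }

                string attType            = this.ConveyancePreference;        // none, direct, indirect
                string authType           = this.Attachement;                 // <empty>, platform, cross-platform
                string userVerification   = this.UserVerificationRequirement; // preferred, required, discouraged
                bool   requireResidentKey = this.RequireResidentKey;          // true,false

                MFAWebAuthNUser user = RuntimeRepository.GetUser(Config, ctx.UPN);
                if (user == null)
                {
                    return FailRegistration(ctx, "User does not exists !", string.Format("{0}", "User does not exists !"));
                }

                // Credentials already bound to this user are excluded so the authenticator refuses a duplicate.
                List <MFAPublicKeyCredentialDescriptor> existingKeys = RuntimeRepository.GetCredentialsByUser(Config, user).Select(c => c.Descriptor).ToList();

                AuthenticatorSelection authenticatorSelection = new AuthenticatorSelection
                {
                    RequireResidentKey = requireResidentKey,
                    UserVerification   = userVerification.ToEnum <UserVerificationRequirement>()
                };
                // An empty attachment string means "no preference", so the property is left unset.
                if (!string.IsNullOrEmpty(authType))
                {
                    authenticatorSelection.AuthenticatorAttachment = authType.ToEnum <AuthenticatorAttachment>();
                }

                AuthenticationExtensionsClientInputs exts = new AuthenticationExtensionsClientInputs()
                {
                    Extensions             = this.Extentions,
                    UserVerificationIndex  = this.UserVerificationIndex,
                    Location               = this.Location,
                    UserVerificationMethod = this.UserVerificationMethod,
                    EnforceCredProtect     = this.EnforceCredProtect,
                    CredProtect            = this.CredProtect,
                    HmacSecret             = this.HmacSecret,
                    // NOTE(review): float.MaxValue places no upper bound on the accepted false-accept /
                    // false-reject rates of a biometric authenticator — confirm this is the intended policy.
                    BiometricAuthenticatorPerformanceBounds = new AuthenticatorBiometricPerfBounds
                    {
                        FAR = float.MaxValue,
                        FRR = float.MaxValue
                    }
                };

                RegisterCredentialOptions options = _webathn.GetRegisterCredentialOptions(user.ToCore(), existingKeys.ToCore(), authenticatorSelection, attType.ToEnum <AttestationConveyancePreference>(), exts);
                string result = options.ToJson();
                ctx.CredentialOptions = result;
                return result;
            }
            catch (Exception e)
            {
                // NOTE(review): the exception text (including the inner exception) is echoed to the caller in
                // ErrorMessage; if this JSON reaches the browser, a generic message would avoid exposing internals.
                string detail = string.Format("{0}{1}", e.Message, e.InnerException != null ? " (" + e.InnerException.Message + ")" : "");
                return FailRegistration(ctx, e.Message, detail);
            }
        }

        /// <summary>
        /// Shared failure path: logs <paramref name="logDetail"/> against the UPN, stores an error
        /// <see cref="RegisterCredentialOptions"/> JSON on the context and returns it.
        /// </summary>
        /// <param name="ctx">Context whose UPN is logged and whose <c>CredentialOptions</c> receives the JSON.</param>
        /// <param name="logDetail">Text written to the event log after the UPN.</param>
        /// <param name="errorMessage">Text placed in the <c>ErrorMessage</c> field of the returned options.</param>
        /// <returns>The serialized error options.</returns>
        private string FailRegistration(AuthenticationContext ctx, string logDetail, string errorMessage)
        {
            Log.WriteEntry(string.Format("{0}\r\n{1}", ctx.UPN, logDetail), EventLogEntryType.Error, 5000);
            string result = (new RegisterCredentialOptions {
                Status = "error", ErrorMessage = errorMessage
            }).ToJson();
            ctx.CredentialOptions = result;
            return result;
        }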
示例#2
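 /// <summary>
 /// Assembles the registration options handed to the client for creating a new credential.
 /// </summary>
 /// <param name="config">Relying-party settings; supplies the RP entity (domain, name, icon) and the timeout.</param>
 /// <param name="challenge">Challenge bytes placed in the options; must be present and non-empty.</param>
 /// <param name="user">The user the credential is being created for.</param>
 /// <param name="authenticatorSelection">Authenticator requirements, copied into the options unchanged.</param>
 /// <param name="attestationConveyancePreference">Attestation conveyance the relying party asks for.</param>
 /// <param name="excludeCredentials">Credentials to exclude; null is treated as an empty list.</param>
 /// <param name="extensions">Client extension inputs, copied into the options unchanged.</param>
 /// <returns>A populated <see cref="RegisterCredentialOptions"/> with <c>Status = "ok"</c>.</returns>
 /// <exception cref="ArgumentNullException"><paramref name="config"/> or <paramref name="challenge"/> is null.</exception>
 /// <exception cref="ArgumentException"><paramref name="challenge"/> is empty.</exception>
 public static RegisterCredentialOptions Create(Fido2Configuration config, byte[] challenge, Fido2User user, AuthenticatorSelection authenticatorSelection, AttestationConveyancePreference attestationConveyancePreference, List <PublicKeyCredentialDescriptor> excludeCredentials, AuthenticationExtensionsClientInputs extensions)
 {
     if (config == null)
     {
         throw new ArgumentNullException(nameof(config));
     }
     if (challenge == null)
     {
         throw new ArgumentNullException(nameof(challenge));
     }
     // An empty challenge would give the client nothing fresh to sign over; refuse it up front.
     if (challenge.Length == 0)
     {
         throw new ArgumentException("Challenge must not be empty.", nameof(challenge));
     }

     return(new RegisterCredentialOptions
     {
         Status = "ok",
         ErrorMessage = string.Empty,
         Challenge = challenge,
         Rp = new PublicKeyCredentialRpEntity(config.ServerDomain, config.ServerName, config.ServerIcon),
         Timeout = config.Timeout,
         User = user,
         // Accepted public-key algorithms, listed in order of preference; add more as appropriate.
         PubKeyCredParams = new List <PubKeyCredParam>()
         {
             ES256,
             RS256,
             PS256,
             ES384,
             RS384,
             PS384,
             ES512,
             RS512,
             PS512,
         },
         AuthenticatorSelection = authenticatorSelection,
         Attestation = attestationConveyancePreference,
         ExcludeCredentials = excludeCredentials ?? new List <PublicKeyCredentialDescriptor>(),
         Extensions = extensions
     });
 }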
示例#3
        /// <summary>
        /// GetRegisterCredentialOptions method implementation: draws a fresh random challenge of
        /// <c>_config.ChallengeSize</c> bytes and wraps it, together with the supplied parameters,
        /// into a <see cref="RegisterCredentialOptions"/> via <c>RegisterCredentialOptions.Create</c>.
        /// </summary>
        /// <param name="user">The user a new credential is being registered for.</param>
        /// <param name="excludeCredentials">Recommended. This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same account on a single authenticator. The client is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.</param>
        /// <param name="authenticatorSelection">Authenticator requirements forwarded into the options unchanged.</param>
        /// <param name="attestationPreference">This member is intended for use by Relying Parties that wish to express their preference for attestation conveyance. The default is none.</param>
        /// <param name="extensions">Optional client extension inputs; null when the caller has none.</param>
        /// <returns>CredentialCreateOptions including a challenge to be sent to the browser/authr to create new credentials</returns>
        public RegisterCredentialOptions GetRegisterCredentialOptions(Fido2User user, List <PublicKeyCredentialDescriptor> excludeCredentials, AuthenticatorSelection authenticatorSelection, AttestationConveyancePreference attestationPreference, AuthenticationExtensionsClientInputs extensions = null)
        {
            // NOTE(review): the challenge length is taken from configuration as-is; the WebAuthn
            // specification recommends at least 16 random bytes — confirm ChallengeSize is validated elsewhere.
            byte[] challengeBytes = new byte[_config.ChallengeSize];
            _crypto.GetBytes(challengeBytes);

            return RegisterCredentialOptions.Create(
                _config,
                challengeBytes,
                user,
                authenticatorSelection,
                attestationPreference,
                excludeCredentials,
                extensions);
        }