Is it possible to use .net implementation without using active directory.

We have a .net mvc app publicly available and would like to go passwordless login - using active directory is out of the question as Microsoft

await _signInManager.GetTwoFactorAuthenticationUserAsync() always returns null in release version, while it does function in development mode. I do see a cookie named Identity.TwoFactorUserId being set after the first step of logging in.

My environment is .NET 5.0

I was wondering if you might consider making the warning and error messages translatable to other languages than English. I also asked this from Anders Åberg for the FIDO2 library. (passwordless-lib/fido2-net-lib#394)

In passwordless.login.js, instead of setting window.location.href = "/index", I suggest to redirect to the ReturnUrl like so:

    let returnUrl = findGetParameter('ReturnUrl');
    if (!returnUrl) {
        returnUrl = getFolder();
    }
    window.location.href = returnUrl;

using these helper functions:

function findGetParameter(parameterName) {
    var result = null,
        tmp = [];
    location.search
        .substr(1)
        .split("&")
        .forEach(function (item) {
            tmp = item.split("=");
            if (tmp[0] === parameterName) result = decodeURIComponent(tmp[1]);
        });
    return result;
}

and

function getFolder() {
    var dir = "";
    try {
        dir = document.getElementById('BasePath').value;
    } catch (e) {
    }
    return dir;
}

combined with this line added to Login.cshtml:

<input type="hidden" id="BasePath" name="BasePath" value="@Url.Content("~")">

Consider upstreaming parts of this to the ASP.NET Core project.

Particularly the FidoStoredCredential model and the changes to ApplicationDbContextModelSnapshot.cs.

In passwordless.login.js, in verifyAssertionWithServer, if assertedCredential.response.userHandle is null, still userHandle in data.response is set to "" by coerceToBase64Url(userHandle). Suggest to add check on userHandle.length like so:
userHandle: userHandle !== null && userHandle.length > 0 ? coerceToBase64Url(userHandle) : null,

mfa.register.js

window.location.href = "/Identity/Account/Manage/GenerateRecoveryCodes";

Hi Damien,
I have tried your nice project. I have changed one thing on the fido2mfa.cshtml :

the value is set with the authenticatd user email instead of his username.

The project runs fine on my local host (iss express of visual studio 2019) with the below app settings :
"Fido2": {
"ServerDomain": "localhost",
"ServerName": "WebAuth Fenix",
"Origin": "http://localhost:44398",
"TimestampDriftTolerance": 300000,
"MDSAccessKey": null
}
I can register my fido2 yubikey, log in with it and unregistered it.

But when the test app (.Net 5 with razor pages) is deployed on internet (hosted at somee.com), I cannot register my fido2 yubikey at fido2mfa.cshtml.
I have tried the below settings, but I still get the error :
FIDO2_REGISTRATION_ERROR, exception:TypeError: Cannot read property 'create' of undefined

"Fido2": {
  "ServerDomain": "sipffenix.somee.com",
  "ServerName": "WebAuth Fenix",
  "Origin": "http://sipffenix.somee.com",
  "TimestampDriftTolerance": 300000,
  "MDSAccessKey": null
}

I have looked at the files 'MfaFido2RegisterController.cs' and 'mfa.register.js'.... Everything seems OK. I have not found something related to : "property 'create' of undefined"

Any idea about this bug ?

After login redirection is always done to the root page.

The reason is that in the LoginFido2Mfa page the ReturnUrl is not stored.

It can be fixed applying the BindProperty attribute (with GET) in the page model.

[BindProperty(SupportsGet=true)]
public bool RememberMe { get; set; }

[BindProperty(SupportsGet = true)]
public string ReturnUrl { get; set; }

Hi damien, i am trying out the mfa implementation but i am facing this error on registration exception:TypeError: Failed to execute 'create' on 'CredentialsContainer': Failed to read the 'publicKey' property from 'CredentialCreationOptions': Failed to read the 'attestation' property from 'PublicKeyCredentialCreationOptions': The provided value '0' is not a valid enum value of type AttestationConveyancePreference. on mfa.register.js line 80

i noticed these codes on MfaFidoRegisterController var items = await _fido2Storage.GetCredentialsByUsername(identityUser.UserName); var existingKeys = new List<PublicKeyCredentialDescriptor>(); foreach (var publicKeyCredentialDescriptor in items) { existingKeys.Add(publicKeyCredentialDescriptor.Descriptor); }
does this have anything to do with the error above?

• i am using a copy of an existing AspNetIdentity Database and added the FidoStoredCredential table

Hi Damien, I propose to move the "throw new ArgumentException("Username was not registered");" a few lines up: instead of checking the existence of the user, check the existence of the identityUser, for when that is empty, the new FidoUser will throw an uncaught exception. Suggestion: if (identityUser == null) throw new ArgumentException("Username was not registered");

In PwFido2RegisterController.cs, when user creation fails for whatever reason (e.g. invalidUserName if it contains blank spaces), this goes unnoticed. This could be improved by returning null from CreateUser if !result.Succeeded, but then you still end up having created FIDO credentials. Ideally, this would all be one transaction that can be rolled back upon failure, but maybe changing the order can help, creating the user first and only afterwards make the new credentials.

There is preview9 available. Would be cool if you could update the library as well: https://devblogs.microsoft.com/aspnet/asp-net-core-and-blazor-updates-in-net-core-3-0-preview-9/.

Hi Damien, the MfaFido2SignInFidoController constructor contains this statement twice: "_userManager = userManager;" while it is not even used at all.
And while we're at it, wouldn't it be logical to include the result of the await _signInManager.TwoFactorSignInAsync("FIDO2", string.Empty, false, false) in the return value of the MakeAssertion call, or is this covered by the exception handler?
Nico

In passwordless.login.js and passwordless.register.js, calls to back-end like "/pwmakeAssertion" don't work if the application is deployed in a subfolder like "https://somehost.com/myapplication/".
I suggest to
a) add this line to Login.cshtml and Register.cshtml:
<input type="hidden" id="BasePath" name="BasePath" value="@Url.Content("~")">
and
b) add a helper function like

function getFolder() {
    var dir = "";
    try {
        dir = document.getElementById('BasePath').value;
    } catch (e) {
    }
    return dir;
}

and then call
fetch(getFolder() + "/pwmakeAssertion" ....