From df376920a75d62e6f5cb817541f5de7145b86f2d Mon Sep 17 00:00:00 2001 From: Jonas Hendrickx Date: Mon, 15 Jul 2024 15:29:22 +0200 Subject: [PATCH] Implement PublicKeyCredentialHint for WebAuthn L3 (#524) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Implement PublicKeyCredentialHint for WebAuthn L3. * Set `Hints` to `null` when empty array is passed. * Format XML comment * Ignore when writing null * remove link * Needs to be list, order matters * Correct backwards compatibility options for PublicKeyCredentialHint * Add support for `hints` during authentication. * Correct --------- Co-authored-by: Anders Åberg --- Src/Fido2.Models/AssertionOptions.cs | 6 +++ Src/Fido2.Models/CredentialCreateOptions.cs | 38 +++++++++++++++++++ .../Objects/PublicKeyCredentialHint.cs | 30 +++++++++++++++ 3 files changed, 74 insertions(+) create mode 100644 Src/Fido2.Models/Objects/PublicKeyCredentialHint.cs diff --git a/Src/Fido2.Models/AssertionOptions.cs b/Src/Fido2.Models/AssertionOptions.cs index 536f6b93..3c4f6e27 100644 --- a/Src/Fido2.Models/AssertionOptions.cs +++ b/Src/Fido2.Models/AssertionOptions.cs @@ -48,6 +48,12 @@ public class AssertionOptions : Fido2ResponseBase [JsonPropertyName("userVerification")] public UserVerificationRequirement? UserVerification { get; set; } + /// + /// This OPTIONAL member contains zero or more elements from to guide the user agent in interacting with the user. Note that the elements have type DOMString despite being taken from that enumeration. + /// + [JsonPropertyName("hints")] + public IReadOnlyList Hints { get; set; } = Array.Empty(); + /// /// This OPTIONAL member contains additional parameters requesting additional processing by the client and authenticator. /// For example, if transaction confirmation is sought from the user, then the prompt string might be included as an extension. diff --git a/Src/Fido2.Models/CredentialCreateOptions.cs b/Src/Fido2.Models/CredentialCreateOptions.cs index bc55d159..f792b5d1 100644 --- a/Src/Fido2.Models/CredentialCreateOptions.cs +++ b/Src/Fido2.Models/CredentialCreateOptions.cs @@ -55,6 +55,44 @@ public sealed class CredentialCreateOptions : Fido2ResponseBase [JsonPropertyName("authenticatorSelection")] public AuthenticatorSelection AuthenticatorSelection { get; set; } + private IReadOnlyList _hints = Array.Empty(); + + /// + /// Guides the user agent in interacting with the user. This OPTIONAL member contains zero or more elements from . + /// + /// + /// When is set, will be set to one of the values in the table below: + /// + /// + /// + /// + /// + /// + [JsonPropertyName("hints")] + [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] + public IReadOnlyList Hints + { + get + { + return _hints; + } + set + { + if (value.Any()) + { + AuthenticatorSelection ??= new AuthenticatorSelection(); + AuthenticatorSelection.AuthenticatorAttachment = value[0] switch + { + PublicKeyCredentialHint.SecurityKey or PublicKeyCredentialHint.Hybrid => AuthenticatorAttachment + .CrossPlatform, + PublicKeyCredentialHint.ClientDevice => AuthenticatorAttachment.Platform, + _ => AuthenticatorSelection.AuthenticatorAttachment + }; + } + _hints = value; + } + } + /// /// This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same account on a single authenticator.The client is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter. /// diff --git a/Src/Fido2.Models/Objects/PublicKeyCredentialHint.cs b/Src/Fido2.Models/Objects/PublicKeyCredentialHint.cs new file mode 100644 index 00000000..9634174a --- /dev/null +++ b/Src/Fido2.Models/Objects/PublicKeyCredentialHint.cs @@ -0,0 +1,30 @@ +using System.Runtime.Serialization; +using System.Text.Json.Serialization; + +namespace Fido2NetLib.Objects; + +/// +/// WebAuthn Relying Parties may use this enumeration to communicate hints to the user-agent about how a request may be best completed. These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the Relying Party has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a Relying Party may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones. +/// Hints MAY contradict information contained in credential transports and authenticatorAttachment. When this occurs, the hints take precedence. (Note that transports values are not provided when using discoverable credentials, leaving hints as the only avenue for expressing some aspects of such a request.) +/// +[JsonConverter(typeof(FidoEnumConverter))] +public enum PublicKeyCredentialHint +{ + /// + /// Indicates that the Relying Party believes that users will satisfy this request with a physical security key. For example, an enterprise Relying Party may set this hint if they have issued security keys to their employees and will only accept those authenticators for registration and authentication. + /// + [EnumMember(Value = "security-key")] + SecurityKey, + + /// + /// Indicates that the Relying Party believes that users will satisfy this request with a platform authenticator attached to the client device. + /// + [EnumMember(Value = "client-device")] + ClientDevice, + + /// + /// Indicates that the Relying Party believes that users will satisfy this request with general-purpose authenticators such as smartphones. For example, a consumer Relying Party may believe that only a small fraction of their customers possesses dedicated security keys. This option also implies that the local platform authenticator should not be promoted in the UI. + /// + [EnumMember(Value = "hybrid")] + Hybrid, +}