Add passkeys to ASP.NET Core Identity

Open MackinnonBuck opened this issue 6 months ago • 4 comments

This PR adds passkey support to ASP.NET Core Identity.

Description

Following is a summary of the changes in this PR:

  • Updated the Blazor Web App template to support passkey management and login
  • Added passkey (WebAuthn) support to ASP.NET Core Identity:
    • New passkey store abstractions with updated store implementations in Microsoft.AspNetCore.Identity.EntityFrameworkCore
    • New passkey abstractions for attestation and assertion
    • Extensibility points in the default passkey handler, e.g., for attestation statement validation
    • Support for all cryptographic algorithms tested by the FIDO conformance testing tool, except EdDSA.
    • New APIs in SignInManager and UserManager for passkey management and sign in
  • Added a sample project that can be run against the FIDO conformance testing tool

Note that the goal of this PR is to add support for passkey authentication in ASP.NET Core Identity. While it implements core WebAuthn functionality, it does not provide a complete and general-purpose WebAuthn/FIDO2 library. The public API surface is limited in order to enable long-term stability of the feature. Targeted extensibility points were added to enable functionality not implemented by default, most notably attestation statement validation. This allows the use of third-party libraries to fill the missing gaps, when desired. Community feedback may result in additional extensibility APIs being added in the future.

This PR includes E2E tests validating that a passkey can be registered and used for logging in. I'll add unit tests after we agree on the design to avoid churn.

Fixes #53467

MackinnonBuck avatar May 27 '25 06:05 MackinnonBuck

FYI I have a PR adding metrics to identity here: https://github.com/dotnet/aspnetcore/pull/62078. Whoever merges second will need to react and add counters and tags for passkey signins.

JamesNK avatar May 27 '25 08:05 JamesNK

Is there any provision for passkey integration into identity API endpoints via IdentityApiEndpointRouteBuilderExtensions?

mguinness avatar Jun 01 '25 03:06 mguinness

/azp run

MackinnonBuck avatar Jun 10 '25 13:06 MackinnonBuck

Azure Pipelines successfully started running 3 pipeline(s).

azure-pipelines[bot] avatar Jun 10 '25 13:06 azure-pipelines[bot]

/azp run

MackinnonBuck avatar Jun 20 '25 13:06 MackinnonBuck

Azure Pipelines successfully started running 3 pipeline(s).

azure-pipelines[bot] avatar Jun 20 '25 13:06 azure-pipelines[bot]