
Follow-ups for passkey support in ASP.NET Core Identity

Open MackinnonBuck opened this issue 6 months ago • 2 comments

https://github.com/dotnet/aspnetcore/pull/62112 adds support for passkeys in ASP.NET Core Identity and extends the Blazor Web App template to support passkey management and authentication. However, there are some follow-up items we should consider:

  • [ ] Enable WebAuthn conformance testing in CI
    • There's currently a project in this repo that can be run against the FIDO2 Conformance Test tool, but the tool itself is proprietary and doesn't have a CLI. We should consider writing our own solution that performs similar validations to the conformance testing tool.
  • [ ] Determine how to best help customers migrate their databases to include passkeys
  • [ ] Update scaffolding to include passkey support
  • [ ] Support passwordless account creation
  • [ ] Support conditional create to allow the user to seamlessly upgrade a password to a passkey after signing in
  • [ ] Use the signals API to, e.g., inform the authenticator when a passkey was revoked so it doesn't get presented to the user as an option when signing in
  • [ ] Make it easy to configure well-known passkey endpoints so that authenticators can automatically upgrade passwords to passkeys without requiring the customer to visit the site
  • [ ] ~Update MapIdentityApi() to add endpoints for passkeys~
  • [ ] ~Update Microsoft.AspNetCore.Identity.UI to support the same passkey UI that got added to the Blazor Web App template~

MackinnonBuck avatar Jun 13 '25 19:06 MackinnonBuck

This issue tracks the considerations I raised here. Since my comment also addresses the API proposal I'll leave it be for now.

abergs avatar Jun 16 '25 08:06 abergs

Are there plans to integrate the new passkey support into the MapIdentityApi endpoints?

mguinness avatar Jun 16 '25 22:06 mguinness

Are there plans to integrate the new passkey support into the MapIdentityApi endpoints?

@mikekistler Asking if passkey support will be included in the identity API endpoints via IdentityApiEndpointRouteBuilderExtensions. Maybe this could be added as a sub-issue here where it can be upvoted by others?

mguinness avatar Jun 25 '25 20:06 mguinness

@danroth27 - Not getting a response regarding passkey support for MapIdentityApi endpoints. Simply need to know if this is being considered or not?

mguinness avatar Jul 29 '25 17:07 mguinness

Can https://github.com/dotnet/aspnetcore/pull/62917 be considered?

maartenba avatar Jul 29 '25 18:07 maartenba

@mguinness Sorry I missed this earlier. I agree we should add a sub issue for API support for Passkeys.

At this point we are out of runway for a feature like this to get into .NET 10. We had an item on the .NET 10 Roadmap to provide scaffolding support for the identity APIs, but this had to be dropped due to resource constraints. I believe that scaffolding support is the best strategic solution and we'll probably try again to put that out in .NET 11.

mikekistler avatar Jul 30 '25 00:07 mikekistler

Thanks for addressing that Mike and for creating the corresponding issue.

mguinness avatar Jul 30 '25 13:07 mguinness

While doing this can we make all of this stuff that is internal not internal so that we can create a challenge via a secure REST request, and then complete the challenge the same way?

As part of this need to create a storage system for the challenges/recovery on IUserStore so that instead of just using cookies by default this could be overridden so that it can be stored in a database etc. and recovered from the completion request.

JohnGalt1717 avatar Nov 07 '25 19:11 JohnGalt1717