API review feedback

Author: MackinnonBuck

src/Identity/Core/src/DefaultPasskeyHandler.cs

@@ -60,7 +60,7 @@ public async Task<PasskeyCreationOptionsResult> MakeCreationOptionsAsync(Passkey
                 DisplayName = userEntity.DisplayName,
             },
             Challenge = BufferSource.FromBytes(challenge),
-            Timeout = (uint)_options.Timeout.TotalMilliseconds,
+            Timeout = (uint)_options.AuthenticatorTimeout.TotalMilliseconds,
             ExcludeCredentials = excludeCredentials,
             PubKeyCredParams = pubKeyCredParams,
             AuthenticatorSelection = new()
@@ -112,13 +112,13 @@ public async Task<PasskeyRequestOptionsResult> MakeRequestOptionsAsync(TUser? us
         ArgumentNullException.ThrowIfNull(httpContext);
 
         var allowCredentials = await GetAllowCredentialsAsync().ConfigureAwait(false);
-        var serverDomain = _options.ServerDomain ?? httpContext.Request.Host.Host;
+        var serverDomain = GetServerDomain(httpContext);
         var challenge = RandomNumberGenerator.GetBytes(_options.ChallengeSize);
         var options = new PublicKeyCredentialRequestOptions
         {
             Challenge = BufferSource.FromBytes(challenge),
             RpId = serverDomain,
-            Timeout = (uint)_options.Timeout.TotalMilliseconds,
+            Timeout = (uint)_options.AuthenticatorTimeout.TotalMilliseconds,
             AllowCredentials = allowCredentials,
             UserVerification = _options.UserVerificationRequirement,
         };
@@ -307,15 +307,19 @@ await VerifyClientDataAsync(
         // 21-24. Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against the set of supported WebAuthn
         //        Attestation Statement Format Identifier values...
         //        Handles all validation related to the attestation statement (21-24).
-        var isAttestationStatementValid = await _options.VerifyAttestationStatement(new()
-        {
-            HttpContext = context.HttpContext,
-            AttestationObject = attestationObjectMemory,
-            ClientDataHash = clientDataHash,
-        }).ConfigureAwait(false);
-        if (!isAttestationStatementValid)
+        if (_options.VerifyAttestationStatement is { } verifyAttestationStatement)
         {
-            throw PasskeyException.InvalidAttestationStatement();
+            var isAttestationStatementValid = await verifyAttestationStatement(new()
+            {
+                HttpContext = context.HttpContext,
+                AttestationObject = attestationObjectMemory,
+                ClientDataHash = clientDataHash,
+            }).ConfigureAwait(false);
+
+            if (!isAttestationStatementValid)
+            {
+                throw PasskeyException.InvalidAttestationStatement();
+            }
         }
 
         // 25. Verify that the credentialId is <= 1023 bytes.
@@ -338,7 +342,6 @@ await VerifyClientDataAsync(
         var credentialRecord = new UserPasskeyInfo(
             credentialId,
             publicKey: attestedCredentialData.CredentialPublicKey.ToArray(),
-            name: null,
             createdAt: DateTime.UtcNow,
             signCount: authenticatorData.SignCount,
             transports: response.Transports,
@@ -591,14 +594,7 @@ private async Task VerifyClientDataAsync(
         }
 
         // Verify that the value of C.origin is an origin expected by the Relying Party.
-        var originInfo = new PasskeyOriginValidationContext
-        {
-            HttpContext = httpContext,
-            Origin = clientData.Origin,
-            CrossOrigin = clientData.CrossOrigin == true,
-            TopOrigin = clientData.TopOrigin,
-        };
-        var isOriginValid = await _options.ValidateOrigin(originInfo).ConfigureAwait(false);
+        var isOriginValid = await ValidateOriginAsync(clientData, httpContext).ConfigureAwait(false);
         if (!isOriginValid)
         {
             throw PasskeyException.InvalidOrigin(clientData.Origin);
@@ -652,6 +648,32 @@ private void VerifyAuthenticatorData(
         }
     }
 
+    private ValueTask<bool> ValidateOriginAsync(CollectedClientData clientData, HttpContext httpContext)
+    {
+        if (_options.ValidateOrigin is { } validateOrigin)
+        {
+            // The user has overridden the default origin validation,
+            // so we'll use that instead of the default behavior.
+            return validateOrigin(new PasskeyOriginValidationContext
+            {
+                HttpContext = httpContext,
+                Origin = clientData.Origin,
+                CrossOrigin = clientData.CrossOrigin == true,
+                TopOrigin = clientData.TopOrigin,
+            });
+        }
+
+        if (string.IsNullOrEmpty(clientData.Origin) ||
+            clientData.CrossOrigin == true ||
+            !Uri.TryCreate(clientData.Origin, UriKind.Absolute, out var originUri))
+        {
+            return ValueTask.FromResult(false);
+        }
+
+        // Uri.Equals correctly handles string comparands.
+        return ValueTask.FromResult(httpContext.Request.Headers.Origin is [var origin] && originUri.Equals(origin));
+    }
+
     private string GetServerDomain(HttpContext httpContext)
         => _options.ServerDomain ?? httpContext.Request.Host.Host;
 }

src/Identity/Core/src/PasskeyAttestationStatementVerificationContext.cs

@@ -11,7 +11,7 @@ namespace Microsoft.AspNetCore.Identity;
 /// <remarks>
 /// See <see href="https://www.w3.org/TR/webauthn-3/#verification-procedure"/>.
 /// </remarks>
-public readonly struct PasskeyAttestationStatementVerificationContext
+public sealed class PasskeyAttestationStatementVerificationContext
 {
     /// <summary>
     /// Gets or sets the <see cref="HttpContext"/> for the current request.

src/Identity/Core/src/PasskeyOptions.cs

@@ -9,69 +9,132 @@ namespace Microsoft.AspNetCore.Identity;
 public class PasskeyOptions
 {
     /// <summary>
-    /// Gets or sets the time that the server is willing to wait for a passkey operation to complete.
+    /// Gets or sets the time that the browser should wait for the authenticator to provide a passkey.
     /// </summary>
     /// <remarks>
+    /// <para>
+    /// This option applies to both creating a new passkey and requesting an existing passkey.
+    /// This is treated as a hint to the browser, and the browser may choose to ignore it.
+    /// </para>
+    /// <para>
     /// The default value is 5 minutes.
+    /// </para>
+    /// <para>
     /// See <see href="https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialcreationoptions-timeout"/>
     /// and <see href="https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-timeout"/>.
+    /// </para>
     /// </remarks>
-    public TimeSpan Timeout { get; set; } = TimeSpan.FromMinutes(5);
+    public TimeSpan AuthenticatorTimeout { get; set; } = TimeSpan.FromMinutes(5);
 
     /// <summary>
-    /// The size of the challenge in bytes sent to the client during WebAuthn attestation and assertion.
+    /// Gets or sets the size of the challenge in bytes sent to the client during attestation and assertion.
     /// </summary>
     /// <remarks>
+    /// <para>
+    /// This option applies to both creating a new passkey and requesting an existing passkey.
+    /// </para>
+    /// <para>
     /// The default value is 32 bytes.
+    /// </para>
+    /// <para>
     /// See <see href="https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialcreationoptions-challenge"/>
     /// and <see href="https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-challenge"/>.
+    /// </para>
     /// </remarks>
     public int ChallengeSize { get; set; } = 32;
 
     /// <summary>
-    /// The effective domain of the server. Should be unique and will be used as the identity for the server.
+    /// Gets or sets the effective domain of the server.
+    /// This should be unique and will be used as the identity for the server.
     /// </summary>
     /// <remarks>
+    /// <para>
+    /// This option applies to both creating a new passkey and requesting an existing passkey.
+    /// </para>
+    /// <para>
     /// If left <see langword="null"/>, the server's origin may be used instead.
+    /// </para>
+    /// <para>
     /// See <see href="https://www.w3.org/TR/webauthn-3/#rp-id"/>.
+    /// </para>
     /// </remarks>
     public string? ServerDomain { get; set; }
 
     /// <summary>
     /// Gets or sets the user verification requirement.
     /// </summary>
     /// <remarks>
-    /// See <see href="https://www.w3.org/TR/webauthn-3/#enumdef-userverificationrequirement"/>.
+    /// <para>
+    /// This option applies to both creating a new passkey and requesting an existing passkey.
+    /// </para>
+    /// <para>
     /// Possible values are "required", "preferred", and "discouraged".
+    /// </para>
+    /// <para>
     /// If left <see langword="null"/>, the browser defaults to "preferred".
+    /// </para>
+    /// <para>
+    /// See <see href="https://www.w3.org/TR/webauthn-3/#enumdef-userverificationrequirement"/>.
+    /// </para>
     /// </remarks>
     public string? UserVerificationRequirement { get; set; }
 
     /// <summary>
     /// Gets or sets the extent to which the server desires to create a client-side discoverable credential.
     /// </summary>
     /// <remarks>
-    /// See <see href="https://www.w3.org/TR/webauthn-3/#enumdef-residentkeyrequirement"/>.
+    /// <para>
+    /// This option only applies when creating a new passkey, and is not enforced on the server.
+    /// </para>
+    /// <para>
     /// Possible values are "discouraged", "preferred", or "required".
+    /// </para>
+    /// <para>
     /// If left <see langword="null"/>, the browser defaults to "preferred".
+    /// </para>
+    /// <para>
+    /// See <see href="https://www.w3.org/TR/webauthn-3/#enumdef-residentkeyrequirement"/>.
+    /// </para>
     /// </remarks>
     public string? ResidentKeyRequirement { get; set; }
 
     /// <summary>
     /// Gets or sets the attestation conveyance preference.
     /// </summary>
     /// <remarks>
-    /// See <see href="https://www.w3.org/TR/webauthn-3/#enumdef-attestationconveyancepreference"/>.
+    /// <para>
+    /// This option only applies when creating a new passkey, and already-registered passkeys are not affected by it.
+    /// To validate the attestation statement of a passkey during passkey creation, provide a value for the
+    /// <see cref="VerifyAttestationStatement"/> option.
+    /// </para>
+    /// <para>
+    /// Possible values are "none", "indirect", "direct", and "enterprise".
+    /// </para>
+    /// <para>
     /// If left <see langword="null"/>, the browser defaults to "none".
+    /// </para>
+    /// <para>
+    /// See <see href="https://www.w3.org/TR/webauthn-3/#enumdef-attestationconveyancepreference"/>.
+    /// </para>
     /// </remarks>
     public string? AttestationConveyancePreference { get; set; }
 
     /// <summary>
-    /// Gets or sets the authenticator attachment.
+    /// Gets or sets the allowed authenticator attachment.
     /// </summary>
     /// <remarks>
-    /// See <see href="https://www.w3.org/TR/webauthn-3/#enumdef-authenticatorattachment"/>.
+    /// <para>
+    /// This option only applies when creating a new passkey, and already-registered passkeys are not affected by it.
+    /// </para>
+    /// <para>
+    /// Possible values are "platform" and "cross-platform".
+    /// </para>
+    /// <para>
     /// If left <see langword="null"/>, any authenticator attachment modality is allowed.
+    /// </para>
+    /// <para>
+    /// See <see href="https://www.w3.org/TR/webauthn-3/#enumdef-authenticatorattachment"/>.
+    /// </para>
     /// </remarks>
     public string? AuthenticatorAttachment { get; set; }
 
@@ -80,47 +143,42 @@ public class PasskeyOptions
     /// is allowed for passkey operations.
     /// </summary>
     /// <remarks>
-    /// If <see langword="null"/> all supported algorithms are allowed.
+    /// <para>
+    /// This option only applies when creating a new passkey, and already-registered passkeys are not affected by it.
+    /// </para>
+    /// <para>
+    /// If left <see langword="null"/>, all supported algorithms are allowed.
+    /// </para>
+    /// <para>
     /// See <see href="https://www.iana.org/assignments/cose/cose.xhtml#algorithms"/>.
+    /// </para>
     /// </remarks>
     public Func<int, bool>? IsAllowedAlgorithm { get; set; }
 
     /// <summary>
     /// Gets or sets a function that validates the origin of the request.
     /// </summary>
     /// <remarks>
-    /// By default, this function disallows cross-origin requests and checks
-    /// that the request's origin header matches the credential's origin.
+    /// <para>
+    /// This option applies to both creating a new passkey and requesting an existing passkey.
+    /// </para>
+    /// <para>
+    /// If left <see langword="null"/>, cross-origin requests are disallowed, and the request is only
+    /// considered valid if the request's origin header matches the credential's origin.
+    /// </para>
     /// </remarks>
-    public Func<PasskeyOriginValidationContext, Task<bool>> ValidateOrigin { get; set; } = DefaultValidateOrigin;
+    public Func<PasskeyOriginValidationContext, ValueTask<bool>>? ValidateOrigin { get; set; }
 
     /// <summary>
     /// Gets or sets a function that verifies the attestation statement of a passkey.
     /// </summary>
     /// <remarks>
-    /// By default, this function does not perform any verification and always returns <see langword="true"/>.
+    /// <para>
+    /// This option only applies when creating a new passkey, and already-registered passkeys are not affected by it.
+    /// </para>
+    /// <para>
+    /// If left <see langword="null"/>, this function does not perform any verification and always returns <see langword="true"/>.
+    /// </para>
     /// </remarks>
-    public Func<PasskeyAttestationStatementVerificationContext, Task<bool>> VerifyAttestationStatement { get; set; } = DefaultVerifyAttestationStatement;
-
-    private static Task<bool> DefaultValidateOrigin(PasskeyOriginValidationContext context)
-    {
-        var result = IsValidOrigin();
-        return Task.FromResult(result);
-
-        bool IsValidOrigin()
-        {
-            if (string.IsNullOrEmpty(context.Origin) ||
-                context.CrossOrigin ||
-                !Uri.TryCreate(context.Origin, UriKind.Absolute, out var originUri))
-            {
-                return false;
-            }
-
-            // Uri.Equals correctly handles string comparands.
-            return context.HttpContext.Request.Headers.Origin is [var origin] && originUri.Equals(origin);
-        }
-    }
-
-    private static Task<bool> DefaultVerifyAttestationStatement(PasskeyAttestationStatementVerificationContext context)
-        => Task.FromResult(true);
+    public Func<PasskeyAttestationStatementVerificationContext, ValueTask<bool>>? VerifyAttestationStatement { get; set; }
 }

src/Identity/Core/src/PasskeyOriginValidationContext.cs

@@ -8,7 +8,7 @@ namespace Microsoft.AspNetCore.Identity;
 /// <summary>
 /// Contains information used for determining whether a passkey's origin is valid.
 /// </summary>
-public readonly struct PasskeyOriginValidationContext
+public sealed class PasskeyOriginValidationContext
 {
     /// <summary>
     /// Gets or sets the HTTP context associated with the request.

src/Identity/Core/src/PublicAPI.Unshipped.txt

@@ -59,6 +59,8 @@ Microsoft.AspNetCore.Identity.PasskeyOptions.AttestationConveyancePreference.get
 Microsoft.AspNetCore.Identity.PasskeyOptions.AttestationConveyancePreference.set -> void
 Microsoft.AspNetCore.Identity.PasskeyOptions.AuthenticatorAttachment.get -> string?
 Microsoft.AspNetCore.Identity.PasskeyOptions.AuthenticatorAttachment.set -> void
+Microsoft.AspNetCore.Identity.PasskeyOptions.AuthenticatorTimeout.get -> System.TimeSpan
+Microsoft.AspNetCore.Identity.PasskeyOptions.AuthenticatorTimeout.set -> void
 Microsoft.AspNetCore.Identity.PasskeyOptions.ChallengeSize.get -> int
 Microsoft.AspNetCore.Identity.PasskeyOptions.ChallengeSize.set -> void
 Microsoft.AspNetCore.Identity.PasskeyOptions.IsAllowedAlgorithm.get -> System.Func<int, bool>?
@@ -68,13 +70,11 @@ Microsoft.AspNetCore.Identity.PasskeyOptions.ResidentKeyRequirement.get -> strin
 Microsoft.AspNetCore.Identity.PasskeyOptions.ResidentKeyRequirement.set -> void
 Microsoft.AspNetCore.Identity.PasskeyOptions.ServerDomain.get -> string?
 Microsoft.AspNetCore.Identity.PasskeyOptions.ServerDomain.set -> void
-Microsoft.AspNetCore.Identity.PasskeyOptions.Timeout.get -> System.TimeSpan
-Microsoft.AspNetCore.Identity.PasskeyOptions.Timeout.set -> void
 Microsoft.AspNetCore.Identity.PasskeyOptions.UserVerificationRequirement.get -> string?
 Microsoft.AspNetCore.Identity.PasskeyOptions.UserVerificationRequirement.set -> void
-Microsoft.AspNetCore.Identity.PasskeyOptions.ValidateOrigin.get -> System.Func<Microsoft.AspNetCore.Identity.PasskeyOriginValidationContext, System.Threading.Tasks.Task<bool>!>!
+Microsoft.AspNetCore.Identity.PasskeyOptions.ValidateOrigin.get -> System.Func<Microsoft.AspNetCore.Identity.PasskeyOriginValidationContext!, System.Threading.Tasks.ValueTask<bool>>?
 Microsoft.AspNetCore.Identity.PasskeyOptions.ValidateOrigin.set -> void
-Microsoft.AspNetCore.Identity.PasskeyOptions.VerifyAttestationStatement.get -> System.Func<Microsoft.AspNetCore.Identity.PasskeyAttestationStatementVerificationContext, System.Threading.Tasks.Task<bool>!>!
+Microsoft.AspNetCore.Identity.PasskeyOptions.VerifyAttestationStatement.get -> System.Func<Microsoft.AspNetCore.Identity.PasskeyAttestationStatementVerificationContext!, System.Threading.Tasks.ValueTask<bool>>?
 Microsoft.AspNetCore.Identity.PasskeyOptions.VerifyAttestationStatement.set -> void
 Microsoft.AspNetCore.Identity.PasskeyOriginValidationContext
 Microsoft.AspNetCore.Identity.PasskeyOriginValidationContext.CrossOrigin.get -> bool

src/Identity/EntityFrameworkCore/src/IdentityUserContext.cs

@@ -287,7 +287,7 @@ internal virtual void OnModelCreatingVersion3(ModelBuilder builder)
             b.HasKey(p => p.CredentialId);
             b.ToTable("AspNetUserPasskeys");
             b.Property(p => p.CredentialId).HasMaxLength(1024); // Defined in WebAuthn spec to be no longer than 1023 bytes
-            b.Property(p => p.PublicKey).HasMaxLength(1024); // Safe upper limit
+            b.OwnsOne(p => p.Data).ToJson();
         });
     }