Move core passkey implementation to Microsoft.AspNetCore.Identity

Author: MackinnonBuck

src/Identity/Extensions.Core/src/DefaultPasskeyHandler.cs renamed to src/Identity/Core/src/DefaultPasskeyHandler.cs

@@ -1,16 +1,11 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Buffers.Binary;
-using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
-using System.Threading.Tasks;
-using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore.Identity;
@@ -22,7 +17,7 @@ public sealed partial class DefaultPasskeyHandler<TUser> : IPasskeyHandler<TUser
     where TUser : class
 {
     private readonly IPasskeyOriginValidator _originValidator;
-    private readonly IPasskeyAttestationStatementVerifier? _attestationStatementVerifier;
+    private readonly IPasskeyAttestationStatementVerifier _attestationStatementVerifier;
     private readonly PasskeyOptions _passkeyOptions;
 
     /// <summary>
@@ -34,7 +29,7 @@ public sealed partial class DefaultPasskeyHandler<TUser> : IPasskeyHandler<TUser
     public DefaultPasskeyHandler(
         IOptions<IdentityOptions> options,
         IPasskeyOriginValidator originValidator,
-        IPasskeyAttestationStatementVerifier? attestationStatementVerifier = null)
+        IPasskeyAttestationStatementVerifier attestationStatementVerifier)
     {
         _originValidator = originValidator;
         _attestationStatementVerifier = attestationStatementVerifier;
@@ -151,7 +146,7 @@ private async Task<PasskeyAttestationResult> PerformAttestationCoreAsync(
         }
 
         // 12. Let clientDataHash be the result of computing a hash over response.clientDataJSON using SHA-256.
-        var clientDataHash = ComputeSHA256Hash(response.ClientDataJSON);
+        var clientDataHash = SHA256.HashData(response.ClientDataJSON.AsSpan());
 
         // 13. Perform CBOR decoding on the attestationObject field of the AuthenticatorAttestationResponse structure and obtain the
         //     the authenticator data authenticatorData.
@@ -166,7 +161,7 @@ private async Task<PasskeyAttestationResult> PerformAttestationCoreAsync(
         }
 
         // 14. Verify that the rpIdHash in authenticatorData is the SHA-256 hash of the RP ID expected by the Relying Party.
-        var rpIdHash = ComputeSHA256Hash(Encoding.UTF8.GetBytes(originalOptions.Rp.Id ?? string.Empty));
+        var rpIdHash = SHA256.HashData(Encoding.UTF8.GetBytes(originalOptions.Rp.Id ?? string.Empty));
         if (!authenticatorData.RpIdHash.Span.SequenceEqual(rpIdHash.AsSpan()))
         {
             throw PasskeyException.InvalidRelyingPartyIDHash();
@@ -230,14 +225,11 @@ private async Task<PasskeyAttestationResult> PerformAttestationCoreAsync(
 
         // 21-24. Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against the set of supported WebAuthn
         //        Attestation Statement Format Identifier values...
-        if (_attestationStatementVerifier is not null)
+        //        Handles all validation related to the attestation statement (21-24).
+        var isAttestationStatementValid = await _attestationStatementVerifier.VerifyAsync(attestationObjectMemory, clientDataHash).ConfigureAwait(false);
+        if (!isAttestationStatementValid)
         {
-            // Handles all validation related to the attestation statement (21-24).
-            var isAttestationStatementValid = await _attestationStatementVerifier.VerifyAsync(attestationObjectMemory, clientDataHash).ConfigureAwait(false);
-            if (!isAttestationStatementValid)
-            {
-                throw PasskeyException.InvalidAttestationStatement();
-            }
+            throw PasskeyException.InvalidAttestationStatement();
         }
 
         // 25. Verify that the credentialId is <= 1023 bytes.
@@ -410,7 +402,7 @@ private async Task<PasskeyAssertionResult<TUser>> PerformAssertionCoreAsync(
         }
 
         // 15. Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party.
-        var rpIdHash = ComputeSHA256Hash(Encoding.UTF8.GetBytes(originalOptions.RpId ?? string.Empty));
+        var rpIdHash = SHA256.HashData(Encoding.UTF8.GetBytes(originalOptions.RpId ?? string.Empty));
         if (!authenticatorData.RpIdHash.Span.SequenceEqual(rpIdHash.AsSpan()))
         {
             throw PasskeyException.InvalidRelyingPartyIDHash();
@@ -459,7 +451,7 @@ private async Task<PasskeyAssertionResult<TUser>> PerformAssertionCoreAsync(
         }
 
         // 20. Let clientDataHash be the result of computing a hash over the cData using SHA-256.
-        var clientDataHash = ComputeSHA256Hash(response.ClientDataJSON);
+        var clientDataHash = SHA256.HashData(response.ClientDataJSON.AsSpan());
 
         // 21. Using credentialRecord.publicKey, verify that sig is a valid signature over the binary concatenation of authData and hash.
         byte[] data = [.. response.AuthenticatorData.AsSpan(), .. clientDataHash];
@@ -502,24 +494,4 @@ private async Task<PasskeyAssertionResult<TUser>> PerformAssertionCoreAsync(
         // 25. If all the above steps are successful, continue the authentication ceremony as appropriate.
         return PasskeyAssertionResult.Success(storedPasskey, user);
     }
-
-    private static byte[] ComputeSHA256Hash(byte[] data)
-    {
-#if NETCOREAPP
-        return SHA256.HashData(data);
-#else
-        using var sha256 = SHA256.Create();
-        return sha256.ComputeHash(data);
-#endif
-    }
-
-    private static byte[] ComputeSHA256Hash(BufferSource data)
-    {
-#if NETCOREAPP
-        return SHA256.HashData(data.AsSpan());
-#else
-        using var sha256 = SHA256.Create();
-        return sha256.ComputeHash(data.ToArray());
-#endif
-    }
 }

src/Identity/Extensions.Core/src/DefaultPasskeyOriginValidator.cs renamed to src/Identity/Core/src/DefaultPasskeyOriginValidator.cs

@@ -1,36 +1,27 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Runtime.CompilerServices;
-using System.Text;
-using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore.Identity;
 
-/// <summary>
-/// The default passkey origin validator.
-/// </summary>
-public sealed class DefaultPasskeyOriginValidator : IPasskeyOriginValidator
+internal class DefaultPasskeyOriginValidator : IPasskeyOriginValidator
 {
-    private readonly IPasskeyRequestContextProvider _requestContextProvider;
+    private readonly IHttpContextAccessor _httpContextAccessor;
     private readonly PasskeyOptions _options;
 
-    /// <summary>
-    /// Constructs a new <see cref="DefaultPasskeyOriginValidator"/>.
-    /// </summary>
     public DefaultPasskeyOriginValidator(
-        IPasskeyRequestContextProvider requestContextProvider,
+        IHttpContextAccessor httpContextAccessor,
         IOptions<IdentityOptions> options)
     {
-        _requestContextProvider = requestContextProvider;
+        ArgumentNullException.ThrowIfNull(httpContextAccessor);
+        ArgumentNullException.ThrowIfNull(options);
+
+        _httpContextAccessor = httpContextAccessor;
         _options = options.Value.Passkey;
     }
 
-    /// <inheritdoc/>
     public bool IsValidOrigin(PasskeyOriginInfo originInfo)
     {
         if (string.IsNullOrEmpty(originInfo.Origin))
@@ -59,12 +50,10 @@ public bool IsValidOrigin(PasskeyOriginInfo originInfo)
                 }
             }
 
-            if (_options.AllowCurrentOrigin)
+            if (_options.AllowCurrentOrigin && _httpContextAccessor.HttpContext?.Request.Headers.Origin is [var origin])
             {
-                var context = _requestContextProvider.Context;
-
                 // Uri.Equals correctly handles string comparands.
-                if (originUri.Equals(context.Origin))
+                if (originUri.Equals(origin))
                 {
                     return true;
                 }

src/Identity/Core/src/EventIds.cs

@@ -7,14 +7,16 @@ namespace Microsoft.AspNetCore.Identity;
 
 internal static class EventIds
 {
-    public static EventId UserCannotSignInWithoutConfirmedEmail = new EventId(0, "UserCannotSignInWithoutConfirmedEmail");
-    public static EventId SecurityStampValidationFailed = new EventId(0, "SecurityStampValidationFailed");
-    public static EventId SecurityStampValidationFailedId4 = new EventId(4, "SecurityStampValidationFailed");
-    public static EventId UserCannotSignInWithoutConfirmedPhoneNumber = new EventId(1, "UserCannotSignInWithoutConfirmedPhoneNumber");
-    public static EventId InvalidPassword = new EventId(2, "InvalidPassword");
-    public static EventId UserLockedOut = new EventId(3, "UserLockedOut");
-    public static EventId UserCannotSignInWithoutConfirmedAccount = new EventId(4, "UserCannotSignInWithoutConfirmedAccount");
-    public static EventId TwoFactorSecurityStampValidationFailed = new EventId(5, "TwoFactorSecurityStampValidationFailed");
-    public static EventId NoPasskeyCreationOptions = new EventId(6, "NoPasskeyCreationOptions");
-    public static EventId UserDoesNotMatchPasskeyCreationOptions = new EventId(7, "UserDoesNotMatchPasskeyCreationOptions");
+    public static readonly EventId UserCannotSignInWithoutConfirmedEmail = new(0, "UserCannotSignInWithoutConfirmedEmail");
+    public static readonly EventId SecurityStampValidationFailed = new(0, "SecurityStampValidationFailed");
+    public static readonly EventId SecurityStampValidationFailedId4 = new(4, "SecurityStampValidationFailed");
+    public static readonly EventId UserCannotSignInWithoutConfirmedPhoneNumber = new(1, "UserCannotSignInWithoutConfirmedPhoneNumber");
+    public static readonly EventId InvalidPassword = new(2, "InvalidPassword");
+    public static readonly EventId UserLockedOut = new(3, "UserLockedOut");
+    public static readonly EventId UserCannotSignInWithoutConfirmedAccount = new(4, "UserCannotSignInWithoutConfirmedAccount");
+    public static readonly EventId TwoFactorSecurityStampValidationFailed = new(5, "TwoFactorSecurityStampValidationFailed");
+    public static readonly EventId NoPasskeyCreationOptions = new(6, "NoPasskeyCreationOptions");
+    public static readonly EventId UserDoesNotMatchPasskeyCreationOptions = new(7, "UserDoesNotMatchPasskeyCreationOptions");
+    public static readonly EventId PasskeyAttestationFailed = new(8, "PasskeyAttestationFailed");
+    public static readonly EventId PasskeyAssertionFailed = new(9, "PasskeyAssertionFailed");
 }

src/Identity/Core/src/HttpPasskeyRequestContextProvider.cs

@@ -1,12 +1,6 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-
 namespace Microsoft.AspNetCore.Identity;
 
 /// <summary>

src/Identity/Extensions.Core/src/IPasskeyAttestationStatementVerifier.cs renamed to src/Identity/Core/src/IPasskeyAttestationStatementVerifier.cs

@@ -1,12 +1,6 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-
 namespace Microsoft.AspNetCore.Identity;
 
 /// <summary>

src/Identity/Extensions.Core/src/IPasskeyHandler.cs renamed to src/Identity/Core/src/IPasskeyHandler.cs

@@ -1,12 +1,6 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-
 namespace Microsoft.AspNetCore.Identity;
 
 /// <summary>

src/Identity/Extensions.Core/src/IPasskeyOriginValidator.cs renamed to src/Identity/Core/src/IPasskeyOriginValidator.cs

@@ -41,7 +41,9 @@ public static IdentityBuilder AddDefaultTokenProviders(this IdentityBuilder buil
     private static void AddSignInManagerDeps(this IdentityBuilder builder)
     {
         builder.Services.AddHttpContextAccessor();
-        builder.Services.AddScoped<IPasskeyRequestContextProvider, HttpPasskeyRequestContextProvider>();
+        builder.Services.AddScoped<IPasskeyAttestationStatementVerifier, NoOpPasskeyAttestationStatementVerifier>();
+        builder.Services.AddScoped<IPasskeyOriginValidator, DefaultPasskeyOriginValidator>();
+        builder.Services.AddScoped(typeof(IPasskeyHandler<>).MakeGenericType(builder.UserType), typeof(DefaultPasskeyHandler<>).MakeGenericType(builder.UserType));
         builder.Services.AddScoped(typeof(ISecurityStampValidator), typeof(SecurityStampValidator<>).MakeGenericType(builder.UserType));
         builder.Services.AddScoped(typeof(ITwoFactorSecurityStampValidator), typeof(TwoFactorSecurityStampValidator<>).MakeGenericType(builder.UserType));
         builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<SecurityStampValidatorOptions>, PostConfigureSecurityStampValidatorOptions>());

src/Identity/Core/src/IdentityBuilderExtensions.cs

@@ -102,7 +102,7 @@ public static class IdentityServiceCollectionExtensions
         services.TryAddScoped<ITwoFactorSecurityStampValidator, TwoFactorSecurityStampValidator<TUser>>();
         services.TryAddScoped<IUserClaimsPrincipalFactory<TUser>, UserClaimsPrincipalFactory<TUser, TRole>>();
         services.TryAddScoped<IUserConfirmation<TUser>, DefaultUserConfirmation<TUser>>();
-        services.TryAddScoped<IPasskeyRequestContextProvider, HttpPasskeyRequestContextProvider>();
+        services.TryAddScoped<IPasskeyAttestationStatementVerifier, NoOpPasskeyAttestationStatementVerifier>();
         services.TryAddScoped<IPasskeyOriginValidator, DefaultPasskeyOriginValidator>();
         services.TryAddScoped<IPasskeyHandler<TUser>, DefaultPasskeyHandler<TUser>>();
         services.TryAddScoped<UserManager<TUser>>();