Create wrapper objects for GetAssertionOptinos

Author: abergs

BlazorWasmDemo/Server/Controllers/UserController.cs

@@ -219,10 +219,12 @@ public AssertionOptions MakeAssertionOptions([FromRoute] string? username, [From
             };
 
             // 2. Create options (usernameless users will be prompted by their device to select a credential from their own list)
-            var options = _fido2.GetAssertionOptions(
-                existingKeys,
-                userVerification ?? UserVerificationRequirement.Discouraged,
-                exts);
+            var options = _fido2.GetAssertionOptions(new GetAssertionOptionsParams
+            {
+                AllowedCredentials = existingKeys,
+                UserVerification = userVerification ?? UserVerificationRequirement.Discouraged,
+                Extensions = exts
+            });
 
             // 4. Temporarily store options, session/in-memory cache/redis/db
             _pendingAssertions[new string(options.Challenge.Select(b => (char)b).ToArray())] = options;

Demo/Controller.cs

@@ -166,11 +166,12 @@ public ActionResult AssertionOptionsPost([FromForm] string username, [FromForm]
 
             // 3. Create options
             var uv = string.IsNullOrEmpty(userVerification) ? UserVerificationRequirement.Discouraged : userVerification.ToEnum<UserVerificationRequirement>();
-            var options = _fido2.GetAssertionOptions(
-                existingCredentials,
-                uv,
-                exts
-            );
+            var options = _fido2.GetAssertionOptions(new GetAssertionOptionsParams()
+            {
+                AllowedCredentials = existingCredentials,
+                UserVerification = uv,
+                Extensions = exts
+            });
 
             // 4. Temporarily store options, session/in-memory cache/redis/db
             HttpContext.Session.SetString("fido2.assertionOptions", options.ToJson());

Demo/TestController.cs

@@ -151,11 +151,12 @@ public IActionResult AssertionOptionsTest([FromBody] TEST_AssertionClientParams
             exts.Example = assertionClientParams.Extensions.Example;
 
         // 3. Create options
-        var options = _fido2.GetAssertionOptions(
-            existingCredentials,
-            uv,
-            exts
-        );
+        var options = _fido2.GetAssertionOptions(new GetAssertionOptionsParams
+        {
+            AllowedCredentials = existingCredentials,
+            UserVerification = uv,
+            Extensions = exts
+        });
 
         // 4. Temporarily store options, session/in-memory cache/redis/db
         HttpContext.Session.SetString("fido2.assertionOptions", options.ToJson());

Src/Fido2/Fido2.cs

@@ -53,10 +53,15 @@ public async Task<RegisteredPublicKeyCredential> MakeNewCredentialAsync(MakeNewC
     /// <summary>
     /// Returns AssertionOptions including a challenge to the browser/authenticator to assert existing credentials and authenticate a user.
     /// </summary>
-    /// <param name="allowedCredentials"></param>
-    /// <param name="userVerification"></param>
-    /// <param name="extensions"></param>
+    /// <param name="getAssertionOptionsParams">The input arguments for generating AssertionOptions</param>
     /// <returns></returns>
+    public AssertionOptions GetAssertionOptions(GetAssertionOptionsParams getAssertionOptionsParams)
+    {
+        byte[] challenge = RandomNumberGenerator.GetBytes(_config.ChallengeSize);
+
+        return AssertionOptions.Create(_config, challenge, getAssertionOptionsParams.AllowedCredentials, getAssertionOptionsParams.UserVerification, getAssertionOptionsParams.Extensions);
+    }
+
     public AssertionOptions GetAssertionOptions(
         IReadOnlyList<PublicKeyCredentialDescriptor> allowedCredentials,
         UserVerificationRequirement? userVerification,

Src/Fido2/GetAssertionOptionsParams.cs

@@ -0,0 +1,35 @@
+using System;
+using System.Collections.Generic;
+using Fido2NetLib.Objects;
+
+namespace Fido2NetLib;
+
+/// <summary>
+///  The input arguments for generating AssertionOptions
+/// </summary>
+public sealed class GetAssertionOptionsParams
+{
+    /// <summary>
+    ///  This OPTIONAL member is used by the client to find authenticators eligible for this authentication ceremony. It can be used in two ways:
+    /// 
+    /// * If the user account to authenticate is already identified (e.g., if the user has entered a username), then the Relying Party SHOULD use this member to list credential descriptors for credential records in the user account. This SHOULD usually include all credential records in the user account.
+    /// The items SHOULD specify transports whenever possible. This helps the client optimize the user experience for any given situation. Also note that the Relying Party does not need to filter the list when requesting user verification — the client will automatically ignore non-eligible credentials if userVerification is set to required.
+    /// See also the § 14.6.3 Privacy leak via credential IDs privacy consideration.
+    ///  * If the user account to authenticate is not already identified, then the Relying Party MAY leave this member empty or unspecified. In this case, only discoverable credentials will be utilized in this authentication ceremony, and the user account MAY be identified by the userHandle of the resulting AuthenticatorAssertionResponse. If the available authenticators contain more than one discoverable credential scoped to the Relying Party, the credentials are displayed by the client platform or authenticator for the user to select from (see step 7 of § 6.3.3 The authenticatorGetAssertion Operation).
+    ///
+    /// If not empty, the client MUST return an error if none of the listed credentials can be used.
+    ///
+    /// The list is ordered in descending order of preference: the first item in the list is the most preferred credential, and the last is the least preferred.
+    /// </summary>
+    public IReadOnlyList<PublicKeyCredentialDescriptor> AllowedCredentials { get; init; } = Array.Empty<PublicKeyCredentialDescriptor>();
+    
+    /// <summary>
+    /// This OPTIONAL member specifies the Relying Party's requirements regarding user verification for the get() operation. The value SHOULD be a member of UserVerificationRequirement but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist. Eligible authenticators are filtered to only those capable of satisfying this requirement.
+    /// </summary>
+    public UserVerificationRequirement? UserVerification { get; init; }
+    
+    /// <summary>
+    /// The Relying Party MAY use this OPTIONAL member to provide client extension inputs requesting additional processing by the client and authenticator.
+    /// </summary>
+    public AuthenticationExtensionsClientInputs? Extensions { get; init; }
+}

Src/Fido2/IFido2.cs

@@ -8,10 +8,7 @@ namespace Fido2NetLib;
 
 public interface IFido2
 {
-    AssertionOptions GetAssertionOptions(
-        IReadOnlyList<PublicKeyCredentialDescriptor> allowedCredentials,
-        UserVerificationRequirement? userVerification,
-        AuthenticationExtensionsClientInputs? extensions = null);
+    AssertionOptions GetAssertionOptions(GetAssertionOptionsParams getAssertionOptionsParams);
 
     Task<VerifyAssertionResult> MakeAssertionAsync(MakeAssertionParams makeAssertionParams,
         CancellationToken cancellationToken = default);