Change Id to be received as string instead of decoded (#586)

RawId is decoded to the raw byte value, while Id is the same value in base64url-encoded form.

Co-authored-by: Anders Åberg <[email protected]>

Author: Regenhardt

BlazorWasmDemo/Server/Controllers/UserController.cs

@@ -265,7 +265,7 @@ public async Task<string> MakeAssertionAsync([FromBody] AuthenticatorAssertionRa
             _pendingAssertions.Remove(key);
 
             // 2. Get registered credential from database
-            var creds = _demoStorage.GetCredentialById(clientResponse.Id) ?? throw new Exception("Unknown credentials");
+            var creds = _demoStorage.GetCredentialById(clientResponse.RawId) ?? throw new Exception("Unknown credentials");
 
             // 3. Make the assertion
             var res = await _fido2.MakeAssertionAsync(new MakeAssertionParams

Demo/Controller.cs

@@ -194,7 +194,7 @@ public async Task<JsonResult> MakeAssertion([FromBody] AuthenticatorAssertionRaw
             var options = AssertionOptions.FromJson(jsonOptions);
 
             // 2. Get registered credential from database
-            var creds = DemoStorage.GetCredentialById(clientResponse.Id) ?? throw new Exception("Unknown credentials");
+            var creds = DemoStorage.GetCredentialById(clientResponse.RawId) ?? throw new Exception("Unknown credentials");
 
             // 3. Get credential counter from database
             var storedCounter = creds.SignCount;

Demo/TestController.cs

@@ -181,7 +181,7 @@ public async Task<JsonResult> MakeAssertionTestAsync([FromBody] AuthenticatorAss
         var options = AssertionOptions.FromJson(jsonOptions);
 
         // 2. Get registered credential from database
-        var creds = _demoStorage.GetCredentialById(clientResponse.Id);
+        var creds = _demoStorage.GetCredentialById(clientResponse.RawId);
 
         // 3. Get credential counter from database
         var storedCounter = creds.SignCount;

Src/Fido2.Models/AuthenticatorAssertionRawResponse.cs

@@ -12,9 +12,11 @@ namespace Fido2NetLib;
 /// </summary>
 public class AuthenticatorAssertionRawResponse
 {
-    [JsonConverter(typeof(Base64UrlConverter))]
+    /// <summary>
+    /// A string containing the credential's identifier. Base64UrlEncoding of <seealso cref="RawId"/>.
+    /// </summary>
     [JsonPropertyName("id"), Required]
-    public byte[] Id { get; init; }
+    public string Id { get; init; }
 
     // might be wrong to base64url encode this...
     [JsonConverter(typeof(Base64UrlConverter))]

Src/Fido2.Models/AuthenticatorAttestationRawResponse.cs

@@ -9,9 +9,11 @@ namespace Fido2NetLib;
 
 public sealed class AuthenticatorAttestationRawResponse
 {
-    [JsonConverter(typeof(Base64UrlConverter))]
+    /// <summary>
+    /// A string containing the credential's identifier. Base64UrlEncoding of <seealso cref="RawId"/>.
+    /// </summary>
     [JsonPropertyName("id"), Required]
-    public byte[] Id { get; init; }
+    public string Id { get; init; }
 
     [JsonConverter(typeof(Base64UrlConverter))]
     [JsonPropertyName("rawId"), Required]

Src/Fido2/AuthenticatorAssertionResponse.cs

@@ -77,7 +77,7 @@ public async Task<VerifyAssertionResult> VerifyAsync(
         if (options.AllowCredentials != null && options.AllowCredentials.Any())
         {
             // might need to transform x.Id and raw.id as described in https://www.w3.org/TR/webauthn/#publickeycredential
-            if (!options.AllowCredentials.Any(x => x.Id.SequenceEqual(Raw.Id)))
+            if (!options.AllowCredentials.Any(x => x.Id.SequenceEqual(Raw.RawId)))
                 throw new Fido2VerificationException(Fido2ErrorCode.InvalidAssertionResponse, Fido2ErrorMessages.CredentialIdNotInAllowedCredentials);
         }
 
@@ -87,7 +87,7 @@ public async Task<VerifyAssertionResult> VerifyAsync(
             if (UserHandle.Length is 0)
                 throw new Fido2VerificationException(Fido2ErrorMessages.UserHandleIsEmpty);
 
-            if (await isUserHandleOwnerOfCredId(new IsUserHandleOwnerOfCredentialIdParams(Raw.Id, UserHandle), cancellationToken) is false)
+            if (await isUserHandleOwnerOfCredId(new IsUserHandleOwnerOfCredentialIdParams(Raw.RawId, UserHandle), cancellationToken) is false)
             {
                 throw new Fido2VerificationException(Fido2ErrorCode.InvalidAssertionResponse, Fido2ErrorMessages.UserHandleNotOwnerOfPublicKey);
             }
@@ -177,7 +177,7 @@ public async Task<VerifyAssertionResult> VerifyAsync(
 
         return new VerifyAssertionResult
         {
-            CredentialId = Raw.Id,
+            CredentialId = Raw.RawId,
             SignCount = authData.SignCount,
             IsBackedUp = authData.IsBackedUp
 

Tests/Fido2.Tests/Attestation/Apple.cs

@@ -224,7 +224,7 @@ public async Task TestApplePublicKeyMismatch()
         var attestationResponse = new AuthenticatorAttestationRawResponse
         {
             Type = PublicKeyCredentialType.PublicKey,
-            Id = [0xf1, 0xd0],
+            Id = "8dA",
             RawId = [0xf1, 0xd0],
             Response = new AuthenticatorAttestationRawResponse.AttestationResponse
             {