passwordless-lib · Regenhardt · Dec 30, 2024 · Feb 21, 2025
diff --git a/BlazorWasmDemo/Server/Controllers/UserController.cs b/BlazorWasmDemo/Server/Controllers/UserController.cs
@@ -265,7 +265,7 @@ public async Task<string> MakeAssertionAsync([FromBody] AuthenticatorAssertionRa
             _pendingAssertions.Remove(key);
 
             // 2. Get registered credential from database
-            var creds = _demoStorage.GetCredentialById(clientResponse.Id) ?? throw new Exception("Unknown credentials");
+            var creds = _demoStorage.GetCredentialById(clientResponse.RawId) ?? throw new Exception("Unknown credentials");
 
             // 3. Make the assertion
             var res = await _fido2.MakeAssertionAsync(new MakeAssertionParams

diff --git a/Demo/Controller.cs b/Demo/Controller.cs
@@ -194,7 +194,7 @@ public async Task<JsonResult> MakeAssertion([FromBody] AuthenticatorAssertionRaw
             var options = AssertionOptions.FromJson(jsonOptions);
 
             // 2. Get registered credential from database
-            var creds = DemoStorage.GetCredentialById(clientResponse.Id) ?? throw new Exception("Unknown credentials");
+            var creds = DemoStorage.GetCredentialById(clientResponse.RawId) ?? throw new Exception("Unknown credentials");
 
             // 3. Get credential counter from database
             var storedCounter = creds.SignCount;

diff --git a/Demo/TestController.cs b/Demo/TestController.cs
@@ -181,7 +181,7 @@ public async Task<JsonResult> MakeAssertionTestAsync([FromBody] AuthenticatorAss
         var options = AssertionOptions.FromJson(jsonOptions);
 
         // 2. Get registered credential from database
-        var creds = _demoStorage.GetCredentialById(clientResponse.Id);
+        var creds = _demoStorage.GetCredentialById(clientResponse.RawId);
 
         // 3. Get credential counter from database
         var storedCounter = creds.SignCount;

diff --git a/Src/Fido2.Models/AuthenticatorAssertionRawResponse.cs b/Src/Fido2.Models/AuthenticatorAssertionRawResponse.cs
@@ -12,9 +12,11 @@ namespace Fido2NetLib;
 /// </summary>
 public class AuthenticatorAssertionRawResponse
 {
-    [JsonConverter(typeof(Base64UrlConverter))]
+    /// <summary>
+    /// A string containing the credential's identifier. Base64UrlEncoding of <seealso cref="RawId"/>.
+    /// </summary>
     [JsonPropertyName("id"), Required]
-    public byte[] Id { get; init; }
+    public string Id { get; init; }
 
     // might be wrong to base64url encode this...
     [JsonConverter(typeof(Base64UrlConverter))]

diff --git a/Src/Fido2.Models/AuthenticatorAttestationRawResponse.cs b/Src/Fido2.Models/AuthenticatorAttestationRawResponse.cs
@@ -9,9 +9,11 @@ namespace Fido2NetLib;
 
 public sealed class AuthenticatorAttestationRawResponse
 {
-    [JsonConverter(typeof(Base64UrlConverter))]
+    /// <summary>
+    /// A string containing the credential's identifier. Base64UrlEncoding of <seealso cref="RawId"/>.
+    /// </summary>
     [JsonPropertyName("id"), Required]
-    public byte[] Id { get; init; }
+    public string Id { get; init; }
 
     [JsonConverter(typeof(Base64UrlConverter))]
     [JsonPropertyName("rawId"), Required]

diff --git a/Src/Fido2/AuthenticatorAssertionResponse.cs b/Src/Fido2/AuthenticatorAssertionResponse.cs
@@ -77,7 +77,7 @@ public async Task<VerifyAssertionResult> VerifyAsync(
         if (options.AllowCredentials != null && options.AllowCredentials.Any())
         {
             // might need to transform x.Id and raw.id as described in https://www.w3.org/TR/webauthn/#publickeycredential
-            if (!options.AllowCredentials.Any(x => x.Id.SequenceEqual(Raw.Id)))
+            if (!options.AllowCredentials.Any(x => x.Id.SequenceEqual(Raw.RawId)))
                 throw new Fido2VerificationException(Fido2ErrorCode.InvalidAssertionResponse, Fido2ErrorMessages.CredentialIdNotInAllowedCredentials);
         }
 
@@ -87,7 +87,7 @@ public async Task<VerifyAssertionResult> VerifyAsync(
             if (UserHandle.Length is 0)
                 throw new Fido2VerificationException(Fido2ErrorMessages.UserHandleIsEmpty);
 
-            if (await isUserHandleOwnerOfCredId(new IsUserHandleOwnerOfCredentialIdParams(Raw.Id, UserHandle), cancellationToken) is false)
+            if (await isUserHandleOwnerOfCredId(new IsUserHandleOwnerOfCredentialIdParams(Raw.RawId, UserHandle), cancellationToken) is false)
             {
                 throw new Fido2VerificationException(Fido2ErrorCode.InvalidAssertionResponse, Fido2ErrorMessages.UserHandleNotOwnerOfPublicKey);
             }
@@ -177,7 +177,7 @@ public async Task<VerifyAssertionResult> VerifyAsync(
 
         return new VerifyAssertionResult
         {
-            CredentialId = Raw.Id,
+            CredentialId = Raw.RawId,
             SignCount = authData.SignCount,
             IsBackedUp = authData.IsBackedUp
 

diff --git a/Tests/Fido2.Tests/Attestation/Apple.cs b/Tests/Fido2.Tests/Attestation/Apple.cs
@@ -224,7 +224,7 @@ public async Task TestApplePublicKeyMismatch()
         var attestationResponse = new AuthenticatorAttestationRawResponse
         {
             Type = PublicKeyCredentialType.PublicKey,
-            Id = [0xf1, 0xd0],
+            Id = "8dA",
             RawId = [0xf1, 0xd0],
             Response = new AuthenticatorAttestationRawResponse.AttestationResponse
             {