Nedo.AspNet.Authentication.Local.Passkeys 2.0.3

.NET 9.0 This package targets .NET 9.0. The package is compatible with this framework or higher.
There is a newer version of this package available.
See the version list below for details. 
dotnet add package Nedo.AspNet.Authentication.Local.Passkeys --version 2.0.3
                    


                    

                
NuGet\Install-Package Nedo.AspNet.Authentication.Local.Passkeys -Version 2.0.3
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="Nedo.AspNet.Authentication.Local.Passkeys" Version="2.0.3" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="Nedo.AspNet.Authentication.Local.Passkeys" Version="2.0.3" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="Nedo.AspNet.Authentication.Local.Passkeys" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add Nedo.AspNet.Authentication.Local.Passkeys --version 2.0.3
                    


                    

                
#r "nuget: Nedo.AspNet.Authentication.Local.Passkeys, 2.0.3"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package Nedo.AspNet.Authentication.Local.Passkeys@2.0.3
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=Nedo.AspNet.Authentication.Local.Passkeys&version=2.0.3
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=Nedo.AspNet.Authentication.Local.Passkeys&version=2.0.3
                    


                            Install as a Cake Tool

Nedo.AspNet.Authentication.Local.Passkeys

Passkeys / WebAuthn (FIDO2) sign-in for Nedo.AspNet.Authentication.Local. Passwordless or step-up sign-in via Touch ID, Windows Hello, YubiKey, or phone-as-key (hybrid transport / cross-device QR).

Built on Fido2NetLib.

Install

dotnet add package Nedo.AspNet.Authentication.Local.Passkeys

Requires that Nedo.AspNet.Authentication.Local is already wired up (AddLocalAuthentication + AddLocalAuthStore).

Quickstart

using Nedo.AspNet.Authentication.Local.Passkeys;

builder.Services.AddPasskeys(opts =>
{
    // Bare host — no scheme, no port. MUST match the SPA's host exactly,
    // or browsers will reject every assertion as "not for this origin".
    opts.ServerDomain = "app.example.com";        // dev: "localhost"
    opts.ServerName   = "Acme Corp";              // shown by the authenticator UI
    opts.Origins      = new() { "https://app.example.com" };  // dev: "https://localhost:5173"
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapLocalAuth();
app.MapLocalAccount();
app.MapPasskeyEndpoints();    // /auth/passkey/* + /account/passkeys
app.Run();

The package registers IFido2, IMemoryCache (challenge state), and PasskeyService. The nedo_passkeys table is provisioned by AddLocalAuthStore itself — the entity + EF mapping ship in Local.

Endpoints

Method Path Auth Body
POST /auth/passkey/register/begin bearer { authenticatorAttachment? }CredentialCreateOptions JSON
POST /auth/passkey/register/finish bearer { attestationResponse, friendlyName? }
POST /auth/passkey/assertion/begin anon { username? } (omit for passwordless / discoverable) → AssertionOptions JSON
POST /auth/passkey/assertion/finish anon { assertionResponse, deviceInfo? }TokenResponse
GET /account/passkeys bearer — → list of registered credentials
DELETE /account/passkeys/{id} bearer

Frontend recipe (passwordless / discoverable)

// Sign-in
const opts = await fetch('/auth/passkey/assertion/begin', {
  method: 'POST',
  headers: { 'content-type': 'application/json' },
  body: JSON.stringify({}),  // omit username for the discoverable flow
}).then(r => r.json());

const assertion = await navigator.credentials.get({ publicKey: decodeB64Url(opts) });

const tokens = await fetch('/auth/passkey/assertion/finish', {
  method: 'POST',
  headers: { 'content-type': 'application/json' },
  body: JSON.stringify({ assertionResponse: encodeB64Url(assertion), deviceInfo: navigator.userAgent }),
}).then(r => r.json());
// → same TokenResponse shape as /auth/login

decodeB64Url / encodeB64Url are the standard WebAuthn helpers — see the bundled React sample's webauthn.ts for a copy-pasteable pair.

Pipeline integration

FinishAssertionAsync runs the same gates as a password sign-in:

  1. FIDO2 signature verification + counter regression check (cloned-authenticator detection).
  2. ILockoutPolicy.IsLockedOutAsync — passkey users lock out under the same policy.
  3. IMultiFactorChallenge.IsRequiredAsync — TOTP gating still applies.
  4. Every IPostLoginCheck — TOS / tenant / trial gates apply uniformly.
  5. SessionTokenIssuer.IssueNewSessionAsync — same TokenResponse shape, same refresh-token family bookkeeping.

So a passkey login is a true peer of password sign-in, not a side door.

Pitfalls

  • ServerDomain must match the SPA's host exactly (no scheme, no port). Common mistake: registering with "localhost" and signing in from "127.0.0.1".
  • Origins must include the scheme + port. https://app.example.com ✓ — app.example.com ✗.
  • Resident keys are required by default so credentials work in the discoverable / passwordless flow.
  • localhost works for same-device WebAuthn, but cross-device hybrid (iPhone scanning desktop QR) requires HTTPS + a hostname the iPhone can reach. Use ngrok https 5173 for dev and update ServerDomain + Origins to match.

Full guide: docs/providers/passkeys.md.

Package Role
Nedo.AspNet.Authentication.Local Required peer — provides IUserStore, SessionTokenIssuer, the EF schema.
Nedo.AspNet.Authentication.Totp Step-up MFA on top of passkey assertion.

License

MIT — see LICENSE.

Product Compatible and additional computed target framework versions.
.NET net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 was computed.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
2.0.9 99 5/11/2026
2.0.8 86 5/6/2026
2.0.7 89 5/5/2026
2.0.6 90 5/5/2026
2.0.4 88 5/4/2026
2.0.3 89 5/4/2026
2.0.2 91 5/2/2026
2.0.1 86 5/2/2026
2.0.0 101 5/1/2026