swiss-ssi-group/swiyu-idp-mfa-aspire-aspnetcore

swiyu Duende IDP MFA Aspire ASP.NET Core

.NET

Getting started:

Blogs

Blogs loa, loi

Overview

A Duende identity server is used as an OpenID Connect server for web applications. When the user authenticates, the Swiss E-ID can be used as a second factor. The applications are implemented using Aspire, ASP.NET Core and the Swiss public beta generic containers. The containers implement the OpenID verifiable credential standards and provide a simple API to integrate applications. Using swiyu is simple, but it is not a good way of doing authentication because it is not phishing resistant.

Architecture

Used OSS packages, containers, repositories

Register Flow (Authentication Flow using password and MFA (swiyu direct))

Used data: given_name, family_name, birth_date and birth_place.

  1. User already has an account and would like to attach an E-ID for authentication
  2. User registers MFA swiyu
  3. User validates authentication using E-ID
  4. User authenticates using password and swiyu

Note: authentication using E-ID is NOT phishing resistant. Passkeys would be better.

Login Flow

  1. User enters username (email)
  2. User enters email
  3. User verifies using swiyu, validates against DB
  4. Sign-in and create cookie
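
Step 3 of the login flow, shown as an added C# example that is not taken from this repository: the claims from a verified swiyu presentation are compared with the values stored for the account the user entered, and any missing or differing claim rejects the login. `StoredSwiyuIdentity`, `SwiyuClaimMatcher`, the normalization rule and the per-account lookup are assumptions; the claim names come from the "Used data" line above.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Constructed sample data, not real credential output.
var stored = new StoredSwiyuIdentity("Anna", "Muster", "1990-01-31", "Bern");
var claims = new Dictionary<string, string>
{
    ["given_name"] = "anna ", ["family_name"] = "Muster",
    ["birth_date"] = "1990-01-31", ["birth_place"] = "Bern",
};
Console.WriteLine(SwiyuClaimMatcher.Matches(claims, stored));
claims.Remove("birth_place"); // a presentation that lacks one required claim
Console.WriteLine(SwiyuClaimMatcher.Matches(claims, stored));

// Hypothetical shape of the identity data saved when swiyu MFA was registered.
public sealed record StoredSwiyuIdentity(
    string GivenName, string FamilyName, string BirthDate, string BirthPlace);

public static class SwiyuClaimMatcher
{
    // Trim, NFC-normalize and upper-case so equivalent spellings compare equal.
    private static string Canon(string value) =>
        value.Trim().Normalize(NormalizationForm.FormC).ToUpperInvariant();

    // True only if all four claims are present, non-empty and equal to the
    // values stored for this account. Anything else fails closed.
    public static bool Matches(
        IReadOnlyDictionary<string, string> verifiedClaims, StoredSwiyuIdentity stored)
    {
        if (verifiedClaims is null || stored is null) return false;
        var expected = new Dictionary<string, string>
        {
            ["given_name"] = stored.GivenName, ["family_name"] = stored.FamilyName,
            ["birth_date"] = stored.BirthDate, ["birth_place"] = stored.BirthPlace,
        };
        foreach (var (name, storedValue) in expected)
        {
            if (!verifiedClaims.TryGetValue(name, out var presented)
                || string.IsNullOrWhiteSpace(presented) || string.IsNullOrWhiteSpace(storedValue)
                || !string.Equals(Canon(presented), Canon(storedValue), StringComparison.Ordinal))
                return false;
        }
        return true;
    }
}
```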

Authentication Flow (swiyu direct)

Note: authentication using E-ID is NOT phishing resistant. Passkeys would be better.

Recovery flow (name change)

2FA flow

See Pages/Account/Manage/Swiyu.cshtml

Details in blog.

Password reset flow

See ForgotPasswordSwiyu Razor page.

Details in blog.

Onboarding Flow (swiyu generic verifier)

Use Swiyu together with passkeys

Step up authentication

Links

https://swiyu-admin-ch.github.io/cookbooks/how-to-use-beta-id/

https://swiyu-admin-ch.github.io/cookbooks/onboarding-generic-verifier/

https://damienbod.com/2022/10/17/is-scanning-qr-codes-for-authentication-safe/

https://damienbod.com/2022/02/14/problems-with-online-user-authentication-when-using-self-sovereign-identity/