[deps] Auth: Update Fido2.AspNet to v4

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Fido2.AspNet	3.0.1 → 4.0.0

---

Release Notes

passwordless-lib/fido2-net-lib (Fido2.AspNet)

v4.0.0: - At last

I believe it's finally time to ship a new stable version, after shipping 17 betas of the 4.0.0 branch.

4.0 contains lots of breaking changes to the API, but also contains support for modern .net features and a lot of cleanups in terms of the webauthn implementation.

We wanted to include some refreshments to our MDS implementation and use of cache -- but we're punting it to a future release.

Here's a migration guide, authored by claude ai to get you started: https://github.com/passwordless-lib/fido2-net-lib/blob/main/Documentation/migration-guide-4.0.0.md

What's Changed

• Added draft of Vulnerability Disclosure Program by @​abergs in #​315
• Format Tests by @​iamcarbon in #​320
• fix: usernameless demos by @​imqdee in #​324
• Improve exception handling by @​iamcarbon in #​323
• Improve Code Quality by @​iamcarbon in #​326
• Updated sourcelink by @​abergs in #​327
• Fix serialization error in Demo. Fixes #​328 by @​abergs in #​329
• added [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicFields)] annotations to generic enums by @​filipw in #​330
• Check return value from Base64.DecodeFromUtf8InPlace(), throw if error by @​aseigler in #​331
• Implement support for apple-appattest attestation format by @​aseigler in #​322
• Add Mac and Linux to test pipeline by @​aseigler in #​332
• Pipelines fixes by @​abergs in #​333
• Support ResidentKeyRequirement by @​dIeGoLi in #​311
• Use file scoped namespaces by @​iamcarbon in #​343
• Fix TestAppleAppAttestProd test on macOS & Linux by @​iamcarbon in #​347
• Fixed clientDataJSON name by @​namespacedevbox in #​348
• Improve error handling by @​iamcarbon in #​344
• Update link in Readme by @​mlh758 in #​354
• Update tests to get clean CI by @​aseigler in #​355
• Fixes Fido2Configuration.FullyQualifiedOrigins contains a null entry when configured from a configuration section on .NET 7 in #​360
• Improve Code Quality by @​iamcarbon in #​352
• Fix Conformance Test by @​iamcarbon in #​363
• Strongly type AaGuid by @​iamcarbon in #​362
• SourceLink consolidation by @​Regenhardt in #​384
• WIP: Support device public key and passkeys by @​aseigler in #​356
• Simplify enum mapping & update specification links by @​iamcarbon in #​368
• Make Origins readonly by @​Regenhardt in #​393
• Feature/blazor wasm by @​Regenhardt in #​379
• Use correct Origin in Blazor example by @​abergs in #​408
• Support for PRF Extension by @​kspearrin in #​390
• Improve Code Quality by @​iamcarbon in #​405
• Fix demo project starting exception: change TargetFrameworks to TargetFramework by @​yedidyas in #​403
• Fix AuthenticationExtensionsClientInputs Example json prop name for conformance tests by @​yedidyas in #​404
• [WIP] Make AuthenticatorData immutable and strongly type throughout library by @​iamcarbon in #​412
• Add .bool to Output aswell by @​abergs in #​409
• Added Enterprise attestation by @​abergs in #​410
• Prefer Ed25519 when available by @​abergs in #​413
• Add CredentialPropertiesOuput (RK Support) by @​abergs in #​411
• Enable C# 11 and embed base64 encoded certificates as UTF-8 data by @​iamcarbon in #​414
• Cleanup by @​iamcarbon in #​417
• Improve Code Quality by @​iamcarbon in #​421
• [WIP] Improve Code Quality by @​iamcarbon in #​422
• dotnet format by @​abergs in #​425
• Breakout development services & improve naming by @​iamcarbon in #​427
• Add smart-card and hybrid transports by @​dbeinder in #​430
• Use DateTimeOffset by @​joegoldman2 in #​434
• Remove AuthenticatorSelection extension by @​joegoldman2 in #​435
• Rename Fido2NetLib.cs file to Fido2.cs in order to match with the class name by @​joegoldman2 in #​438
• Update to latest version of FIDO Metadata Service by @​joegoldman2 in #​442
• Fix GitHub repository url by @​joegoldman2 in #​451
• Update System.IdentityModel.Tokens.Jwt and xunit by @​iamcarbon in #​431
• Rename CredentialMakeResult to MakeNewCredentialResult and adjust its namespace by @​joegoldman2 in #​433
• Remove hardcoded Metadata Service BLOB url to allow users to override it by @​joegoldman2 in #​444
• Add some missing comments on public methods by @​joegoldman2 in #​440
• Rename AuthenticatorAttestationRawResponse.ResponseData to AttestationResponse by @​joegoldman2 in #​455
• Rename clientDataJson to clientDataJSON by @​joegoldman2 in #​450
• Align MSBuild properties across all projects by @​joegoldman2 in #​437
• Update timeout data type to ulong by @​joegoldman2 in #​462
• Rename origChallenge parameter in Fido2.MakeNewCredentialAsync by @​joegoldman2 in #​460
• Added github workflow for building, testing and packing by @​abergs in #​464
• Removed publishing step from PRs by @​abergs in #​475
• Use net8.0 SDK by @​iamcarbon in #​468
• Map authenticator transports on server side by @​joegoldman2 in #​453
• List<PublicKeyCredentialDescriptor>/IEnumerable<PublicKeyCredentialDescriptor> to IReadOnlyList<PublicKeyCredentialDescriptor> by @​joegoldman2 in #​447
• Update AttestationVerifier api to Async by @​iamcarbon in #​458
• Remove binary serialization by @​iamcarbon in #​465
• Change List<byte[]> storedDevicePublicKeys to IReadOnlyList<byte[]> by @​joegoldman2 in #​477
• Publish packages to nuget by @​abergs in #​479
• Pubhlish to nuget by @​abergs in #​481
• Pubhlish to nuget by @​abergs in #​483
• Pubhlish to nuget by @​abergs in #​484
• Rename 'extensions' to 'clientExtensionResults' for deserialization by @​jonashendrickx in #​474
• Rename extensions to clientExtensionResults by @​joegoldman2 in #​485
• [Draft] Add credProtect extension to Fido2.Models by @​dbeinder in #​448
• Migrate to Microsoft.IdentityModel.JsonWebTokens by @​iamcarbon in #​476
• Tidy up tests by @​iamcarbon in #​494
• Review lifecycle of services registered in the DI container by @​joegoldman2 in #​459
• Drop assertion-time attestation by @​joegoldman2 in #​499
• Generate XML documentation file by @​joegoldman2 in #​502
• Tidying by @​iamcarbon in #​500
• Update to .NET 8 by @​joegoldman2 in #​503
• Rename Base64Converter.cs to Base64UrlConverter.cs by @​joegoldman2 in #​506
• NuGet.org signatures have been updated - Fix Build by @​jonashendrickx in #​525
• Added authenticatorDisplayName to ClientPropertiesOutput by @​aritma-fredrikef in #​526
• Improve Code Quality by @​iamcarbon in #​509
• Add support for largeBlob extension by @​geel9 in #​508
• Missing nullable enable due to merges by @​abergs in #​527
• Implement PublicKeyCredentialHint for WebAuthn L3 by @​jonashendrickx in #​524
• Resolve StoredCredential.Descriptor at access(?) by @​abergs in #​528
• Remove base-class, Status and ErrorMessage by @​abergs in #​529
• Update MetadataStatement to include friendly names by @​joegoldman2 in #​544
• conformance 1.7.20 4 by @​abergs in #​531
• Fixing demo project makeAssertionOptions.status processing by @​Fasjeit in #​551
• Move Test folder to Tests/Fido2.Tests by @​joegoldman2 in #​549
• Various cleanup by @​joegoldman2 in #​558
• Wrap arguments into classes by @​abergs in #​556
• README.md Medium link fixed by @​jiiggy in #​539
• Supporting attestation formats by @​jonashendrickx in #​530
• Drop support for device public key (dpk) by @​abergs in #​567
• Update Dependencies by @​iamcarbon in #​569
• Change TPM manufacturer sting comparison handling by @​aseigler in #​568
• Move KeyTypeParameter validation from CredentialPublicKey.Verify() into constructors by @​aseigler in #​571
• use coerceToArrayBuffer to post-process assertion options in Demo js by @​dradovic in #​467
• AuthenticatorSelection Default to discourage UV by @​abergs in #​564
• Fix attestationObj camelCase by @​abergs in #​576
• Change AuthenticatorSelection.Default ResidentKey from discouraged to Preferred by @​abergs in #​563
• Use BCL Base64Url implementation by @​iamcarbon in #​575
• Introduce wrapping objects for Options-methods by @​abergs in #​562
• Explain EnableRelaxedDecoding by @​abergs in #​578
• Allow customised pubKeyCredParams by @​abergs in #​579
• [Models] Enable nullable (1 of x) by @​iamcarbon in #​581
• [Models] Enable nullable (2 of 2) by @​iamcarbon in #​585
• Update Github actions by @​Regenhardt in #​590
• Base64Url Id instead of byte[] by @​Regenhardt in #​586
• Update Dependencies by @​ektrah in #​595
• Allow github push to fail while pushing to nuget by @​abergs in #​596
• fix nuget force by @​abergs in #​597
• Conformance fix: Remove trustpath subject-issuer comparison by @​abergs in #​555

New Contributors

• @​imqdee made their first contribution in #​324
• @​filipw made their first contribution in #​330
• @​namespacedevbox made their first contribution in #​348
• @​mlh758 made their first contribution in #​354
• @​Regenhardt made their first contribution in #​384
• @​kspearrin made their first contribution in #​390
• @​yedidyas made their first contribution in #​403
• @​dbeinder made their first contribution in #​430
• @​joegoldman2 made their first contribution in #​434
• @​jonashendrickx made their first contribution in #​474
• @​aritma-fredrikef made their first contribution in #​526
• @​geel9 made their first contribution in #​508
• @​Fasjeit made their first contribution in #​551
• @​jiiggy made their first contribution in #​539
• @​dradovic made their first contribution in #​467
• @​ektrah made their first contribution in #​595

Full Changelog: passwordless-lib/fido2-net-lib@v3.0.1...4.0.0

---

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bitwarden-bot]

Internal tracking:

• ID: PM-25806
• Link: https://bitwarden.atlassian.net/browse/PM-25806

[abergs]

Yeah this version bump requires a few updates to the interfaces. We probably need a ticket to track this work @ike-kottlowski.

[claude]

Claude finished @renovate[bot]'s task in 1m 55s —— View job

---

Code Review Summary

Reviewed PR: [deps] Auth: Update Fido2.AspNet to v4 (#6328)

Overview

This Renovate-generated PR updates the Fido2.AspNet package from 3.0.1 to 4.0.0. The change is limited to a single line in src/Core/Core.csproj.

Assessment

This PR is incomplete and will not build in its current state.

As noted by @abergs, Fido2.AspNet 4.0.0 contains numerous breaking API changes. The version bump alone, without corresponding code updates, will cause compilation failures.

Breaking Changes Requiring Migration

Based on analysis of the codebase's Fido2 usage (21 files), the following breaking changes from the migration guide will require attention:

1. Status/ErrorMessage properties removed
The result types no longer have Status and ErrorMessage properties. Failures now throw Fido2VerificationException. Affected files:

• /home/runner/work/server/server/src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs (line 122: res.Status == "ok")
• /home/runner/work/server/server/src/Core/Auth/UserFeatures/WebAuthnLogin/Implementations/AssertWebAuthnLoginCredentialCommand.cs (lines 56-58: assertionVerificationResult.Status != "ok")

2. API method signature changes
Methods like RequestNewCredential, GetAssertionOptions, MakeNewCredentialAsync, and MakeAssertionAsync have updated signatures with wrapped parameter objects.

3. Type changes

• CredentialMakeResult renamed to MakeNewCredentialResult
• byte[] to Base64Url type changes for credential IDs
• AaGuid is now a strongly typed struct

4. Callback delegate changes
IsCredentialIdUniqueToUserAsyncDelegate and IsUserHandleOwnerOfCredentialIdAsync may have updated signatures.

Files Requiring Updates

The following files use Fido2 types and will likely need modification:

• src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs
• src/Core/Auth/UserFeatures/WebAuthnLogin/Implementations/*Command.cs (4 files)
• src/Core/Auth/UserFeatures/WebAuthnLogin/I*Command.cs (4 interface files)
• src/Core/Services/Implementations/UserService.cs
• src/Core/Auth/Models/TwoFactorProvider.cs
• src/Api/Auth/Controllers/TwoFactorController.cs
• Various request/response models

Recommendation

This PR should remain open as a tracking mechanism but requires significant implementation work before merging. The migration should:

1. Update all Fido2 API call sites to match the new 4.0 signatures
2. Replace Status == "ok" checks with try-catch for Fido2VerificationException
3. Update type usages for renamed/changed types
4. Add or update unit tests to cover the migration changes
5. Verify WebAuthn registration and authentication flows work end-to-end

The internal ticket (PM-25806) should track this implementation work.

---

Automated code review by Claude

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[github-actions]

Checkmarx One – Scan Summary & Details – 9191bf3a-d80d-421d-abb4-bd39569ab083

Great job! No new security vulnerabilities introduced in this pull request