[PM-2032] Server endpoints to support authentication with a passkey (#3361)

* [PM-2032] feat: add assertion options tokenable

* [PM-2032] feat: add request and response models

* [PM-2032] feat: implement `assertion-options` identity endpoint

* [PM-2032] feat: implement authentication with passkey

* [PM-2032] chore: rename to `WebAuthnGrantValidator`

* [PM-2032] fix: add missing subsitute

* [PM-2032] feat: start adding builder

* [PM-2032] feat: add support for KeyConnector

* [PM-2032] feat: add first version of TDE

* [PM-2032] chore: refactor WithSso

* [PM-2023] feat: add support for TDE feature flag

* [PM-2023] feat: add support for approving devices

* [PM-2023] feat: add support for hasManageResetPasswordPermission

* [PM-2032] feat: add support for hasAdminApproval

* [PM-2032] chore: don't supply device if not necessary

* [PM-2032] chore: clean up imports

* [PM-2023] feat: extract interface

* [PM-2023] chore: add clarifying comment

* [PM-2023] feat: use new builder in production code

* [PM-2032] feat: add support for PRF

* [PM-2032] chore: clean-up todos

* [PM-2023] chore: remove token which is no longer used

* [PM-2032] chore: remove todo

* [PM-2032] feat: improve assertion error handling

* [PM-2032] fix: linting issues

* [PM-2032] fix: revert changes to `launchSettings.json`

* [PM-2023] chore: clean up assertion endpoint

* [PM-2032] feat: bypass 2FA

* [PM-2032] fix: rename prf option to singular

* [PM-2032] fix: lint

* [PM-2032] fix: typo

* [PM-2032] chore: improve builder tests

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>

* [PM-2032] chore: clarify why we don't require 2FA

* [PM-2023] feat: move `identityProvider` constant to common class

* [PM-2032] fix: lint

* [PM-2023] fix: move `IdentityProvider` to core.Constants

* [PM-2032] fix: missing import

* [PM-2032] chore: refactor token timespan to use `TimeSpan`

* [PM-2032] chore: make `StartWebAuthnLoginAssertion` sync

* [PM-2032] chore: use `FromMinutes`

* [PM-2032] fix: change to 17 minutes to cover webauthn assertion

* [PM-2032] chore: do not use `async void`

* [PM-2032] fix: comment saying wrong amount of minutes

* [PM-2032] feat: put validator behind feature flag

* [PM-2032] fix: lint

---------

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>

src/Identity/IdentityServer/WebAuthnGrantValidator.cs

@@ -0,0 +1,150 @@
+using System.Security.Claims;
+using System.Text.Json;
+using Bit.Core;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Identity;
+using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Tokens;
+using Fido2NetLib;
+using IdentityServer4.Models;
+using IdentityServer4.Validation;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Caching.Distributed;
+
+namespace Bit.Identity.IdentityServer;
+
+public class WebAuthnGrantValidator : BaseRequestValidator<ExtensionGrantValidationContext>, IExtensionGrantValidator
+{
+    public const string GrantType = "webauthn";
+
+    private readonly IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable> _assertionOptionsDataProtector;
+
+    public WebAuthnGrantValidator(
+        UserManager<User> userManager,
+        IDeviceRepository deviceRepository,
+        IDeviceService deviceService,
+        IUserService userService,
+        IEventService eventService,
+        IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IApplicationCacheService applicationCacheService,
+        IMailService mailService,
+        ILogger<CustomTokenRequestValidator> logger,
+        ICurrentContext currentContext,
+        GlobalSettings globalSettings,
+        ISsoConfigRepository ssoConfigRepository,
+        IUserRepository userRepository,
+        IPolicyService policyService,
+        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
+        IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable> assertionOptionsDataProtector,
+        IFeatureService featureService,
+        IDistributedCache distributedCache,
+        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder
+        )
+        : base(userManager, deviceRepository, deviceService, userService, eventService,
+            organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
+            applicationCacheService, mailService, logger, currentContext, globalSettings,
+            userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository, distributedCache, userDecryptionOptionsBuilder)
+    {
+        _assertionOptionsDataProtector = assertionOptionsDataProtector;
+    }
+
+    string IExtensionGrantValidator.GrantType => "webauthn";
+
+    public async Task ValidateAsync(ExtensionGrantValidationContext context)
+    {
+        if (!FeatureService.IsEnabled(FeatureFlagKeys.PasswordlessLogin, CurrentContext))
+        {
+            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
+            return;
+        }
+
+        var rawToken = context.Request.Raw.Get("token");
+        var rawDeviceResponse = context.Request.Raw.Get("deviceResponse");
+        if (string.IsNullOrWhiteSpace(rawToken) || string.IsNullOrWhiteSpace(rawDeviceResponse))
+        {
+            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
+            return;
+        }
+
+        var verified = _assertionOptionsDataProtector.TryUnprotect(rawToken, out var token) &&
+            token.TokenIsValid(WebAuthnLoginAssertionOptionsScope.Authentication);
+        var deviceResponse = JsonSerializer.Deserialize<AuthenticatorAssertionRawResponse>(rawDeviceResponse);
+
+        if (!verified)
+        {
+            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest);
+            return;
+        }
+
+        var (user, credential) = await _userService.CompleteWebAuthLoginAssertionAsync(token.Options, deviceResponse);
+        var validatorContext = new CustomValidatorRequestContext
+        {
+            User = user,
+            KnownDevice = await KnownDeviceAsync(user, context.Request)
+        };
+
+        UserDecryptionOptionsBuilder.WithWebAuthnLoginCredential(credential);
+
+        await ValidateAsync(context, context.Request, validatorContext);
+    }
+
+    protected override Task<bool> ValidateContextAsync(ExtensionGrantValidationContext context,
+        CustomValidatorRequestContext validatorContext)
+    {
+        if (validatorContext.User == null)
+        {
+            return Task.FromResult(false);
+        }
+
+        return Task.FromResult(true);
+    }
+
+    protected override Task SetSuccessResult(ExtensionGrantValidationContext context, User user,
+        List<Claim> claims, Dictionary<string, object> customResponse)
+    {
+        context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
+            identityProvider: Constants.IdentityProvider,
+            claims: claims.Count > 0 ? claims : null,
+            customResponse: customResponse);
+        return Task.CompletedTask;
+    }
+
+    protected override ClaimsPrincipal GetSubject(ExtensionGrantValidationContext context)
+    {
+        return context.Result.Subject;
+    }
+
+    protected override Task<Tuple<bool, Organization>> RequiresTwoFactorAsync(User user, ValidatedTokenRequest request)
+    {
+        // We consider Fido2 userVerification a second factor, so we don't require a second factor here.
+        return Task.FromResult(new Tuple<bool, Organization>(false, null));
+    }
+
+    protected override void SetTwoFactorResult(ExtensionGrantValidationContext context,
+        Dictionary<string, object> customResponse)
+    {
+        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
+            customResponse);
+    }
+
+    protected override void SetSsoResult(ExtensionGrantValidationContext context,
+        Dictionary<string, object> customResponse)
+    {
+        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
+            customResponse);
+    }
+
+    protected override void SetErrorResult(ExtensionGrantValidationContext context,
+        Dictionary<string, object> customResponse)
+    {
+        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
+    }
+}