Example of Aspire implementing Level of Identification (LoI) and Level of Authentication (LoA) using swiyu passkeys authentication in Duende IdentityServer with ASP.NET Core Identity.
- Digital authentication and identity validation
- Set the amr claim when using passkeys authentication in ASP.NET Core
- Implementing Level of Authentication (LoA) with ASP.NET Core Identity and Duende
- Implementing Level of Identification (LoI) with ASP.NET Core Identity and Duende
- Force step up authentication in web applications
- Use client assertions in ASP.NET Core using OpenID Connect, OAuth DPoP and OAuth PAR
- Secure the swiyu container using a YARP proxy
- Add Application security to the swiyu generic management verifier APIs using OAuth
- loa.400 : passkeys, (public/private key certificate authentication)
- loa.300 : authenticator apps, OpenID verifiable credentials (E-ID, swiyu)
- loa.200 : SMS, email, TOTP, 2-step
- loa.100 : single factor, SAS key, API Keys, passwords, OTP
- loi.500 : Offline Human identification by trusted official in trustworthy organisation.
- loi.400 : OpenID verifiable credentials (E-ID, swiyu), government issued.
- loi.300 : Digital online check with person
- loi.200 : Digital video without person
- loi.100 : Email & SMS validation
The solution uses a web application which authenticates using OpenID Connect, OAuth PAR and OAuth DPoP. The IDP is implemented using Duende and ASP.NET Core Identity. Users authenticate with passkeys. The server returns claims to the client application, including the amr claim with the "pop" value.
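One way a client application could enforce these levels, shown as an added example that is not code from this repository: an ASP.NET Core authorization requirement that admits a user only when a level claim reaches a minimum value and the amr claim contains "pop". The claim type name `loa`, the use of the `loa.NNN` strings as claim values, the class names and the policy name are assumptions.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Added example. Assumes the claim types arrive as "loa" and "amr", which
// requires inbound claim mapping to be disabled on the client's OIDC handler.
public sealed class MinimumLoaRequirement : IAuthorizationRequirement
{
    public MinimumLoaRequirement(int minimumLevel, string? requiredAmr = null)
    {
        MinimumLevel = minimumLevel;
        RequiredAmr = requiredAmr;
    }
    public int MinimumLevel { get; }
    public string? RequiredAmr { get; }
}

public sealed class MinimumLoaHandler : AuthorizationHandler<MinimumLoaRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumLoaRequirement requirement)
    {
        // Highest well-formed "loa.NNN" value; missing or malformed claims count as 0.
        var level = context.User.FindAll("loa")
            .Select(c => ParseLevel(c.Value, "loa."))
            .DefaultIfEmpty(0)
            .Max();

        // A JSON array in the token becomes one "amr" claim per array element.
        var amrOk = requirement.RequiredAmr is null
            || context.User.FindAll("amr").Any(c => c.Value == requirement.RequiredAmr);

        if (level >= requirement.MinimumLevel && amrOk) context.Succeed(requirement);
        return Task.CompletedTask; // not succeeding leaves the requirement unmet (fail closed)
    }

    // Accepts only "<prefix><digits>"; anything else is level 0.
    public static int ParseLevel(string value, string prefix) =>
        value.StartsWith(prefix, StringComparison.Ordinal)
        && int.TryParse(value.AsSpan(prefix.Length), NumberStyles.None,
            CultureInfo.InvariantCulture, out var n)
            ? n : 0;
}

// Registration in Program.cs (policy name is hypothetical):
// builder.Services.AddSingleton<IAuthorizationHandler, MinimumLoaHandler>();
// builder.Services.AddAuthorizationBuilder().AddPolicy("RequireLoa400",
//     p => p.AddRequirements(new MinimumLoaRequirement(400, "pop")));
```

A page or endpoint protected by this policy rejects sessions that were established with a weaker method, which is the point at which a step-up challenge would be triggered.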
https://podman-desktop.io/docs/troubleshooting/troubleshooting-podman

```
podman machine start
```

```
dotnet ef migrations add InitialCreate
dotnet ef database update
```

- ImageMagick: https://github.com/manuelbl/QrCodeGenerator/tree/master/Demo-ImageMagick
- Microsoft Aspire: https://learn.microsoft.com/en-us/dotnet/aspire/get-started/aspire-overview
- Net.Codecrete.QrCodeGenerator: https://github.com/manuelbl/QrCodeGenerator/
- swiyu
- Duende
swiyu-admin-ch/swiyu-verifier#223
https://openid.net/specs/openid-connect-eap-acr-values-1_0-final.html
https://datatracker.ietf.org/doc/html/rfc8176
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/claims
https://damienbod.com/2025/12/20/digital-authentication-and-identity-validation/
https://github.com/DuendeSoftware/samples/tree/main/IdentityServer/v7/UserInteraction/StepUp
https://datatracker.ietf.org/doc/rfc9470/
https://www.rfc-editor.org/rfc/rfc8485.html
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
https://www.eid.admin.ch/en/public-beta-e
https://learn.microsoft.com/en-us/dotnet/aspire/get-started/aspire-overview
https://www.npmjs.com/package/ngrok
https://swiyu-admin-ch.github.io/specifications/interoperability-profile/
https://andrewlock.net/converting-a-docker-compose-file-to-aspire/
https://swiyu-admin-ch.github.io/cookbooks/onboarding-generic-verifier/
https://github.com/orgs/swiyu-admin-ch/projects/2/views/2
https://identity.foundation/trustdidweb/
https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html
https://openid.net/specs/openid-4-verifiable-presentations-1_0.html
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/


