Pre-release 2.5.1-RC3

Changes:

• Reverted exclusion of Jackson version 2.17.0-rc1 from dependency resolution.
• Fixed incompatibility with Jackson version 2.17.0-rc1.

Artifacts built with openjdk version "17.0.10" 2024-01-16.

Pre-release 2.5.1-RC2

Changes:

• Excluded Jackson version 2.17.0-rc1 from dependency resolution due to an incompatible regression.

Artifacts built with openjdk version "17.0.10" 2024-01-16.

Pre-release 2.5.1-RC1

Changes:

• Dropped dependency on COSE-Java.

Artifacts built with openjdk version "17.0.10" 2024-01-16.

Experimental release 2.6.0-alpha4

Re-release with no code changes to fix the reproducible binary workflow on GitHub Actions.

Artifacts built with openjdk version "17.0.9" 2023-10-17.

Experimental release 2.6.0-alpha3

New features:

• Added enum parsing functions:
  • AuthenticatorAttachment.fromValue(String): Optional<AuthenticatorAttachment>
  • PublicKeyCredentialType.fromId(String): Optional<PublicKeyCredentialType>
  • ResidentKeyRequirement.fromValue(String): Optional<ResidentKeyRequirement>
  • TokenBindingStatus.fromValue(String): Optional<TokenBindingStatus>
  • UserVerificationRequirement.fromValue(String): Optional<UserVerificationRequirement>

Artifacts built with openjdk version "17.0.9" 2023-10-17.

Experimental release 2.6.0-alpha2

New features:

• Added public builder to CredentialPropertiesOutput.
• Added public factory function LargeBlobRegistrationOutput.supported(boolean).
• Added public factory functions to LargeBlobAuthenticationOutput.
• (Experimental) Added a new suite of interfaces, starting with CredentialRepositoryV2. RelyingParty can now be configured with a CredentialRepositoryV2 instance instead of a CredentialRepository instance. This changes the result of the RelyingParty builder to RelyingPartyV2. CredentialRepositoryV2 and RelyingPartyV2 enable a suite of new features:
  • CredentialRepositoryV2 does not assume that the application has usernames, instead username support is modular. In addition to the CredentialRepositoryV2, RelyingPartyV2 can be optionally configured with a UsernameRepository as well. If a UsernameRepository is not set, then RelyingPartyV2.startAssertion(StartAssertionOptions) will fail at runtime if StartAssertionOptions.username is set.
  • CredentialRepositoryV2 uses a new interface CredentialRecord to represent registered credentials, instead of the concrete RegisteredCredential class (although RegisteredCredential also implements CredentialRecord). This provides implementations greater flexibility while also automating the type conversion to PublicKeyCredentialDescriptor needed in startRegistration() and startAssertion().
  • RelyingPartyV2.finishAssertion() returns a new type AssertionResultV2 with a new method getCredential(), which returns the CredentialRecord that was verified. The return type of getCredential() is generic and preserves the concrete type of CredentialRecord returned by the CredentialRepositoryV2 implementation.
  • NOTE: Experimental features may receive breaking changes without a major version increase.
• (Experimental) Added property RegisteredCredential.transports.
  • NOTE: Experimental features may receive breaking changes without a major version increase.

Artifacts built with openjdk version "17.0.9" 2023-10-17.

Experimental release 2.6.0-alpha1

New features:

• Added method getParsedPublicKey(): java.security.PublicKey to RegistrationResult and RegisteredCredential.
  • Thanks to Jakob Heher (A-SIT) for the contribution, see #299
• (Experimental) Added option isSecurePaymentConfirmation(boolean) to FinishAssertionOptions. When set, RelyingParty.finishAssertion() will adapt the validation logic for a Secure Payment Confirmation (SPC) response instead of an ordinary WebAuthn response. See the JavaDoc for details.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Version 2.5.0

webauthn-server-core:

Breaking changes to experimental features:

• Added Jackson annotation @JsonProperty to method RegisteredCredential.isBackedUp(), changing the property name from backedUp to backupState. backedUp is still accepted during deserialization but will no longer be emitted during serialization.

New features:

• Added method .isUserVerified() to RegistrationResult and AssertionResult as a shortcut for accessing the UV flag in authenticator data.
• Updated README and JavaDoc to use the "passkey" term and provide more guidance around passkey use cases.
• Added Automatic-Module-Name to jar manifest.

Fixes:

• AuthenticatorAttestationResponse now tolerates and ignores properties "publicKey" and "publicKeyAlgorithm" during JSON deserialization. These properties are emitted by the PublicKeyCredential.toJSON() method added in WebAuthn Level 3.
• Relaxed Guava dependency version constraint to include major version 32.
• RelyingParty.finishAssertion now behaves the same if StartAssertionOptions.allowCredentials is explicitly set to a present, empty list as when absent.

webauthn-server-attestation:

New features:

• Added option verifyDownloadsOnly(boolean) to FidoMetadataDownloader. When set to true, the BLOB signature will not be verified when loading a BLOB from cache or when explicitly given. Default setting is false, which preserves the previous behaviour.
• Added Automatic-Module-Name to jar manifest.

Fixes:

• Made Jackson setting PROPAGATE_TRANSIENT_MARKER unnecessary for JSON serialization with Jackson version 2.15.0-rc1 and later.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Pre-release 2.5.0-RC3

Fixes:

• RelyingParty.finishAssertion now behaves the same if StartAssertionOptions.allowCredentials is explicitly set to a present, empty list as when absent.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Pre-release 2.5.0-RC2

Fixes:

• Relaxed Guava dependency version constraint to include major version 32.

Artifacts built with openjdk version "17.0.7" 2023-04-18.