Version 2.4.1

Changes:

• Added explicit version constraint on jackson-bom.

Fixes:

• Fixed incompatibility with Jackson version 2.15.0-rc1 and later.
• Fixed linking issue when running in Java 8.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Pre-release 2.4.1-RC4

Fixes:

• Re-introduced version constraints on individual Jackson modules.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Pre-release 2.4.1-RC3

Fixes:

• Fixed missing version number for jackson-bom dependencyManagement dependency.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Pre-release 2.4.1-RC2

Fixes:

• Added explicit dependencyManagement dependencies on jackson-bom and version constraint on jackson-bom.

Artifacts built with openjdk version "17.0.6" 2023-01-17.

Pre-release 2.4.1-RC1

Fixes:

• Removed version constraints on non-core Jackson modules; Jackson ships its own BOM constraints to align module versions.
• Fixed incompatibility with Jackson version 2.15.0-rc1 and later.
• Fixed linking issue when running in Java 8.

Artifacts built with openjdk version "17.0.6" 2023-01-17.

NOTE: The webauthn-server-attestation artifact of this version is not reliably reproducible; a single byte in MetadataStatement.class tends to differ between builds.

Version 2.4.0

webauthn-server-core:

New features:

• Added support for RS384 and RS512 signature algorithms.
  • Thanks to GitHub user JohnnyJayJay for the contribution, see #235
• Added userHandle field to AssertionRequest as part of the second bug fix below. userHandle is mutually exclusive with username. This was originally released in pre-release 1.12.3-RC3, but was accidentally left out of the 1.12.3 release.

Fixes:

• During RelyingParty.finishRegistration() if an attestationTrustSource is configured, if the aaguid in the authenticator data is zero, the call to AttestationTrustSource.findTrustRoots will fall back to reading the AAGUID from the attestation certificate if possible.
• Fixed bug in RelyingParty.finishAssertion where if StartAssertionOptions.userHandle was set, it did not propagate to RelyingParty.finishAssertion and caused an error saying username and user handle are both absent unless a user handle was returned by the authenticator. This was originally released in pre-release 1.12.3-RC3, but was accidentally left out of the 1.12.3 release.
• Fixed regression in PublicKeyCredentialCreationOptions.toCredentialsCreateJson(), which has not been emitting a requireResidentKey member since version 2.0.0. This meant the JSON output was not backwards compatible with browsers that only support the Level 1 version of the WebAuthn spec.

webauthn-server-attestation:

Fixes:

• findEntries and findTrustRoots methods in FidoMetadataService now attempt to read AAGUID from the attestation certificate if the aaguid argument is absent or zero.
• Method FidoMetadataService.Filters.allOf now has @SafeVarargs annotation.

Artifacts built with openjdk 17.0.6 2023-01-17.

Pre-release 2.4.0-RC2

Fixes:

• Fixed regression in PublicKeyCredentialCreationOptions.toCredentialsCreateJson(), which has not been emitting a requireResidentKey member since version 2.0.0. This meant the JSON output was not backwards compatible with browsers that only support the Level 1 version of the WebAuthn spec.

Artifacts built with openjdk 17.0.6 2023-01-17.

Pre-release 2.4.0-RC1

webauthn-server-core:

New features:

• Added support for RS384 and RS512 signature algorithms.
  • Thanks to GitHub user @JohnnyJayJay for the contribution, see #235
• Added userHandle field to AssertionRequest as part of the second bug fix below. userHandle is mutually exclusive with username. This was originally released in pre-release 1.12.3-RC3, but was accidentally left out of the 1.12.3 release.

Fixes:

• During RelyingParty.finishRegistration() if an attestationTrustSource is configured, if the aaguid in the authenticator data is zero, the call to AttestationTrustSource.findTrustRoots will fall back to reading the AAGUID from the attestation certificate if possible.
• Fixed bug in RelyingParty.finishAssertion where if StartAssertionOptions.userHandle was set, it did not propagate to RelyingParty.finishAssertion and caused an error saying username and user handle are both absent unless a user handle was returned by the authenticator. This was originally released in pre-release 1.12.3-RC3, but was accidentally left out of the 1.12.3 release.

webauthn-server-attestation:

Fixes:

• findEntries and findTrustRoots methods in FidoMetadataService now attempt to read AAGUID from the attestation certificate if the aaguid argument is absent or zero.
• Method FidoMetadataService.Filters.allOf now has @SafeVarargs annotation.

Artifacts built with openjdk 17.0.5 2022-10-18.

Version 2.3.0

New features:

• (Experimental) Added authenticatorAttachment property to response objects:
  • NOTE: Experimental features may receive breaking changes without a major version increase.
  • Added method getAuthenticatorAttachment() to PublicKeyCredential and corresponding builder method authenticatorAttachment(AuthenticatorAttachment).
  • Added method getAuthenticatorAttachment() to RegistrationResult and AssertionResult, which echo getAuthenticatorAttachment() from the corresponding PublicKeyCredential.
  • Thanks to GitHub user luisgoncalves for the contribution, see #250

Other:

• Fixed the README description of SemVer exceptions: @Deprecated features are still part of the public API unless they also have an EXPERIMENTAL: tag in JavaDoc.
• Brought com.yubico.webauthn package JavaDoc up to date with new library features.

Artifacts built with openjdk 17.0.5 2022-10-18.

Pre-release 2.3.0-RC1

New features:

• (Experimental) Added authenticatorAttachment property to response objects:
  • NOTE: Experimental features may receive breaking changes without a major version increase.
  • Added method getAuthenticatorAttachment() to PublicKeyCredential and corresponding builder method authenticatorAttachment(AuthenticatorAttachment).
  • Added method getAuthenticatorAttachment() to RegistrationResult and AssertionResult, which echo getAuthenticatorAttachment() from the corresponding PublicKeyCredential.
  • Thanks to @luisgoncalves for the contribution, see #250

Artifacts built with openjdk 17.0.5 2022-10-18.