
Releases: Yubico/java-webauthn-server

Version 2.7.0

15 May 11:06
2.7.0
703179a

New features:

  • Added overloaded setter RelyingPartyBuilder.origins(Optional<Set<String>>).
  • Added support for the CTAP2 credProtect extension.
  • Added support for the prf extension.
  • (Experimental) Added option FinishRegistrationOptions.isConditionalCreate to allow UP=0 in the registration response for registration ceremonies with mediation: "conditional".
    • NOTE: Experimental features may receive breaking changes without a major version increase.

Fixes:

  • Excluded CVE-2025-27820 vulnerable versions of Apache httpclient5 from dependency resolution. Note that this might only affect consumers using Gradle module metadata.

Artifacts built with openjdk version "17.0.15" 2025-04-15.

Experimental release 2.8.0-alpha3

05 May 14:13
2.8.0-alpha3
3469474
Pre-release

Ported changes from pre-release 2.7.0-RC3:

Fixes:

  • Excluded CVE-2025-27820 vulnerable versions of Apache httpclient5 from dependency resolution. Note that this might only affect consumers using Gradle module metadata.

Artifacts built with openjdk version "17.0.15" 2025-04-15.

Pre-release 2.7.0-RC3

05 May 13:58
2.7.0-RC3
7ca8cff
Pre-release

Fixes:

  • Excluded CVE-2025-27820 vulnerable versions of Apache httpclient5 from dependency resolution. Note that this might only affect consumers using Gradle module metadata.

Artifacts built with openjdk version "17.0.15" 2025-04-15.

Experimental release 2.8.0-alpha2

02 May 12:12
2.8.0-alpha2
a198138
Pre-release

Ported changes from pre-release 2.7.0-RC2:

Fixes:

  • Fixed JSON encoding of credProtect extension inputs.

Artifacts built with openjdk version "17.0.14" 2025-01-21.

Pre-release 2.7.0-RC2

02 May 11:44
2.7.0-RC2
0ae9fb1
Pre-release

Fixes:

  • Fixed JSON encoding of credProtect extension inputs.

Artifacts built with openjdk version "17.0.14" 2025-01-21.

Experimental release 2.8.0-alpha1

30 Apr 11:50
2.8.0-alpha1
5e7ada7
Pre-release

Re-introduced changes that were reverted between 2.7.0-alpha1 and 2.7.0-RC1:

New features:

  • (Experimental) Added a new suite of interfaces, starting with CredentialRepositoryV2. RelyingParty can now be configured with a CredentialRepositoryV2 instance instead of a CredentialRepository instance. This changes the result of the RelyingParty builder to RelyingPartyV2. CredentialRepositoryV2 and RelyingPartyV2 enable a suite of new features:
    • CredentialRepositoryV2 does not assume that the application has usernames; instead, username support is modular. In addition to the CredentialRepositoryV2, RelyingPartyV2 can optionally be configured with a UsernameRepository as well. If a UsernameRepository is not set, then RelyingPartyV2.startAssertion(StartAssertionOptions) will fail at runtime if StartAssertionOptions.username is set.
    • CredentialRepositoryV2 uses a new interface CredentialRecord to represent registered credentials, instead of the concrete RegisteredCredential class (although RegisteredCredential also implements CredentialRecord). This provides implementations greater flexibility while also automating the type conversion to PublicKeyCredentialDescriptor needed in startRegistration() and startAssertion().
    • RelyingPartyV2.finishAssertion() returns a new type AssertionResultV2 with a new method getCredential(), which returns the CredentialRecord that was verified. The return type of getCredential() is generic and preserves the concrete type of CredentialRecord returned by the CredentialRepositoryV2 implementation.
    • NOTE: Experimental features may receive breaking changes without a major version increase.
  • (Experimental) Added property RegisteredCredential.transports.
    • NOTE: Experimental features may receive breaking changes without a major version increase.

Artifacts built with openjdk version "17.0.14" 2025-01-21.

Pre-release 2.7.0-RC1

30 Apr 11:25
2.7.0-RC1
5b7c0a9
Pre-release

Changes since 2.7.0-alpha1

Breaking changes:

  • Removed the suite of experimental interfaces related to CredentialRepositoryV2. These will be postponed to minor release 2.8 instead.
  • Removed property RegisteredCredential.transports.

Changes since 2.6.0

New features:

  • Added overloaded setter RelyingPartyBuilder.origins(Optional<Set<String>>).
  • Added support for the CTAP2 credProtect extension.
  • Added support for the prf extension.
  • (Experimental) Added option FinishRegistrationOptions.isConditionalCreate to allow UP=0 in the registration response for registration ceremonies with mediation: "conditional".
    • NOTE: Experimental features may receive breaking changes without a major version increase.

Artifacts built with openjdk version "17.0.14" 2025-01-21.

Experimental release 2.7.0-alpha1

30 Jan 14:16
2.7.0-alpha1
b1fa6ca
Pre-release

Re-introduced changes that were reverted between 2.6.0-alpha8 and 2.6.0-RC1:

  • (Experimental) Added a new suite of interfaces, starting with CredentialRepositoryV2. RelyingParty can now be configured with a CredentialRepositoryV2 instance instead of a CredentialRepository instance. This changes the result of the RelyingParty builder to RelyingPartyV2. CredentialRepositoryV2 and RelyingPartyV2 enable a suite of new features:
    • CredentialRepositoryV2 does not assume that the application has usernames; instead, username support is modular. In addition to the CredentialRepositoryV2, RelyingPartyV2 can optionally be configured with a UsernameRepository as well. If a UsernameRepository is not set, then RelyingPartyV2.startAssertion(StartAssertionOptions) will fail at runtime if StartAssertionOptions.username is set.
    • CredentialRepositoryV2 uses a new interface CredentialRecord to represent registered credentials, instead of the concrete RegisteredCredential class (although RegisteredCredential also implements CredentialRecord). This provides implementations greater flexibility while also automating the type conversion to PublicKeyCredentialDescriptor needed in startRegistration() and startAssertion().
    • RelyingPartyV2.finishAssertion() returns a new type AssertionResultV2 with a new method getCredential(), which returns the CredentialRecord that was verified. The return type of getCredential() is generic and preserves the concrete type of CredentialRecord returned by the CredentialRepositoryV2 implementation.
    • NOTE: Experimental features may receive breaking changes without a major version increase.
  • (Experimental) Added property RegisteredCredential.transports.
    • NOTE: Experimental features may receive breaking changes without a major version increase.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Version 2.6.0

30 Jan 10:41
2.6.0
47ceee8

webauthn-server-core:

New features:

  • Added method getParsedPublicKey(): java.security.PublicKey to RegistrationResult and RegisteredCredential.
    • Thanks to Jakob Heher (A-SIT) for the contribution, see #299
  • Added enum parsing functions:
    • AuthenticatorAttachment.fromValue(String): Optional<AuthenticatorAttachment>
    • PublicKeyCredentialType.fromId(String): Optional<PublicKeyCredentialType>
    • ResidentKeyRequirement.fromValue(String): Optional<ResidentKeyRequirement>
    • TokenBindingStatus.fromValue(String): Optional<TokenBindingStatus>
    • UserVerificationRequirement.fromValue(String): Optional<UserVerificationRequirement>
  • Added public builder to CredentialPropertiesOutput.
  • Added public factory function LargeBlobRegistrationOutput.supported(boolean).
  • Added public factory functions to LargeBlobAuthenticationOutput.
  • Added hints property to StartRegistrationOptions, StartAssertionOptions, PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions, along with class PublicKeyCredentialHint, to support the hints parameter introduced in WebAuthn L3: https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-publickeycredentialcreationoptions-hints
  • (Experimental) Added option isSecurePaymentConfirmation(boolean) to FinishAssertionOptions. When set, RelyingParty.finishAssertion() will adapt the validation logic for a Secure Payment Confirmation (SPC) response instead of an ordinary WebAuthn response. See the JavaDoc for details.
    • NOTE: Experimental features may receive breaking changes without a major version increase.

webauthn-server-attestation:

New features:

  • FidoMetadataDownloader now parses the CRLDistributionPoints extension on the application level, so the com.sun.security.enableCRLDP=true system property setting is no longer necessary.
  • Added helper function CertificateUtil.parseFidoSernumExtension for parsing the serial number from enterprise attestation certificates.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Pre-release 2.6.0-RC1

16 Jan 14:48
2.6.0-RC1
0cbba57
Pre-release

Changes since 2.6.0-alpha8

webauthn-server-core:

Breaking changes:

  • Removed the suite of experimental interfaces related to CredentialRepositoryV2. These will be postponed to minor release 2.7 instead.
  • Removed property RegisteredCredential.transports.
  • Removed property credProps.authenticatorDisplayName.
  • Removed credProps extension from assertion extension outputs.

webauthn-server-attestation:

New features:

  • FidoMetadataDownloader now parses the CRLDistributionPoints extension on the application level, so the com.sun.security.enableCRLDP=true system property setting is no longer necessary.
  • Added helper function CertificateUtil.parseFidoSernumExtension for parsing the serial number from enterprise attestation certificates.

Changes since 2.5.4

webauthn-server-core:

New features:

  • Added method getParsedPublicKey(): java.security.PublicKey to RegistrationResult and RegisteredCredential.
    • Thanks to Jakob Heher (A-SIT) for the contribution, see #299
  • Added enum parsing functions:
    • AuthenticatorAttachment.fromValue(String): Optional<AuthenticatorAttachment>
    • PublicKeyCredentialType.fromId(String): Optional<PublicKeyCredentialType>
    • ResidentKeyRequirement.fromValue(String): Optional<ResidentKeyRequirement>
    • TokenBindingStatus.fromValue(String): Optional<TokenBindingStatus>
    • UserVerificationRequirement.fromValue(String): Optional<UserVerificationRequirement>
  • Added public builder to CredentialPropertiesOutput.
  • Added public factory function LargeBlobRegistrationOutput.supported(boolean).
  • Added public factory functions to LargeBlobAuthenticationOutput.
  • Added hints property to StartRegistrationOptions, StartAssertionOptions, PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions, along with class PublicKeyCredentialHint, to support the hints parameter introduced in WebAuthn L3: https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-publickeycredentialcreationoptions-hints
  • (Experimental) Added option isSecurePaymentConfirmation(boolean) to FinishAssertionOptions. When set, RelyingParty.finishAssertion() will adapt the validation logic for a Secure Payment Confirmation (SPC) response instead of an ordinary WebAuthn response. See the JavaDoc for details.
    • NOTE: Experimental features may receive breaking changes without a major version increase.

webauthn-server-attestation:

New features:

  • FidoMetadataDownloader now parses the CRLDistributionPoints extension on the application level, so the com.sun.security.enableCRLDP=true system property setting is no longer necessary.
  • Added helper function CertificateUtil.parseFidoSernumExtension for parsing the serial number from enterprise attestation certificates.

Artifacts built with openjdk version "17.0.13" 2024-10-15.