Releases: Yubico/java-webauthn-server

Version 1.12.0

22 Nov 15:36
1.12.0
ddb1af3

New features:

  • New method RegisteredCredential.builder().publicKeyEs256Raw(ByteArray). This is a mutually exclusive alternative to .publicKeyCose(ByteArray), for easier backwards-compatibility with U2F-formatted (Raw ANSI X9.62) public keys.
  • "Migrating from U2F" section added to project README

Artifacts built with openjdk 11.0.13 2021-10-19.
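
What separates the two encodings named in the publicKeyEs256Raw note above, as an added example that is not the library's own code (class and method names are hypothetical): a JDK-only conversion of a raw ANSI X9.62 P-256 point into an ES256 COSE_Key that refuses malformed or off-curve input. The sample key is generated at run time and stands in for a key stored by a U2F deployment.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPublicKey;
import java.security.spec.*;
import java.util.Arrays;

// Added illustration: class and method names are hypothetical, not library API.
public class RawEs256ToCose {
    // raw = 0x04 || X(32) || Y(32): uncompressed ANSI X9.62 point, as U2F stores it.
    static byte[] rawToCose(byte[] raw, EllipticCurve curve) {
        if (raw.length != 65 || raw[0] != 0x04)
            throw new IllegalArgumentException("expected 0x04 || X || Y (65 bytes)");
        BigInteger p = ((ECFieldFp) curve.getField()).getP();
        BigInteger x = new BigInteger(1, Arrays.copyOfRange(raw, 1, 33));
        BigInteger y = new BigInteger(1, Arrays.copyOfRange(raw, 33, 65));
        // Reject out-of-field coordinates and points failing y^2 = x^3 + ax + b (mod p).
        BigInteger rhs = x.pow(3).add(curve.getA().multiply(x)).add(curve.getB()).mod(p);
        if (x.compareTo(p) >= 0 || y.compareTo(p) >= 0 || !y.multiply(y).mod(p).equals(rhs))
            throw new IllegalArgumentException("point is not on P-256");
        // CBOR map(5): kty(1)=EC2(2), alg(3)=ES256(-7), crv(-1)=P-256(1), x(-2), y(-3)
        byte[] head = {(byte) 0xA5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20};
        byte[] cose = Arrays.copyOf(head, 77);
        System.arraycopy(raw, 1, cose, 10, 32);                          // x
        System.arraycopy(new byte[] {0x22, 0x58, 0x20}, 0, cose, 42, 3); // key -3, bstr(32)
        System.arraycopy(raw, 33, cose, 45, 32);                         // y
        return cose;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a fresh P-256 key standing in for a stored U2F key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        ECPublicKey pub = (ECPublicKey) kpg.generateKeyPair().getPublic();
        // The X.509 SPKI encoding of a P-256 key ends with the 65-byte raw point.
        byte[] spki = pub.getEncoded();
        byte[] raw = Arrays.copyOfRange(spki, spki.length - 65, spki.length);
        EllipticCurve curve = pub.getParams().getCurve();
        System.out.println("COSE key length: " + rawToCose(raw, curve).length);
        raw[64] ^= 0x01; // corrupt Y: the conversion must refuse it
        try { rawToCose(raw, curve); } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```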

Pre-release 1.12.0-RC1

04 Nov 20:27
1.12.0-RC1
0762b12
Pre-release

New features:

  • New method RegisteredCredential.builder().publicKeyEs256Raw(ByteArray). This is a mutually exclusive alternative to .publicKeyCose(ByteArray), for easier backwards-compatibility with U2F-formatted (Raw ANSI X9.62) public keys.
  • "Migrating from U2F" section added to project README

Artifacts built with openjdk 11.0.12 2021-07-20.

Version 1.11.0

04 Nov 17:09
1.11.0
869fff5

Deprecated features:

  • AuthenticatorSelectionCriteria methods builder().requireResidentKey(boolean) and isRequireResidentKey() deprecated in favor of a new option, see below.
  • The icon field in RelyingPartyIdentity and UserIdentity, and its associated methods, are now deprecated. The corresponding property was removed in WebAuthn Level 2.

Deprecated features will be removed in the next major version release.

Changes:

  • RelyingParty.startAssertion() no longer overwrites the appid extension input in the StartAssertionOptions argument.
  • RelyingParty.appId setting now also activates the appidExclude extension in addition to the appid extension.
  • RelyingParty.startRegistration() now enables the credProps extension by default. The extension output, if any, is available as RegistrationResult.isDiscoverable() and RegistrationResult.getClientExtensionOutputs().getCredProps().

New features:

  • RegistrationResult.keyId() now includes transports if any were included in the AuthenticatorAttestationResponse. To get transports passed through, call PublicKeyCredential.response.getTransports() on the client side after successful registration, and add the result as the property response.transports in the JSON passed into PublicKeyCredential.parseRegistrationResponseJson. See the project README for an example.
  • Added support for the appidExclude, credProps, largeBlob and uvm extensions.
  • Added support for the new authenticatorSelectionCriteria.residentKey option:
    • Added method AuthenticatorSelectionCriteria.builder().residentKey(ResidentKeyRequirement).
    • Added method AuthenticatorSelectionCriteria.getResidentKey().
    • Methods builder().requireResidentKey(boolean) and isRequireResidentKey() deprecated in favor of the above two new methods.
    • The builder methods requireResidentKey(boolean) and residentKey(ResidentKeyRequirement) both control one shared setting, which sets both the requireResidentKey and residentKey options simultaneously and in agreement with each other for backwards compatibility with older browsers.
  • Added methods PublicKeyCredentialCreationOptions.toCredentialsCreateJson(), PublicKeyCredentialRequestOptions.toCredentialsGetJson() and AssertionRequest.toCredentialsGetJson() for serializing to JSON without having to use Jackson directly.
  • Added methods PublicKeyCredentialCreationOptions.toJson() and .fromJson(String) suitable for encoding to and decoding from JSON.
  • Added methods AssertionRequest.toJson() and .fromJson(String) suitable for encoding to and decoding from JSON.
  • Added methods StartAssertionOptions.builder().userHandle(ByteArray) and .userHandle(Optional<ByteArray>) as alternatives to .username(String) and .username(Optional<String>). The userHandle methods fill the same function as, and are mutually exclusive with, the username methods.

Fixes:

  • Added missing JavaDoc for id and name methods of initial RelyingPartyIdentityBuilder stages.
  • Added and improved JavaDoc for required builder methods.
  • Javadoc for TokenBindingInfo.id incorrectly stated that the value is base64url encoded.
  • Javadoc for TokenBindingStatus.PRESENT incorrectly referenced its own (private) id member instead of TokenBindingInfo.id.
  • Improved JavaDoc for StartRegistrationOptions.authenticatorSelection.
  • Improved JavaDoc for RelyingParty.appId.
  • Made the RelyingParty.validateSignatureCounter JavaDoc also cover the success case where stored and received signature counts are both zero.

Artifacts built with openjdk 11.0.12 2021-07-20.

Pre-release 1.11.0-RC5

26 Oct 14:08
1.11.0-RC5
a16f29a
Pre-release

Changes:

  • RelyingParty.startRegistration() no longer overwrites the appidExclude and credProps extension inputs in the StartRegistrationOptions argument.
  • RelyingParty.startAssertion() no longer overwrites the appid extension input in the StartAssertionOptions argument.

Artifacts built with openjdk 11.0.12 2021-07-20.

Pre-release 1.11.0-RC4

21 Oct 14:43
1.11.0-RC4
3f6d846
Pre-release

Pre-release 1.11.0-RC3 mistakenly included an unversioned file in the webauthn-server-attestation artifact, which broke signature reproducibility. 1.11.0-RC4 is a rebuild from the same sources but without that additional file.

Artifacts built with openjdk 11.0.12 2021-07-20.

Pre-release 1.11.0-RC3

21 Oct 13:48
1.11.0-RC3
f00b469
Pre-release

Note: This release has a defective webauthn-server-attestation artifact. Please use version 1.11.0-RC4 instead.

Breaking changes from 1.11.0-RC2:

  • Class UserVerificationMethod converted to enum
  • Class KeyProtectionType converted to enum
  • Class MatcherProtectionType converted to enum

Fixes:

  • Javadoc for TokenBindingInfo.id incorrectly stated that the value is base64url encoded.
  • Javadoc for TokenBindingStatus.PRESENT incorrectly referenced its own (private) id member instead of TokenBindingInfo.id.
  • Improved JavaDoc for StartRegistrationOptions.authenticatorSelection.
  • Improved JavaDoc for RelyingParty.appId.
  • Made the RelyingParty.validateSignatureCounter JavaDoc also cover the success case where stored and received signature counts are both zero.

Artifacts built with openjdk 11.0.12 2021-07-20.

Pre-release 1.11.0-RC2

30 Sep 10:41
1.11.0-RC2
c5b35e6
Pre-release

New features:

  • Added methods PublicKeyCredentialCreationOptions.toJson() and .fromJson(String) suitable for encoding to and decoding from JSON.
  • Added methods AssertionRequest.toJson() and .fromJson(String) suitable for encoding to and decoding from JSON.
  • Added methods StartAssertionOptions.builder().userHandle(ByteArray) and .userHandle(Optional<ByteArray>) as alternatives to .username(String) and .username(Optional<String>). The userHandle methods fill the same function as, and are mutually exclusive with, the username methods.

Fixes:

  • Added and improved JavaDoc for required builder methods.

Artifacts built with openjdk 11.0.12 2021-07-20.

Pre-release 1.11.0-RC1

16 Sep 19:12
1.11.0-RC1
fe7a557
Pre-release

Deprecated features:

  • AuthenticatorSelectionCriteria methods builder().requireResidentKey(boolean) and isRequireResidentKey() deprecated in favor of a new option, see below.
  • The icon field in RelyingPartyIdentity and UserIdentity, and its associated methods, are now deprecated. The corresponding property was removed in WebAuthn Level 2.

Deprecated features will be removed in the next major version release.

Changes:

  • RelyingParty.appId setting now also activates the appidExclude extension in addition to the appid extension.
  • RelyingParty.startRegistration() now enables the credProps extension by default. The extension output, if any, is available as RegistrationResult.isDiscoverable() and RegistrationResult.getClientExtensionOutputs().getCredProps().

New features:

  • RegistrationResult.keyId() now includes transports if any were included in the AuthenticatorAttestationResponse. To get transports passed through, call PublicKeyCredential.response.getTransports() on the client side after successful registration, and add the result as the property response.transports in the JSON passed into PublicKeyCredential.parseRegistrationResponseJson. See the project README for an example.
  • Added support for the appidExclude, credProps, largeBlob and uvm extensions.
  • Added support for the new authenticatorSelectionCriteria.residentKey option:
    • Added method AuthenticatorSelectionCriteria.builder().residentKey(ResidentKeyRequirement).
    • Added method AuthenticatorSelectionCriteria.getResidentKey().
    • Methods builder().requireResidentKey(boolean) and isRequireResidentKey() deprecated in favor of the above two new methods.
    • The builder methods requireResidentKey(boolean) and residentKey(ResidentKeyRequirement) both control one shared setting, which sets both the requireResidentKey and residentKey options simultaneously and in agreement with each other for backwards compatibility with older browsers.
  • Added methods PublicKeyCredentialCreationOptions.toCredentialsCreateJson(), PublicKeyCredentialRequestOptions.toCredentialsGetJson() and AssertionRequest.toCredentialsGetJson() for serializing to JSON without having to use Jackson directly.

Fixes:

  • Added missing JavaDoc for id and name methods of initial RelyingPartyIdentityBuilder stages.

Artifacts built with openjdk 11.0.12 2021-07-20.

Version 1.10.1

02 Aug 13:15
1.10.1
eb6e64f

webauthn-server-attestation:

  • Fixed name of YubiKey Bio - FIDO edition in attestation metadata.

Artifacts built with openjdk 11.0.12 2021-07-20.

Version 1.10.0

12 Jul 16:10
1.10.0
2481a44

webauthn-server-attestation:

  • Added attestation metadata for YubiKey Bio.

Artifacts built with openjdk 11.0.11 2021-04-20.