Skip to content

Releases: Yubico/java-webauthn-server

Experimental release 2.6.0-alpha2

09 Nov 19:04
@emlun emlun
2.6.0-alpha2
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: 0F47E61493A9B8E5
Learn about vigilant mode.
85de45b
This commit was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: 0F47E61493A9B8E5
Learn about vigilant mode.
Compare
Choose a tag to compare
Experimental release 2.6.0-alpha2 Pre-release
Pre-release

New features:

  • Added public builder to CredentialPropertiesOutput.
  • Added public factory function LargeBlobRegistrationOutput.supported(boolean).
  • Added public factory functions to LargeBlobAuthenticationOutput.
  • (Experimental) Added a new suite of interfaces, starting with CredentialRepositoryV2. RelyingParty can now be configured with a CredentialRepositoryV2 instance instead of a CredentialRepository instance. This changes the result of the RelyingParty builder to RelyingPartyV2. CredentialRepositoryV2 and RelyingPartyV2 enable a suite of new features:
    • CredentialRepositoryV2 does not assume that the application has usernames, instead username support is modular. In addition to the CredentialRepositoryV2, RelyingPartyV2 can be optionally configured with a UsernameRepository as well. If a UsernameRepository is not set, then RelyingPartyV2.startAssertion(StartAssertionOptions) will fail at runtime if StartAssertionOptions.username is set.
    • CredentialRepositoryV2 uses a new interface CredentialRecord to represent registered credentials, instead of the concrete RegisteredCredential class (although RegisteredCredential also implements CredentialRecord). This provides implementations greater flexibility while also automating the type conversion to PublicKeyCredentialDescriptor needed in startRegistration() and startAssertion().
    • RelyingPartyV2.finishAssertion() returns a new type AssertionResultV2 with a new method getCredential(), which returns the CredentialRecord that was verified. The return type of getCredential() is generic and preserves the concrete type of CredentialRecord returned by the CredentialRepositoryV2 implementation.
    • NOTE: Experimental features may receive breaking changes without a major version increase.
  • (Experimental) Added property RegisteredCredential.transports.
    • NOTE: Experimental features may receive breaking changes without a major version increase.

Artifacts built with openjdk version "17.0.9" 2023-10-17.

Assets 4
Loading

Experimental release 2.6.0-alpha1

07 Jul 16:57
@emlun emlun
2.6.0-alpha1
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
b62ee43
This commit was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
Compare
Choose a tag to compare
Experimental release 2.6.0-alpha1 Pre-release
Pre-release

New features:

  • Added method getParsedPublicKey(): java.security.PublicKey to RegistrationResult and RegisteredCredential.
    • Thanks to Jakob Heher (A-SIT) for the contribution, see #299
  • (Experimental) Added option isSecurePaymentConfirmation(boolean) to FinishAssertionOptions. When set, RelyingParty.finishAssertion() will adapt the validation logic for a Secure Payment Confirmation (SPC) response instead of an ordinary WebAuthn response. See the JavaDoc for details.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Assets 4
Loading

Version 2.5.0

05 Jul 11:38
@emlun emlun
2.5.0
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
345762b
This commit was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.5.0

webauthn-server-core:

Breaking changes to experimental features:

  • Added Jackson annotation @JsonProperty to method RegisteredCredential.isBackedUp(), changing the property name from backedUp to backupState. backedUp is still accepted during deserialization but will no longer be emitted during serialization.

New features:

  • Added method .isUserVerified() to RegistrationResult and AssertionResult as a shortcut for accessing the UV flag in authenticator data.
  • Updated README and JavaDoc to use the "passkey" term and provide more guidance around passkey use cases.
  • Added Automatic-Module-Name to jar manifest.

Fixes:

  • AuthenticatorAttestationResponse now tolerates and ignores properties "publicKey" and "publicKeyAlgorithm" during JSON deserialization. These properties are emitted by the PublicKeyCredential.toJSON() method added in WebAuthn Level 3.
  • Relaxed Guava dependency version constraint to include major version 32.
  • RelyingParty.finishAssertion now behaves the same if StartAssertionOptions.allowCredentials is explicitly set to a present, empty list as when absent.

webauthn-server-attestation:

New features:

  • Added option verifyDownloadsOnly(boolean) to FidoMetadataDownloader. When set to true, the BLOB signature will not be verified when loading a BLOB from cache or when explicitly given. Default setting is false, which preserves the previous behaviour.
  • Added Automatic-Module-Name to jar manifest.

Fixes:

  • Made Jackson setting PROPAGATE_TRANSIENT_MARKER unnecessary for JSON serialization with Jackson version 2.15.0-rc1 and later.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Assets 4
Loading
0 Join discussion

Pre-release 2.5.0-RC3

04 Jul 15:22
@emlun emlun
2.5.0-RC3
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
e1ed27c
This commit was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
Compare
Choose a tag to compare
Pre-release 2.5.0-RC3 Pre-release
Pre-release

Fixes:

  • RelyingParty.finishAssertion now behaves the same if StartAssertionOptions.allowCredentials is explicitly set to a present, empty list as when absent.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Assets 4
Loading

Pre-release 2.5.0-RC2

27 Jun 12:00
@emlun emlun
2.5.0-RC2
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
1c8a8ad
This commit was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
Compare
Choose a tag to compare
Pre-release 2.5.0-RC2 Pre-release
Pre-release

Fixes:

  • Relaxed Guava dependency version constraint to include major version 32.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Assets 4
Loading

Pre-release 2.5.0-RC1

26 Jun 15:40
@emlun emlun
2.5.0-RC1
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: 0F47E61493A9B8E5
Learn about vigilant mode.
864a1dc
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Pre-release 2.5.0-RC1 Pre-release
Pre-release

webauthn-server-core:

Breaking changes to experimental features:

  • Added Jackson annotation @JsonProperty to method RegisteredCredential.isBackedUp(), changing the property name from backedUp to backupState. backedUp is still accepted during deserialization but will no longer be emitted during serialization.

New features:

  • Added method .isUserVerified() to RegistrationResult and AssertionResult as a shortcut for accessing the UV flag in authenticator data.
  • Updated README and JavaDoc to use the "passkey" term and provide more guidance around passkey use cases.
  • Added Automatic-Module-Name to jar manifest.

Fixes:

  • AuthenticatorAttestationResponse now tolerates and ignores properties "publicKey" and "publicKeyAlgorithm" during JSON deserialization. These properties are emitted by the PublicKeyCredential.toJSON() method added in WebAuthn Level 3.

webauthn-server-attestation:

New features:

  • Added option verifyDownloadsOnly(boolean) to FidoMetadataDownloader. When set to true, the BLOB signature will not be verified when loading a BLOB from cache or when explicitly given. Default setting is false, which preserves the previous behaviour.
  • Added Automatic-Module-Name to jar manifest.

Fixes:

  • Made Jackson setting PROPAGATE_TRANSIENT_MARKER unnecessary for JSON serialization with Jackson version 2.15.0-rc1 and later.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Assets 4
Loading

Version 2.4.1

04 May 13:32
@emlun emlun
2.4.1
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
2bebcbb
This commit was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.4.1

Changes:

  • Added explicit version constraint on jackson-bom.

Fixes:

  • Fixed incompatibility with Jackson version 2.15.0-rc1 and later.
  • Fixed linking issue when running in Java 8.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Assets 4
Loading
0 Join discussion

Pre-release 2.4.1-RC4

03 May 13:27
@emlun emlun
2.4.1-RC4
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
cdaa2ed
This commit was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
Compare
Choose a tag to compare
Pre-release 2.4.1-RC4 Pre-release
Pre-release

Fixes:

  • Re-introduced version constraints on individual Jackson modules.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Assets 4
Loading

Pre-release 2.4.1-RC3

03 May 11:14
@emlun emlun
2.4.1-RC3
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
74dd748
This commit was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: DE6C235E14566398
Learn about vigilant mode.
Compare
Choose a tag to compare
Pre-release 2.4.1-RC3 Pre-release
Pre-release

Fixes:

  • Fixed missing version number for jackson-bom dependencyManagement dependency.

Artifacts built with openjdk version "17.0.7" 2023-04-18.

Assets 4
Loading

Pre-release 2.4.1-RC2

02 May 14:15
@emlun emlun
2.4.1-RC2
This tag was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: 0F47E61493A9B8E5
Learn about vigilant mode.
5a19899
This commit was signed with the committer’s verified signature.
emlun Emil Lundberg
GPG key ID: 0F47E61493A9B8E5
Learn about vigilant mode.
Compare
Choose a tag to compare
Pre-release 2.4.1-RC2 Pre-release
Pre-release

Fixes:

  • Added explicit dependencyManagement dependencies on jackson-bom and version constraint on jackson-bom.

Artifacts built with openjdk version "17.0.6" 2023-01-17.

Assets 4
Loading