Version 1.12.4

@emlun released this 02 May 11:41
1.12.4
e95b7f6

Deprecated features:

  • Option RelyingParty.allowUnrequestedExtensions deprecated. The false setting (default) is not compatible with WebAuthn Level 2 since authenticators are now always allowed to add unsolicited extensions. The next major version release will remove this option and always behave as if the option had been set to true.
  • Enum value AttestationType.ECDAA deprecated. ECDAA was removed in WebAuthn Level 2.
  • Function TokenBindingStatus.fromJsonString(String) deprecated. It should not have been part of the public API to begin with.

Artifacts built with openjdk 11.0.15 2022-04-19.

NOTICE: Psychic signatures in Java

In April 2022, a vulnerability was disclosed in Oracle's OpenJDK (and other JVMs derived from it) which can impact applications using java-webauthn-server. The impact is that for the most common type of WebAuthn credential, invalid signatures are accepted as valid, allowing authentication bypass for users with such a credential. Please read Oracle's advisory and make sure you are not using one of the impacted OpenJDK versions. If you are, we urge you to upgrade your Java deployment to a version that is safe.