Version 1.12.4
Deprecated features:
- Option RelyingParty.allowUnrequestedExtensions deprecated. The false setting (default) is not compatible with WebAuthn Level 2 since authenticators are now always allowed to add unsolicited extensions. The next major version release will remove this option and always behave as if the option had been set to true.
- Enum value AttestationType.ECDAA. ECDAA was removed in WebAuthn Level 2.
- Function TokenBindingStatus.fromJsonString(String) deprecated. It should not have been part of the public API to begin with.
Artifacts built with openjdk 11.0.15 2022-04-19.
NOTICE: Psychic signatures in Java
In April 2022, a vulnerability was disclosed in Oracle's OpenJDK (and other JVMs derived from it) which can impact applications using java-webauthn-server. The impact is that for the most common type of WebAuthn credential, invalid signatures are accepted as valid, allowing authentication bypass for users with such a credential. Please read Oracle's advisory and make sure you are not using one of the impacted OpenJDK versions. If you are, we urge you to upgrade your Java deployment to a version that is safe.