Releases: Yubico/java-webauthn-server

Pre-release 2.0.0-RC1

30 Mar 01:36
2.0.0-RC1
6bb82b7

This release removes deprecated APIs and changes some defaults to better align with the L2 version of the WebAuthn spec. It also adds a new major feature: optional integration with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots. See below for details.

webauthn-server-core:

Breaking changes:

  • Deleted deprecated icon field in RelyingPartyIdentity and UserIdentity, and its associated methods.
  • Deleted deprecated AuthenticatorSelectionCriteria methods builder().requireResidentKey(boolean) and isRequireResidentKey().
  • RelyingParty parameter allowUnrequestedExtensions removed. The library will now always accept unrequested extensions.
  • Class ClientAssertionExtensionOutputs now silently ignores unknown extensions instead of rejecting them.
  • webauthn-server-core-minimal module deleted.
  • webauthn-server-core no longer depends on BouncyCastle and will no longer attempt to automatically fall back to it. Therefore, EdDSA keys are no longer supported by default in JDK 14 and earlier. The library will log warnings if configured for algorithms with no JCA provider available, in which case the dependent project may need to add additional dependencies and configure JCA providers externally.
  • Enum value AttestationType.ECDAA removed without replacement.
  • Deleted methods RegistrationResult.getWarnings() and AssertionResult.getWarnings() since they are now always empty.
  • The attestation metadata framework has been fully overhauled. See the webauthn-server-attestation module documentation for the new ways to work with attestation metadata:
    • Deleted method RegistrationResult.getAttestationMetadata().
    • Interface MetadataService replaced with AttestationTrustSource, and optional RelyingParty setting .metadataService(MetadataService) replaced with .attestationTrustSource(AttestationTrustSource).
    • Deleted types Attestation and Transport.
    • Deleted method AuthenticatorTransport.fromU2fTransport.
  • RelyingParty.finishRegistration() now uses a JCA CertPathValidator to validate attestation certificate paths, if an attestation trust source has been configured. This requires a compatible JCA provider, but should already be available in most environments.
  • Classes in package com.yubico.fido.metadata moved to com.yubico.webauthn.extension.uvm to avoid name clash with webauthn-server-attestation module in JPMS.
  • Changed return type of PublicKeyCredentialRequestOptions.getUserVerification(), AuthenticatorSelectionCriteria.getUserVerification() and AuthenticatorSelectionCriteria.getResidentKey() to Optional, and changed defaults for userVerification and residentKey to empty. This means we won't inadvertently suppress warnings that browsers might issue in the browser console if, for example, userVerification is not set explicitly.

New features:

  • Method getAaguid() added to RegistrationResult.
  • Method getAttestationTrustPath() added to RegistrationResult.
  • Setting .clock(Clock) added to RelyingParty. It is used for attestation path validation if an attestationTrustSource is configured.

webauthn-server-attestation:

Breaking changes:

  • Types AttestationResolver, CompositeAttestationResolver, CompositeTrustResolver, DeviceMatcher, ExtensionMatcher, FingerprintMatcher, MetadataObject, SimpleAttestationResolver, SimpleTrustResolver, StandardMetadataService and TrustResolver deleted in favour of a new attestation metadata framework. Some of the functionality is retained as the new YubicoJsonMetadataService class in the webauthn-server-demo subproject in the library sources, but no longer exposed in either library module.
  • Library no longer contains a /metadata.json resource.

New features:

  • New types FidoMetadataService and FidoMetadataDownloader which integrate with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots.

Artifacts built with openjdk 11.0.15 2022-04-19.

Pre-release 1.12.4-RC1

30 Mar 01:08
1.12.4-RC1
9ce1422

Deprecated features:

  • Option RelyingParty.allowUnrequestedExtensions deprecated. The false setting (default) is not compatible with WebAuthn Level 2 since authenticators are now always allowed to add unsolicited extensions. The next major version release will remove this option and always behave as if the option had been set to true.
  • Enum value AttestationType.ECDAA. ECDAA was removed in WebAuthn Level 2.
  • Function TokenBindingStatus.fromJsonString(String) deprecated. It should not have been part of the public API to begin with.

Artifacts built with openjdk 11.0.15 2022-04-19.

Pre-release 1.12.3-RC1

25 Mar 16:44
1.12.3-RC1
800d0c5

Fixes:

  • Fixed PublicKeyCredential failing to parse from JSON if an "authenticatorAttachment" attribute was present.

Artifacts built with openjdk 11.0.15 2022-04-19.

Version 1.12.2

28 Jan 18:35
1.12.2
5f14dc4

Fixes:

  • com.upokecenter:cbor dependency bumped to minimum version 4.5.1 due to a known vulnerability, see: GHSA-fj2w-wfgv-mwq6
  • Fixed crash in AuthenticatorData deserialization with com.upokecenter:cbor versions later than 4.0.1.

Artifacts built with openjdk 11.0.13 2021-10-19.

Version 1.12.1

08 Dec 12:01
1.12.1
8c29385

Fixes:

  • RelyingParty.finishAssertion() no longer makes multiple (redundant) calls to CredentialRepository.lookup().

Artifacts built with openjdk 11.0.13 2021-10-19.

Pre-release 1.12.1-RC1

23 Nov 16:22
1.12.1-RC1
e91d042

Fixes:

  • RelyingParty.finishAssertion() no longer makes multiple (redundant) calls to CredentialRepository.lookup().

Artifacts built with openjdk 11.0.13 2021-10-19.

Version 1.12.0

22 Nov 15:36
1.12.0
ddb1af3

New features:

  • New method RegisteredCredential.builder().publicKeyEs256Raw(ByteArray). This is a mutually exclusive alternative to .publicKeyCose(ByteArray), for easier backwards-compatibility with U2F-formatted (Raw ANSI X9.62) public keys.
  • "Migrating from U2F" section added to project README.

Artifacts built with openjdk 11.0.13 2021-10-19.

Pre-release 1.12.0-RC1

04 Nov 20:27
1.12.0-RC1
0762b12

New features:

  • New method RegisteredCredential.builder().publicKeyEs256Raw(ByteArray). This is a mutually exclusive alternative to .publicKeyCose(ByteArray), for easier backwards-compatibility with U2F-formatted (Raw ANSI X9.62) public keys.
  • "Migrating from U2F" section added to project README.

Artifacts built with openjdk 11.0.12 2021-07-20.

Version 1.11.0

04 Nov 17:09
1.11.0
869fff5

Deprecated features:

  • AuthenticatorSelectionCriteria methods builder().requireResidentKey(boolean) and isRequireResidentKey() deprecated in favor of a new option, see below.
  • The icon field in RelyingPartyIdentity and UserIdentity, and its associated methods, are now deprecated. The corresponding property was removed in WebAuthn Level 2.

Deprecated features will be removed in the next major version release.

Changes:

  • RelyingParty.startAssertion() no longer overwrites the appid extension input in the StartAssertionOptions argument.
  • RelyingParty.appId setting now also activates the appidExclude extension in addition to the appid extension.
  • RelyingParty.startRegistration() now enables the credProps extension by default. The extension output, if any, is available as RegistrationResult.isDiscoverable() and RegistrationResult.getClientExtensionOutputs().getCredProps().

New features:

  • RegistrationResult.keyId() now includes transports if any were included in the AuthenticatorAttestationResponse. To get transports passed through, call PublicKeyCredential.response.getTransports() on the client side after successful registration, and add the result as the property response.transports in the JSON passed into PublicKeyCredential.parseRegistrationResponseJson. See the project README for an example.
  • Added support for the appidExclude, credProps, largeBlob and uvm extensions.
  • Added support for the new authenticatorSelectionCriteria.residentKey option:
    • Added method AuthenticatorSelectionCriteria.builder().residentKey(ResidentKeyRequirement).
    • Added method AuthenticatorSelectionCriteria.getResidentKey().
    • Methods builder().requireResidentKey(boolean) and isRequireResidentKey() deprecated in favor of the above two new methods.
    • The builder methods requireResidentKey(boolean) and residentKey(ResidentKeyRequirement) both control one shared setting, which sets both the requireResidentKey and residentKey options simultaneously and in agreement with each other for backwards compatibility with older browsers.
  • Added methods PublicKeyCredentialCreationOptions.toCredentialsCreateJson(), PublicKeyCredentialRequestOptions.toCredentialsGetJson() and AssertionRequest.toCredentialsGetJson() for serializing to JSON without having to use Jackson directly.
  • Added methods PublicKeyCredentialCreationOptions.toJson() and .fromJson(String) suitable for encoding to and decoding from JSON.
  • Added methods AssertionRequest.toJson() and .fromJson(String) suitable for encoding to and decoding from JSON.
  • Added methods StartAssertionOptions.builder().userHandle(ByteArray) and .userHandle(Optional<ByteArray>) as alternatives to .username(String) and .username(Optional<String>). The userHandle methods fill the same function as, and are mutually exclusive with, the username methods.
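The client-side half of the transports passthrough described above, as an added browser JavaScript example that is not taken from the project's README or sources: it serializes the PublicKeyCredential returned by navigator.credentials.create() into the JSON handed to PublicKeyCredential.parseRegistrationResponseJson, filling response.transports only when the browser actually implements getTransports(). The base64url encoding and the field names beyond transports are assumptions about what the parser accepts; the credential object is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example (not java-webauthn-server code). Assumptions: binary fields are
// base64url without padding; field names match parseRegistrationResponseJson.
function base64url(data) {
  const bytes = data instanceof Uint8Array ? data : new Uint8Array(data);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  // btoa is a global in browsers and in Node 16+.
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function registrationResponseToJson(credential) {
  const response = credential.response;
  // getTransports() is optional in the WebAuthn spec and absent in older
  // browsers, so the property is omitted rather than guessed.
  const transports =
    typeof response.getTransports === "function" ? response.getTransports() : undefined;
  const json = {
    id: credential.id,
    rawId: base64url(credential.rawId),
    type: credential.type,
    response: {
      attestationObject: base64url(response.attestationObject),
      clientDataJSON: base64url(response.clientDataJSON),
    },
    clientExtensionResults:
      typeof credential.getClientExtensionResults === "function"
        ? credential.getClientExtensionResults()
        : {},
  };
  if (Array.isArray(transports) && transports.length > 0) {
    json.response.transports = transports;
  }
  return json;
}

// Constructed stand-in for a PublicKeyCredential so the example runs in Node.
const fakeCredential = {
  id: "AQID",
  rawId: Uint8Array.from([1, 2, 3]).buffer,
  type: "public-key",
  response: {
    attestationObject: Uint8Array.from([0xa3, 0x63, 0x66, 0x6d, 0x74]).buffer,
    clientDataJSON: Uint8Array.from(new TextEncoder().encode('{"type":"webauthn.create"}')).buffer,
    getTransports: () => ["usb", "nfc"],
  },
  getClientExtensionResults: () => ({ credProps: { rk: true } }),
};

console.log(JSON.stringify(registrationResponseToJson(fakeCredential), null, 2));
```

The resulting object, once JSON.stringify'd and posted, is what the server passes to PublicKeyCredential.parseRegistrationResponseJson; the server then reads the transports back from RegistrationResult.keyId().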

Fixes:

  • Added missing JavaDoc for id and name methods of initial RelyingPartyIdentityBuilder stages.
  • Added and improved JavaDoc for required builder methods.
  • Javadoc for TokenBindingInfo.id incorrectly stated that the value is base64url encoded.
  • Javadoc for TokenBindingStatus.PRESENT incorrectly referenced its own (private) id member instead of TokenBindingInfo.id.
  • Improved JavaDoc for StartRegistrationOptions.authenticatorSelection.
  • Improved JavaDoc for RelyingParty.appId.
  • Make the RelyingParty.validateSignatureCounter JavaDoc also cover the success case where stored and received signature count are both zero.

Artifacts built with openjdk 11.0.12 2021-07-20.

Pre-release 1.11.0-RC5

26 Oct 14:08
1.11.0-RC5
a16f29a

Changes:

  • RelyingParty.startRegistration() no longer overwrites the appidExclude and credProps extension inputs in the StartRegistrationOptions argument.
  • RelyingParty.startAssertion() no longer overwrites the appid extension input in the StartAssertionOptions argument.

Artifacts built with openjdk 11.0.12 2021-07-20.