
Releases: Yubico/java-webauthn-server

Pre-release 2.1.0-alpha1

19 May 15:46
2.1.0-alpha1
0d1116c

New features:

  • Added method FidoMetadataDownloader.refreshBlob().

Artifacts built with openjdk 11.0.15 2022-04-19.

Version 2.0.0

02 May 16:02
2.0.0
16e0acb

This release removes deprecated APIs and changes some defaults to better align with the L2 version of the WebAuthn spec. It also adds a new major feature: optional integration with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots. See below for details.

webauthn-server-core:

Breaking changes:

  • Deleted deprecated icon field in RelyingPartyIdentity and UserIdentity, and its associated methods.
  • Deleted deprecated AuthenticatorSelectionCriteria methods builder().requireResidentKey(boolean) and isRequireResidentKey().
  • RelyingParty parameter allowUnrequestedExtensions removed. The library will now always accept unrequested extensions.
  • Class ClientAssertionExtensionOutputs now silently ignores unknown extensions instead of rejecting them.
  • webauthn-server-core-minimal module deleted.
  • webauthn-server-core no longer depends on BouncyCastle and will no longer attempt to automatically fall back to it. Therefore, EdDSA keys are no longer supported by default in JDK 14 and earlier. The library will log warnings if configured for algorithms with no JCA provider available, in which case the dependent project may need to add additional dependencies and configure JCA providers externally.
  • Enum value AttestationType.ECDAA removed without replacement.
  • Deleted methods RegistrationResult.getWarnings() and AssertionResult.getWarnings() since they are now always empty.
  • Framework for attestation metadata has been fully overhauled. See the webauthn-server-attestation module documentation for the new ways to work with attestation metadata:
    • Deleted method RegistrationResult.getAttestationMetadata().
    • Interface MetadataService replaced with AttestationTrustSource, and optional RelyingParty setting .metadataService(MetadataService) replaced with .attestationTrustSource(AttestationTrustSource).
    • Deleted types Attestation and Transport.
    • Deleted method AuthenticatorTransport.fromU2fTransport.
  • RelyingParty.finishRegistration() now uses a JCA CertPathValidator to validate attestation certificate paths, if an attestation trust source has been configured. This requires a compatible JCA provider, but should already be available in most environments.
  • Classes in package com.yubico.fido.metadata moved to com.yubico.webauthn.extension.uvm to avoid name clash with webauthn-server-attestation module in JPMS.
  • Changed return type of PublicKeyCredentialRequestOptions.getUserVerification(), AuthenticatorSelectionCriteria.getUserVerification() and AuthenticatorSelectionCriteria.getResidentKey() to Optional, and changed defaults for userVerification and residentKey to empty. This means we won't inadvertently suppress warnings that browsers might issue in the browser console if for example userVerification is not set explicitly.

New features:

  • Method getAaguid() added to RegistrationResult.
  • Method getAttestationTrustPath() added to RegistrationResult.
  • Setting .clock(Clock) added to RelyingParty. It is used for attestation path validation if an attestationTrustSource is configured.

webauthn-server-attestation:

Breaking changes:

  • Types AttestationResolver, CompositeAttestationResolver, CompositeTrustResolver, DeviceMatcher, ExtensionMatcher, FingerprintMatcher, MetadataObject, SimpleAttestationResolver, SimpleTrustResolver, StandardMetadataService and TrustResolver deleted in favour of a new attestation metadata framework. Some of the functionality is retained as the new YubicoJsonMetadataService class in the webauthn-server-demo subproject in the library sources, but no longer exposed in either library module.
  • Library no longer contains a /metadata.json resource.

New features:

  • New types FidoMetadataService and FidoMetadataDownloader which integrate with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots.
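As an added illustration (not code from the project or its release notes), this is how the 2.0.0 pieces named above fit together: a FidoMetadataDownloader supplies a cached MDS BLOB, FidoMetadataService wraps it as the AttestationTrustSource, RelyingParty gets that source plus an explicit Clock for certificate path validation, and finishRegistration() is followed by a policy check on isAttestationTrusted(), getAaguid() and getAttestationTrustPath(). The downloader builder methods (expectLegalHeader, useDefaultTrustRoot, useTrustRootCacheFile, useDefaultBlob, useBlobCacheFile), useBlob, isAttestationTrusted and ByteArray.getHex() are assumed from the 2.0.0 API; LEGAL_HEADER, cacheDir, rpIdentity and credentialRepository are placeholders the caller supplies.

```java
import com.yubico.fido.metadata.FidoMetadataDownloader;
import com.yubico.fido.metadata.FidoMetadataService;
import com.yubico.webauthn.*;
import com.yubico.webauthn.data.*;
import java.io.File;
import java.time.Clock;

public class AttestationSetup {
  // Placeholder: copy the legalHeader string from the MDS BLOB verbatim after reviewing it.
  static final String LEGAL_HEADER = "<legalHeader from the BLOB>";

  // Build the trust source once at startup. loadCachedBlob() (renamed from loadBlob() in
  // 2.0.0-RC2) returns the cached BLOB, fetching it from the FIDO MDS when the cache is
  // missing or expired, and verifies its signature chain against the trust root first.
  static FidoMetadataService buildMetadataService(File cacheDir) throws Exception {
    FidoMetadataDownloader downloader = FidoMetadataDownloader.builder()
        .expectLegalHeader(LEGAL_HEADER)
        .useDefaultTrustRoot()
        .useTrustRootCacheFile(new File(cacheDir, "fido-mds-trust-root.bin"))
        .useDefaultBlob()
        .useBlobCacheFile(new File(cacheDir, "fido-mds-blob.bin"))
        .build();
    return FidoMetadataService.builder().useBlob(downloader.loadCachedBlob()).build();
  }

  // 2.0.0 wiring: attestationTrustSource(...) replaces metadataService(...), and the Clock
  // is what the JCA CertPathValidator uses when checking attestation certificate validity.
  static RelyingParty buildRelyingParty(RelyingPartyIdentity rpIdentity,
      CredentialRepository credentialRepository, FidoMetadataService mds) {
    return RelyingParty.builder()
        .identity(rpIdentity)
        .credentialRepository(credentialRepository)
        .attestationTrustSource(mds)
        .clock(Clock.systemUTC())
        .build();
  }

  // Finish registration and apply an attestation policy using the new result accessors.
  static RegistrationResult finishRegistration(RelyingParty rp,
      PublicKeyCredentialCreationOptions request,
      PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> response)
      throws RegistrationFailedException {
    RegistrationResult result = rp.finishRegistration(
        FinishRegistrationOptions.builder().request(request).response(response).build());
    if (!result.isAttestationTrusted()) {
      // Policy choice: reject, or store the credential flagged as unattested.
      throw new IllegalStateException("Untrusted attestation, AAGUID " + result.getAaguid().getHex());
    }
    // The trust path is present only when the attestation chained to a trusted root.
    result.getAttestationTrustPath().ifPresent(p -> System.out.println("Trust path: " + p.size() + " certs"));
    return result;
  }
}
```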

Artifacts built with openjdk 11.0.15 2022-04-19.

NOTICE: Psychic signatures in Java

In April 2022, a vulnerability was disclosed in Oracle's OpenJDK (and other JVMs derived from it) which can impact applications using java-webauthn-server. The impact is that for the most common type of WebAuthn credential, invalid signatures are accepted as valid, allowing authentication bypass for users with such a credential. Please read Oracle's advisory and make sure you are not using one of the impacted OpenJDK versions. If you are, we urge you to upgrade your Java deployment to a version that is safe.

Pre-release 2.0.0-RC2

02 May 12:21
2.0.0-RC2
a849a70

Breaking changes:

  • Method FidoMetadataDownloader.loadBlob() renamed to loadCachedBlob().

Artifacts built with openjdk 11.0.15 2022-04-19.

Version 1.12.4

02 May 11:41
1.12.4
e95b7f6

Deprecated features:

  • Option RelyingParty.allowUnrequestedExtensions deprecated. The false setting (default) is not compatible with WebAuthn Level 2 since authenticators are now always allowed to add unsolicited extensions. The next major version release will remove this option and always behave as if the option had been set to true.
  • Enum value AttestationType.ECDAA. ECDAA was removed in WebAuthn Level 2.
  • Function TokenBindingStatus.fromJsonString(String) deprecated. It should not have been part of the public API to begin with.

Artifacts built with openjdk 11.0.15 2022-04-19.

NOTICE: Psychic signatures in Java

In April 2022, a vulnerability was disclosed in Oracle's OpenJDK (and other JVMs derived from it) which can impact applications using java-webauthn-server. The impact is that for the most common type of WebAuthn credential, invalid signatures are accepted as valid, allowing authentication bypass for users with such a credential. Please read Oracle's advisory and make sure you are not using one of the impacted OpenJDK versions. If you are, we urge you to upgrade your Java deployment to a version that is safe.

Pre-release 1.12.4-RC2

15 Apr 15:35
1.12.4-RC2
5e25a02

This pre-release merges the changes from version 1.12.3 into the 1.12.4 release branch.

Artifacts built with openjdk 11.0.15 2022-04-19.

Version 1.12.3

15 Apr 14:47
1.12.3
8eb6278

Fixes:

  • Fixed PublicKeyCredential failing to parse from JSON if an "authenticatorAttachment" attribute was present.
  • Bumped Jackson dependency to version [2.13.2.1,3) in response to CVE-2020-36518.
  • Fixed bug in RelyingParty.finishAssertion that would throw a nondescript NoSuchElementException if username and user handle are both absent, instead of an IllegalArgumentException with a better error message.

Artifacts built with openjdk 11.0.15 2022-04-19.

Pre-release 1.12.3-RC3

01 Apr 15:41
1.12.3-RC3
b234847

Fixes:

  • Fixed bug in RelyingParty.finishAssertion where, if StartAssertionOptions.userHandle was set, it did not propagate to RelyingParty.finishAssertion and caused an error saying username and user handle are both absent, unless a user handle was returned by the authenticator.

New features:

  • Added userHandle field to AssertionRequest as part of the above bug fix. userHandle is mutually exclusive with username.

Artifacts built with openjdk 11.0.15 2022-04-19.

Pre-release 1.12.3-RC2

31 Mar 10:08
1.12.3-RC2
c81c9a8

Fixes:

  • Bumped Jackson dependency to version [2.13.2.1,3) in response to CVE-2020-36518.
  • Fixed bug in RelyingParty.finishAssertion that would throw a nondescript NoSuchElementException if username and user handle are both absent, instead of an IllegalArgumentException with a better error message.

Artifacts built with openjdk 11.0.15 2022-04-19.

Pre-release 2.0.0-RC1

30 Mar 01:36
2.0.0-RC1
6bb82b7

This release removes deprecated APIs and changes some defaults to better align with the L2 version of the WebAuthn spec. It also adds a new major feature: optional integration with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots. See below for details.

webauthn-server-core:

Breaking changes:

  • Deleted deprecated icon field in RelyingPartyIdentity and UserIdentity, and its associated methods.
  • Deleted deprecated AuthenticatorSelectionCriteria methods builder().requireResidentKey(boolean) and isRequireResidentKey().
  • RelyingParty parameter allowUnrequestedExtensions removed. The library will now always accept unrequested extensions.
  • Class ClientAssertionExtensionOutputs now silently ignores unknown extensions instead of rejecting them.
  • webauthn-server-core-minimal module deleted.
  • webauthn-server-core no longer depends on BouncyCastle and will no longer attempt to automatically fall back to it. Therefore, EdDSA keys are no longer supported by default in JDK 14 and earlier. The library will log warnings if configured for algorithms with no JCA provider available, in which case the dependent project may need to add additional dependencies and configure JCA providers externally.
  • Enum value AttestationType.ECDAA removed without replacement.
  • Deleted methods RegistrationResult.getWarnings() and AssertionResult.getWarnings() since they are now always empty.
  • Framework for attestation metadata has been fully overhauled. See the webauthn-server-attestation module documentation for the new ways to work with attestation metadata:
    • Deleted method RegistrationResult.getAttestationMetadata().
    • Interface MetadataService replaced with AttestationTrustSource, and optional RelyingParty setting .metadataService(MetadataService) replaced with .attestationTrustSource(AttestationTrustSource).
    • Deleted types Attestation and Transport.
    • Deleted method AuthenticatorTransport.fromU2fTransport.
  • RelyingParty.finishRegistration() now uses a JCA CertPathValidator to validate attestation certificate paths, if an attestation trust source has been configured. This requires a compatible JCA provider, but should already be available in most environments.
  • Classes in package com.yubico.fido.metadata moved to com.yubico.webauthn.extension.uvm to avoid name clash with webauthn-server-attestation module in JPMS.
  • Changed return type of PublicKeyCredentialRequestOptions.getUserVerification(), AuthenticatorSelectionCriteria.getUserVerification() and AuthenticatorSelectionCriteria.getResidentKey() to Optional, and changed defaults for userVerification and residentKey to empty. This means we won't inadvertently suppress warnings that browsers might issue in the browser console if for example userVerification is not set explicitly.

New features:

  • Method getAaguid() added to RegistrationResult.
  • Method getAttestationTrustPath() added to RegistrationResult.
  • Setting .clock(Clock) added to RelyingParty. It is used for attestation path validation if an attestationTrustSource is configured.

webauthn-server-attestation:

Breaking changes:

  • Types AttestationResolver, CompositeAttestationResolver, CompositeTrustResolver, DeviceMatcher, ExtensionMatcher, FingerprintMatcher, MetadataObject, SimpleAttestationResolver, SimpleTrustResolver, StandardMetadataService and TrustResolver deleted in favour of a new attestation metadata framework. Some of the functionality is retained as the new YubicoJsonMetadataService class in the webauthn-server-demo subproject in the library sources, but no longer exposed in either library module.
  • Library no longer contains a /metadata.json resource.

New features:

  • New types FidoMetadataService and FidoMetadataDownloader which integrate with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots.

Artifacts built with openjdk 11.0.15 2022-04-19.

Pre-release 1.12.4-RC1

30 Mar 01:08
1.12.4-RC1
9ce1422

Deprecated features:

  • Option RelyingParty.allowUnrequestedExtensions deprecated. The false setting (default) is not compatible with WebAuthn Level 2 since authenticators are now always allowed to add unsolicited extensions. The next major version release will remove this option and always behave as if the option had been set to true.
  • Enum value AttestationType.ECDAA. ECDAA was removed in WebAuthn Level 2.
  • Function TokenBindingStatus.fromJsonString(String) deprecated. It should not have been part of the public API to begin with.

Artifacts built with openjdk 11.0.15 2022-04-19.