Version 2.5.0

webauthn-server-core:

Breaking changes to experimental features:

• Added Jackson annotation @JsonProperty to method RegisteredCredential.isBackedUp(), changing the property name from backedUp to backupState. backedUp is still accepted during deserialization but will no longer be emitted during serialization.

New features:

• Added method .isUserVerified() to RegistrationResult and AssertionResult as a shortcut for accessing the UV flag in authenticator data.
• Updated README and JavaDoc to use the "passkey" term and provide more guidance around passkey use cases.
• Added Automatic-Module-Name to jar manifest.

Fixes:

• AuthenticatorAttestationResponse now tolerates and ignores properties "publicKey" and "publicKeyAlgorithm" during JSON deserialization. These properties are emitted by the PublicKeyCredential.toJSON() method added in WebAuthn Level 3.
• Relaxed Guava dependency version constraint to include major version 32.
• RelyingParty.finishAssertion now behaves the same if StartAssertionOptions.allowCredentials is explicitly set to a present, empty list as when absent.

webauthn-server-attestation:

New features:

• Added option verifyDownloadsOnly(boolean) to FidoMetadataDownloader. When set to true, the BLOB signature will not be verified when loading a BLOB from cache or when explicitly given. Default setting is false, which preserves the previous behaviour.
• Added Automatic-Module-Name to jar manifest.

Fixes:

• Made Jackson setting PROPAGATE_TRANSIENT_MARKER unnecessary for JSON serialization with Jackson version 2.15.0-rc1 and later.

Artifacts built with openjdk version "17.0.7" 2023-04-18.