FIXED: The registration and authentication response endpoints now correctly return UAF status code 1492 Unacceptable Authenticator in case the UAF policy does not allow the authenticator, instead of UAF status code 1498 Unacceptable Content. (NEVISFIDO-1940)
CHANGED: Errors occurring during the final challenge parameter validation in the authentication response service resulting in UAF status code 1491 Request Invalid are now logged on ERROR level. This can help to identify configuration problems (such as an incorrect appID in the Facets configuration) more quickly. (NEVISFIDO-2099)
FIXED: The HTTP Client used to connect to nevisIdm REST service and the Firebase Cloud Messaging service was in some cases incorrectly configured limiting the maximum allowed connections per route to 5. The intended default 50 is now properly used. (NEVISFIDO-2103)
FIXED: FIDO2 credentials that were not active in the credential repository were not being excluded during the authentication ceremony. (NEVISFIDO-2110)
CHANGE: The PublicKeyCredentialOptions stored in the FIDO2 session (webauthn_sessions) changed its format. Because of the serialisation used, it's not backward compatible. Ongoing registration or authentication ceremonies (started before upgrading) will fail. (NEVISFIDO-2006)
FIXED: The session store incorrectly storing time data in certain cases when using MariaDB. This caused an error during daylight saving time switch in spring while 1 hour disappears from time. MariaDB JDBC driver defaulting to the server timezone caused to double convert from local timezone to UTC. Normally this does not cause any issue for nevisFIDO as the read/write uses the same logic. During the daylight saving time switch this causes a validation error at db that we try to insert a not existing (valid) time. Database connection session is now using UTC timezone to avoid this. Note that because of this change Sessions will expire earlier with the timezone offset. If this is not acceptable you can fix the data in the DB like this: update uaf_sessions set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated = DATE_ADD(status_updated, INTERVAL 2 HOUR); update token_sessions set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated = DATE_ADD(status_updated, INTERVAL 2 HOUR); update webauthn_sessions set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated_at = DATE_ADD(status_updated_at, INTERVAL 2 HOUR); update jws_requests set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR); These statements assume Central European Time and that the data was created in Summer time. (With winter time you have to add only 1 hour) In case of getting an error like Unknown or incorrect time zone: 'UTC' afterwards that means your database did not have the timezone database initilized. You have to run mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p to verifiy the result of that you can run SELECT * FROM mysql.time_zone_name;. Note that this will only impact you if you upgrading from the java8 els versions or any rolling version >= 2.4.0.7. Upgrading from LTS21 is not impacted as LTS21 does not have this issue yet as it was introduced in NEVISFIDO-1817. (NEVISFIDO-2080)
UPGRADED: We upgraded the Apache Http Client third-party dependencies to version 5.3.1. (NEVISFIDO-2006)
UPGRADED: We upgraded the Apache Http Core third-party dependencies to version 5.2.4. (NEVISFIDO-2006)
UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78. (NEVISFIDO-2062)
UPGRADED: We upgraded the google-api-client third-party dependency to version 2.4.0. (NEVISFIDO-2006)
UPGRADED: We upgraded the google-auth-library third-party dependency to version 1.23.0. (NEVISFIDO-2006)
UPGRADED: We upgraded the guava third-party dependency to version 33.1.0-jre. (NEVISFIDO-2006)
UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISFIDO-2006)
UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 7.2405.0.x. (NEVISFIDO-2006)
UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0 (NEVISFIDO-2012)
UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.7. (NEVISFIDO-2012)
UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1. (NEVISFIDO-2006)
UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.3. (NEVISFIDO-2006)
UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0. (NEVISFIDO-2006)
UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.3. (NEVISFIDO-2017)
UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12. (NEVISFIDO-2006)
UPGRADED: We upgraded the Spring-boot third-party dependency to version 3.2.4. (NEVISFIDO-2065)
UPGRADED: We upgraded Spring third-party dependencies to version 6.1.6. (NEVISFIDO-2065)
UPGRADED: We upgraded the Webauthn4j api third-party dependency to version 0.23.0.RELEASE. (NEVISFIDO-2006)
UPGRADED: We upgraded the ZXing third-party dependency to version 3.5.3. (NEVISFIDO-2006)
FIXED: Dispatch target and the UAF credential is only linked for the first authenticator registration of a user but not for additional ones. (NEVISFIDO-2043)
FIXED: Session update operations did not check if the update was successful. (NEVISFIDO-2050)
FIXED: UAF credential login information in nevisIdm was incorrectly updated for all UAF credentials of the user during authentication instead of only the credential used for the current authentication operation. (NEVISFIDO-2047)
EXPERIMENTAL: The device credential management endpoint returns a WWW-Authenticate header in case of expired device signature. (NEVISFIDO-2028)