- Encryption and decryption performance has been enhanced through the implementation of caching for the KeyStore, Cipher, and Symmetric Key. Additionally, developers now have the flexibility to enable or disable StrongBox during key generation. [SDKS-4090]
- Support for new response payload in WebAuthn authentication and registration [SDKS-3843]
- Ability to update Firebase Cloud Messaging (FCM) device token for existing push mechanisms [SDKS-3684]
- Improved logging for errors and warning exceptions [SDKS-3990]
- Fixed an issue causing a crash when the app process was killed in the background during the centralized login flow [SDKS-3993]
- A fallback mechanism that uses an asymmetric key if symmetric key generation in the Android Keystore fails [SDKS-3467]
- Support for Self-Service [SDKS-3408]
- Support for Sign-out with ID Token in the PingOne Platform [SDKS-3423]
- Prevent duplicate PUSH notifications in the Authenticator module [SDKS-3533]
- Fixed an issue where, in some cases, a user's session was not invalidated upon re-authentication [SDKS-3772]
- Allow developers to customize SDK storage [SDKS-3378]
- Support PingOne Protect Marketplace nodes [SDKS-3297]
- Support reCAPTCHA Enterprise node [SDKS-3325]
- Expose Realm, Success Url with SSOToken [SDKS-3351]
- Support Android 15 [SDKS-3098]
- Support http/https scheme for Centralize Login redirect [SDKS-3433]
- Skip Type 4 TextOutputCallback [SDKS-3227]
- Potential CustomTabManager ServiceConnection leak [SDKS-3346]
- access_token api call triggered twice on force refresh [SDKS-3254]
- Allow http/https as redirect scheme in centralize login flow [SDKS-3433]
- Added SDK support for deleting registered WebAuthn devices from the server. [SDKS-1710]
- Added support for signing off from PingOne to the centralized login flow. [SDKS-3020]
- Added the ability to dynamically configure the SDK by collecting values from the server's OpenID Connect `.well-known` endpoint. [SDKS-3022]
- Resolved security vulnerability warnings related to the `commons-io-2.6.jar` and `bcprov-jdk15on-1.68.jar` libraries. [SDKS-3072, SDKS-3073]
- Fixed a `NullPointerException` in the centralized login flow. [SDKS-3079]
- Improved multi-threaded performance when caching access tokens. [SDKS-3104]
- Synchronized the encryption and decryption block to avoid keystore crashes. [SDKS-3199]
- Fixed an issue related to handling `HiddenValueCallback` if `isMinifyEnabled` is set to `true`. [SDKS-3201]
- Fixed an issue where device binding using an application PIN was failing when Arabic language was used. [SDKS-3221]
- Fixed an issue where browser sessions were not properly signed out when a non-default browser was used in centralized login. [SDKS-3276]
- Fixed an unexpected behavior in the authentication flow caused by `AppAuthConfiguration` settings being ignored during centralized login. [SDKS-3277]
- Fixed the `FRUser.revokeAccessToken()` method to not end the user's session during the centralized login flow. [SDKS-3282]
- Added `TextInput` callback support [SDKS-545]
- Added a new module for integration with `PingOne Protect` [SDKS-2900]
- Added interface allowing developers to customize the biometric prompt for device binding/signing [SDKS-2991]
- Added immutable HTTP headers on each request `x-requested-with: forgerock-sdk` and `x-requested-platform: android` [SDKS-3033]
- Addressed `nimbus-jose-jwt:9.25` library security vulnerability (CVE-2023-52428) [SDKS-2988]
- NullPointerException for Centralize Login, Replace deprecated onActivityResult with ActivityResultContract [SDKS-3079]
- Fixed an issue where the SDK was crashing during device binding on Android 9 devices [SDKS-2948]
- Added the ability to customize cookie headers in outgoing requests from the SDK [SDKS-2780]
- Added the ability to insert custom claims when performing device signing verification [SDKS-2787]
- Added client-side support for the `AppIntegrity` callback [SDKS-2631]
- The SDK now uses `auth-per-use` keys for Device Binding [SDKS-2797]
- Improved handling of WebAuthn cancellations [SDKS-2819]
- Made `forgerock_url`, `forgerock_realm`, and `forgerock_cookie_name` params mandatory when dynamically configuring the SDK [SDKS-2782]
- Addressed `woodstox-core:6.2.4` library security vulnerability (CVE-2022-40152) [SDKS-2751]
- Gradle 8 and JDK 17 support [SDKS-2451]
- Android 14 support [SDKS-2636]
- Key pair verification with key attestation during device binding enrollment [SDKS-2412]
- Added `iat` and `nbf` claims in the Device Binding and Device Signed JWT [SDKS-2747]
- Interceptor support for the Authenticator module [SDKS-2544]
- Interface for access_token refresh [SDKS-2567]
- Ability to process new JSON format of IG policy advice [SDKS-2240]
- Fixed an issue on parsing `issuer` from combined MFA registration uri [SDKS-2542]
- Added error message about duplicated accounts while performing combined MFA registration [SDKS-2627]
- Fixed an issue related to "lost" WebAuthn credentials upon upgrade from 4.0.0-beta4 to newer version [SDKS-2576]
- Upgrade Google Fido Client to support PassKey [SDKS-2243]
- FRWebAuthn interface to remove WebAuthn Reference Keys [SDKS-2272]
- Interface to set Device Name during WebAuthn Registration [SDKS-2296]
- `DeviceBinding` callback support [SDKS-1747]
- `DeviceSigningVerifier` callback support [SDKS-2022]
- Support for combined MFA in the Authenticator SDK [SDKS-2166]
- Support for policy enforcement in the Authenticator SDK [SDKS-2166]
- Fix for WebAuthn authentication for devices which use full screen biometric prompt [SDKS-2340]
- Fixed functionality for NetworkCollector [SDKS-2445]
- `public void WebAuthnRegistrationCallback.register(Node node,FRListener<Void> listener)` to `suspend fun register(context: Context, node: Node)`
- `public void WebAuthAuthenticationCallback.authenticate(@NonNull Fragment fragment, @NonNull Node node, @Nullable WebAuthnKeySelector selector, FRListener<Void> listener)` to `suspend fun authenticate(context: Context, node: Node, selector: WebAuthnKeySelector = WebAuthnKeySelector.DEFAULT)`
- `FRAClient.updateAccount` now throws `AccountLockException` upon attempt to update a locked account [SDKS-2166]
- `OathMechanism.getOathTokenCode()`, `HOTPMechanism.getOathTokenCode()` and `TOTPMechanism.getOathTokenCode()` now throw `AccountLockException` upon attempt to get an OATH token for a locked account [SDKS-2166]
- Removed support for native single sign-on (SSO) [SDKS-2260], [SDKS-1367]
- Dynamic SDK Configuration [SDKS-1759]
- Android 13 support. [SDKS-1944]
- Changed Activity type used as parameter in `PushNotification.accept`. [SDKS-1968]
- Deserializing an object with whitelist to prevent deserialization of untrusted data. [SDKS-1818]
- Updated the `Authenticator` module and sample app to handle the new `POST_NOTIFICATIONS` permission in Android 13. [SDKS-2033]
- Fixed issue where the `DefaultTokenManager` was not caching the `AccessToken` in memory upon retrieval from Shared Preferences. [SDKS-2066]
- Deprecated the `forgerock_enable_cookie` configuration [SDKS-2069]
- Align `forgerock_logout_endpoint` configuration name with the ForgeRock iOS SDK [SDKS-2085]
- Allow leading slash on custom endpoint path [SDKS-2074]
- Fixed bug where `state` parameter value was not being verified upon calling the `Authorize` endpoint [SDKS-2078]
- Bumped the version of the com.squareup.okhttp3 library to 4.10.0 [SDKS-1957]
- Interface for log management [SDKS-1864]
- Support SSL Pinning [SDKS-80]
- Restore SSO Token when it is out of sync with the SSO Token that bound with the Access Token [SDKS-1664]
- SSO Token should be included in the header instead of request parameter for /authorize endpoint [SDKS-1670]
- Support to broadcast logout event to clear application tokens when user logout the app [SDKS-1663]
- Obtain timestamp from new PushNotification payload [SDKS-1666]
- Add new payload attributes to the PushNotification [SDKS-1776]
- Allow processing of Push Notifications without device token [SDKS-1844]
- Dispose AuthorizationService when no longer required [SDKS-1636]
- Authenticator sample app crash after scan push mechanism [SDKS-1454]
- Google Sign-In Security Enhancement [SDKS-1255]
- WebAuthn Registration & Authentication prompt not shown on second invocation on Single Activity App [SDKS-1297]
- AbstractValidatedCallback is not serializable [SDKS-1486]
- Provide Build-in Binary Protection to avoid Memory Corruption Attack [SDKS-1368]
- Disable native SSO if failed to access Android AccountManager [SDKS-1304]
- Introduce `FRLifecycle` and exposed interfaces to allow custom Native SSO implementation. [SDKS-1140]
- Unlock device is not required for data decryption. [SDKS-1141]
- Support Android 12. [SDKS-1141]
- Social Login support for Google and Facebook
- Biometric Authentication with WebAuthn
- Exposed Revoke access token method [SDKS-980] - `FRUser.getCurrentUser().revokeAccessToken(Listener)`
- Support Apple SignIn
- Remove deprecated methods (Config.getInstance(Context), FRAuth Builder, FRUserViewModel)
- Centralize Login (`AppAuth` Integration) [SDKS-330]
- Refresh Token is not persisted when refresh_token grant is not issuing new Refresh Token [SDKS-649]
- `org.forgerock.android.auth.FRUser.getAccessToken()` clean up tokens in the following conditions: [SDKS-701]
  - When Refresh Token Grant Types is used, Server returns invalid_grant (Refresh Token expired), and failed to acquire OAuth2 Tokens with Session Token
  - When Refresh Token Grant Types is not used, and failed to acquire OAuth2 Tokens with Session Token
- Properly cache and reuse OKHttpClient [SDKS-770]
- Fix HostOnly Cookie handling [SDKS-808]
- Support NumberAttributeInputCallback [SDKS-495]
- Support BooleanAttributeInputCallback [SDKS-497]
- Access to the Page Node's header and description property [SDKS-518]
- Support Email Suspend Node [SDKS-505]
- Security Enhancement for Android 28+ Device [SDKS-571]
- `Set Persistent Cookie Node` is now supported to persist and manage Cookie [SDKS-182]
- `Device Profile Collector Node` is now supported [SDKS-293]
- `MetadataCallback` is now supported. For AM 6.5.2, when `MetadataCallback` is returned with stage value, SDK automatically parses `MetadataCallback` into Node's stage property. [SDKS-305]
- Allow server url paths to be configurable, Custom URL paths can be configured through `String.xml` or `ServerConfig` [SDKS-307]
- Support `Authentication by Server` and `Transaction Authenticate to Tree` in Policy Environment. [SDKS-88]
- Interface alignment with other platforms and introduce FRSession to authenticate against Authentication Tree in AM, persist and manage Session Token [SDKS-177]
- Allow developers to customize SDK outbound request, for example customize url to provide query parameters or adding/removing headers [SDKS-308]
- Allow developers to configure the cookie name [SDKS-364]
- New `forgerock-authenticator` module added to the SDK. This module allows developers to easily incorporate One-Time Password and Push Authentication capabilities in their apps [SDKS-225]
- `FRUser.login` & `FRUser.register` now throw `AlreadyAuthenticatedException` when there is already an authenticated user session [SDKS-177]
- When Session Token is updated through `FRSession.authenticate` or `FRUser.login`, previously granted OAuth2 token set will automatically be revoked. [SDKS-177]
- Rename device browser `agent` attribute to `userAgent` for `FRDevice` [SDKS-371]
- Fix Instrument Test. [SDKS-162]
- Fix Refresh of Access Token with Threshold not working consistently. [SDKS-476]
- `FRAuth.next()` is now deprecated, use `FRSession.authenticate` instead [SDKS-177]
- General Availability release for SDKs
- Changed OAuth2 authorization request to POST [SDKS-125]
- Store SSO token even SSO is disabled [SDKS-166]
- Initial release for forgerock-auth sdk
- Initial release for forgerock-auth-ui sdk