WebAuthnAuthenticationRequestToken should be serializable. It isn't, however, since some of its components aren't serializable. Either they should also be serializable or be marked as transient.

Comment From: franticticktick

Hi @jzheaux, could you assign this ticket to me please?

Comment From: jzheaux

Sure thing, @franticticktick. Will you please add it on the 6.4.x branch?

Comment From: franticticktick

@jzheaux there seems to be some confusion here. WebAuthnAuthenticationRequestToken contains RelyingPartyAuthenticationRequest, and it already contains PublicKeyCredentialRequestOptions. This issue should be solved here, and I see that this ticket is still in progress. Besides, it was not introduced as a bug, which means the changes will be merged into main. Therefore, we need to decide which branch to add these changes to.

Comment From: jzheaux

My concern here is that WebAuthnAuthenticationRequestToken already implements Serializable and is thus at risk of having that ID change should any of its internals change in 6.5. It would mean that folks using Java serialization for this component would break when moving from 6.4 to 6.5. I'd rather mitigate that risk by adding an ID in 6.4.x. I double-checked with @rwinch and we are on the same page.

As such the work in https://github.com/spring-projects/spring-security/issues/16431 will need to be repeated in 6.4.x as part of this ticket.

So, let's please continue with the plan to target 6.4.x for this fix.
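The risk jzheaux describes above (a `Serializable` class whose stream ID is derived from its structure, so any internal change in a later release breaks deserialization of older data), together with the `transient` option from the issue description, as an added illustration. This is not Spring Security code; `Token` and `NonSerializableOptions` are hypothetical stand-ins for the real token and its non-serializable component.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

public class SerializableTokenDemo {

    // Hypothetical component that is NOT Serializable (stands in for an options object).
    static final class NonSerializableOptions {
        final String challenge;
        NonSerializableOptions(String challenge) { this.challenge = challenge; }
    }

    // Hypothetical token; mirrors the shape discussed in the thread, not the real class.
    static final class Token implements Serializable {
        // Pin the ID. Without this the JVM computes it from the class structure, so adding
        // a field or method in a later release changes it and old streams fail to load.
        private static final long serialVersionUID = 1L;

        private final String principal;
        // Not Serializable, so it is excluded from the stream and is null after reading back.
        private final transient NonSerializableOptions options;

        Token(String principal, NonSerializableOptions options) {
            this.principal = principal;
            this.options = options;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; the challenge value is made up for the demo.
        Token token = new Token("alice", new NonSerializableOptions("constructed-challenge"));
        Token copy = (Token) deserialize(serialize(token));
        System.out.println("principal survives: " + copy.principal);
        System.out.println("transient options dropped: " + (copy.options == null));
        // The ID actually written into the stream is the pinned one, not a computed hash.
        System.out.println("stream ID: " + ObjectStreamClass.lookup(Token.class).getSerialVersionUID());
    }
}
```

Removing the explicit `serialVersionUID` line and adding a field to `Token` is enough to see the computed ID change between the two builds, which is the cross-version breakage the comment above wants to avoid by pinning the ID in 6.4.x.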

Comment From: franticticktick

@jzheaux thanks for the explanation :) I can make WebAuthnAuthenticationRequestToken and its related classes, like RelyingPartyAuthenticationRequest, PublicKeyCredential, AuthenticatorAssertionResponse, etc., serializable. PublicKeyCredentialRequestOptions will remain as is, since it will be made serializable via https://github.com/spring-projects/spring-security/issues/16431. But we must remember that some classes are already serializable and are located in the main branch, for example Bytes. We need to make a backport to 6.4.x. And this should be taken into account now in https://github.com/spring-projects/spring-security/issues/16431.

Comment From: re1709

Has https://github.com/spring-projects/spring-security/issues/16431 been merged as part of this into 6.4.3? As I'm failing to see the changes to make creation options serializable in 6.4.x or 6.5. Could anyone shed some light please?