Subject: WebAuthn + JWT Integration with webauthn4j-spring-security
Hi Spring Security Team,
I’m currently working on an authentication system using Spring Security WebAuthn with webauthn4j, and I want to integrate it with JWT tokens instead of using the default session-based authentication.
My setup:
Spring Boot + Spring Security (latest stable version)
webauthn4j-spring-security-core (0.11.2.RELEASE)
Frontend running on https://aali.loca.lt
Custom TempJwtFilter for handling JWTs
Goal: When a user successfully authenticates with WebAuthn (fingerprint/biometric), I want the server to return a signed JWT to the client. This token will then be used for subsequent API requests (stateless, no session cookies).
Here’s a simplified version of my SecurityConfig (Maven project):
// Imports assume Spring Security 6.4's built-in WebAuthn support, which is where the
// http.webAuthn(...) DSL used below and WebAuthnAuthenticationFilter live. TempJwtFilter and
// corsConfigurationSource() are defined elsewhere in the project and not shown in this simplified version.
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;

@Configuration
@EnableWebSecurity(debug = true)
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            AuthenticationManager authManager,
                                            TempJwtFilter tempJwtFilter) throws Exception {
        WebAuthnAuthenticationFilter webAuthnFilter = new WebAuthnAuthenticationFilter();
        webAuthnFilter.setAuthenticationManager(authManager);
        // On success, answer with JSON carrying the token instead of a redirect.
        webAuthnFilter.setAuthenticationSuccessHandler((request, response, authentication) -> {
            String jwt = "dummy-token"; // TODO: generate real JWT
            response.setContentType("application/json");
            response.getWriter().write("""
                    { "authenticated": true, "token": "%s" }
                    """.formatted(jwt));
        });
        webAuthnFilter.setAuthenticationFailureHandler((request, response, exception) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.getWriter().write("{\"authenticated\": false}");
        });
        return http
                .cors(cors -> cors.configurationSource(corsConfigurationSource()))
                .csrf(csrf -> csrf.disable())
                .addFilterBefore(tempJwtFilter, UsernamePasswordAuthenticationFilter.class)
                // The filter configured above has to be registered in the chain, or it never runs.
                .addFilterBefore(webAuthnFilter, UsernamePasswordAuthenticationFilter.class)
                .webAuthn(auth -> auth.rpId("aali.loca.lt"))
                .build();
    }
}
The Problem
The current WebAuthnAuthenticationFilter + WebAuthnAuthenticationProvider work seamlessly with session management.
However, if I try to integrate JWT (stateless auth), there’s no clear documentation or examples on how to replace the session with JWT handling.
I can hack it by writing a success handler that generates a JWT, but then I’m unsure what the recommended way is to:
Replace SecurityContext population with a JWT-based mechanism.
Avoid session persistence entirely.
Keep the WebAuthn flow compliant with Spring Security conventions.
Feature Request
Could you provide:
Guidance (or official documentation) on how to integrate WebAuthn with JWT tokens in Spring Security?
Possibly an extension/example project where successful WebAuthn authentication issues a JWT instead of establishing a session.
Clarification on whether this is supported out of the box, or if custom filters/providers are the only path.
Thank you for your time and help!
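Added example, not part of the original post and not code from the Spring Security or webauthn4j projects: one way to wire the flow the post describes so that WebAuthn success issues a JWT and every later request is authenticated by that JWT alone. It assumes Spring Security 6.4 (the built-in http.webAuthn DSL and WebAuthnAuthenticationFilter), the spring-security-oauth2-jose module for NimbusJwtEncoder/NimbusJwtDecoder, and, exactly as the post does, an AuthenticationManager bean that can authenticate the filter's WebAuthnAuthenticationRequestToken. The class, handler and constant names are the example's own, the HS256 key is generated at startup for demonstration only, and the two permitted paths are the 6.4 default endpoints for the authentication ceremony. Instead of the custom TempJwtFilter, it answers the post's question about SecurityContext population with the stock resource-server support: BearerTokenAuthenticationFilter validates the JWT and populates the context on each request. CORS is omitted; the post's existing cors(...) configuration applies unchanged.

```java
// Added example for this issue, not code from Spring Security or webauthn4j. Assumes Spring
// Security 6.4 (http.webAuthn DSL, WebAuthnAuthenticationFilter), spring-security-oauth2-jose,
// and an AuthenticationManager bean that handles WebAuthnAuthenticationRequestToken (as in the post).
import java.io.IOException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import com.nimbusds.jose.jwk.source.ImmutableSecret;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class StatelessWebAuthnJwtConfig {

    private static final String RP_ID = "aali.loca.lt";              // rpId / frontend host from the post
    private static final String ORIGIN = "https://" + RP_ID;
    private static final Duration TOKEN_TTL = Duration.ofMinutes(15);  // keep access tokens short-lived

    // HS256 key shared by encoder and decoder. Regenerated on every start, which is fine for a demo;
    // in production load a persisted key (or an RSA/EC pair) from a secret store.
    private static SecretKey demoSigningKey() {
        byte[] raw = new byte[32];                                      // 256 bits, the minimum for HS256
        new SecureRandom().nextBytes(raw);
        return new SecretKeySpec(raw, "HmacSHA256");
    }

    // Success handler: mints a JWT for the authenticated principal and returns it as JSON.
    static final class JwtIssuingSuccessHandler implements AuthenticationSuccessHandler {
        private final JwtEncoder encoder;
        JwtIssuingSuccessHandler(JwtEncoder encoder) { this.encoder = encoder; }

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                            Authentication authentication) throws IOException {
            Instant now = Instant.now();
            JwtClaimsSet claims = JwtClaimsSet.builder()
                    .issuer(ORIGIN)
                    .subject(authentication.getName())
                    .issuedAt(now)
                    .expiresAt(now.plus(TOKEN_TTL))
                    .claim("amr", List.of("webauthn"))                  // how the subject authenticated
                    .build();
            JwsHeader header = JwsHeader.with(MacAlgorithm.HS256).build();
            String token = encoder.encode(JwtEncoderParameters.from(header, claims)).getTokenValue();
            response.setContentType("application/json");
            // a compact JWS is base64url, so it needs no escaping inside the JSON string
            response.getWriter().write("{\"authenticated\":true,\"token\":\"" + token + "\"}");
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authManager) throws Exception {
        SecretKey key = demoSigningKey();
        JwtEncoder encoder = new NimbusJwtEncoder(new ImmutableSecret<>(key));
        JwtDecoder decoder = NimbusJwtDecoder.withSecretKey(key).macAlgorithm(MacAlgorithm.HS256).build();
        WebAuthnAuthenticationFilter webAuthnFilter = new WebAuthnAuthenticationFilter();
        webAuthnFilter.setAuthenticationManager(authManager);
        // Keep the SecurityContext for this request only, so nothing is written to a session.
        webAuthnFilter.setSecurityContextRepository(new RequestAttributeSecurityContextRepository());
        webAuthnFilter.setAuthenticationSuccessHandler(new JwtIssuingSuccessHandler(encoder));
        webAuthnFilter.setAuthenticationFailureHandler((req, res, ex) -> {
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            res.setContentType("application/json");
            res.getWriter().write("{\"authenticated\":false}");
        });
        return http
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())   // acceptable only because no cookie-based credential remains
                .authorizeHttpRequests(auth -> auth
                        // assertion endpoints the browser calls before it holds a token (6.4 default paths)
                        .requestMatchers("/webauthn/authenticate/options", "/login/webauthn").permitAll()
                        .anyRequest().authenticated())
                // registered before the DSL's own filter for POST /login/webauthn, so this success handler runs
                .addFilterBefore(webAuthnFilter, UsernamePasswordAuthenticationFilter.class)
                .webAuthn(w -> w.rpName("Passkey demo").rpId(RP_ID).allowedOrigins(ORIGIN))
                // replaces the custom TempJwtFilter: BearerTokenAuthenticationFilter validates the JWT on each call
                .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(decoder)))
                .build();
    }
}
```

The client stores the returned token and sends it as `Authorization: Bearer <token>` on every API call; a missing, expired or tampered token is rejected by the resource-server filter with a 401 before any controller runs. Two caveats worth knowing before calling this "session-free". First, STATELESS only stops Spring Security from persisting the SecurityContext; the challenge returned by `/webauthn/authenticate/options` still has to be held server-side until the assertion comes back, and Spring Security's default `PublicKeyCredentialRequestOptionsRepository` keeps it in the `HttpSession`, so the login ceremony itself still touches a session unless you supply a repository backed by something else (for example a short-lived cache keyed by the challenge). Second, a symmetric HS256 key lets anything that can verify tokens also mint them; if other services will validate these JWTs, sign with an RSA or EC private key and hand out only the public key.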