This commit applies the following changes:
* Added local Content-Security-Policy with script-src nonce directive
* Removed form-redirect.js and associated changes
* Renamed to FormPostRedirectStrategy
* Removed HtmlUtils usage
* Moved to same package as DefaultRedirectStrategy
FormRedirectStrategy redirects using an autosubmitting HTML form using the POST method versus DefaultRedirectStrategy which redirects using the GET method.
Can be used to implement POST binding for relying party initiated OIDC logout by setting FormRedirectStrategy as the redirection strategy on OidcClientInitiatedLogoutSuccessHandler.
Closes gh-13002
Signed-off-by: Craig Andrews <candrews@integralblue.com>
- Move to the web.authentication.session package since it is only needed
by web.authentication.session elements and does not access any other web
element itself.
- Add Kotlin support
- Add documentation
Issue gh-16206
This places the new functionality behind a setting so that
we can remain passive until we can change the setting in
the next major release.
Issue gh-7273
The attestation option in PublicKeyCredentialCreationOptions is a
parameter that controls whether to request attestation from the security key.
However, Spring Security Passkeys currently doesn't implement attestation verification.
Therefore, requesting attestation is unnecessary.
Specifying `direct` to request attestation may trigger browsers to
display additional privacy related dialog to users, so it is best to
avoid specifying `direct` unnecessarily.
The webauthn support previously did not pass the transports to webauthn4j.
This meant that the result of
Webauthn4jRelyingPartyOperations.registerCredential did not have any
transports either.
This commit ensures that the transports are passed to the webauth4j lib
and then returned in the result of registerCredential.
Closes gh-16084
