Hello, this is my first issue — I’m not even sure if it’s entirely correct, so please feel free to be harsh.
I’m using Spring Boot and trying to implement Passkey authentication.
Spring Boot version: 3.5.6
webauthn4j version: 2.7.0
Brave version: 1.83.118 Chromium: 141.0.7390.108
Client browser: Brave
I’ve encountered a problem while configuring the Registration Ceremony, specifically in step 2: "Send registration parameters to the client and call navigator.credentials.create()".
I’m using a mostly default configuration, and the issue I found is that the PublicKeyCredentialCreationOptions object returned to the client is, by default, serialized by Jackson with all null values included.
This means the response body looks like this:
```json
{
  "rp": {
    "name": "Example Application",
    "id": "localhost"
  },
  "user": {
    "name": "adsa",
    "displayName": "adsa",
    "id": "AAAAEA"
  },
  "challenge": "ZamQn4dZpY9Gq0NJhkC6Dr-jocQteoVdLnVEC3fQy1o",
  "pubKeyCredParams": [
    { "alg": -7, "type": "public-key" },
    { "alg": -8, "type": "public-key" },
    { "alg": -35, "type": "public-key" },
    { "alg": -36, "type": "public-key" },
    { "alg": -257, "type": "public-key" },
    { "alg": -258, "type": "public-key" },
    { "alg": -259, "type": "public-key" }
  ],
  "timeout": null,
  "hints": [],
  "excludeCredentials": [],
  "authenticatorSelection": null,
  "attestation": "none",
  "extensions": {
    "appidExclude": null,
    "credProps": true,
    "credentialProtectionPolicy": null,
    "enforceCredentialProtectionPolicy": null,
    "largeBlob": null,
    "prf": null,
    "uvm": null
  }
}
```
When calling navigator.credentials.create(BODY), it fails with the following error:
The appidExclude extension value is neither empty/null nor a valid URL.
If I remove the extensions field client-side, other null values cause different issues.
I was able to fix this by adding the following property to my configuration:
spring.jackson.default-property-inclusion=NON_ABSENT
However, this setting is global, so it affects all JSON serialization in my application.
I would prefer to configure this behavior only for this dependency (or for the specific data classes used in the Passkey registration flow).
I’m sorry if this is the default behavior, or if I’m misunderstanding something, but I thought it might be useful to share in case others run into the same problem.
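A client-side way to handle the response body shown in this issue, as an added example that is not part of the original post and is not webauthn4j or Spring code: it removes every null member recursively (not only `extensions`) and decodes the base64url fields before the options reach `navigator.credentials.create()`. The function names `pruneNulls`, `base64urlToBytes` and `toCreationOptions` are hypothetical, and the sketch assumes `challenge`, `user.id` and any `excludeCredentials[].id` arrive base64url-encoded as in the body above.

```javascript
// Added example; `served` is a constructed sample modelled on the body above.

// Recursively drop object members whose value is null; array elements are kept.
function pruneNulls(value) {
  if (Array.isArray(value)) return value.map(pruneNulls);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [key, member] of Object.entries(value)) {
      if (member !== null) out[key] = pruneNulls(member);
    }
    return out;
  }
  return value;
}

// Decode unpadded base64url into the bytes WebAuthn expects as a BufferSource.
function base64urlToBytes(text) {
  const base64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

// Build the `publicKey` value for navigator.credentials.create().
function toCreationOptions(json) {
  const options = pruneNulls(json);
  options.challenge = base64urlToBytes(options.challenge);
  options.user.id = base64urlToBytes(options.user.id);
  options.excludeCredentials = (options.excludeCredentials || []).map(
    (cred) => ({ ...cred, id: base64urlToBytes(cred.id) })
  );
  return options;
}

const served = {
  rp: { name: "Example Application", id: "localhost" },
  user: { name: "adsa", displayName: "adsa", id: "AAAAEA" },
  challenge: "ZamQn4dZpY9Gq0NJhkC6Dr-jocQteoVdLnVEC3fQy1o",
  pubKeyCredParams: [{ alg: -7, type: "public-key" }, { alg: -257, type: "public-key" }],
  timeout: null,
  hints: [],
  excludeCredentials: [],
  authenticatorSelection: null,
  attestation: "none",
  extensions: { appidExclude: null, credProps: true, prf: null, uvm: null },
};

const publicKey = toCreationOptions(served);
// In the browser: await navigator.credentials.create({ publicKey });
console.log(Object.keys(publicKey), publicKey.extensions);
```

This leaves the server's global Jackson settings untouched; the pruning happens only on the object handed to the WebAuthn API.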