v2.7.0

Changes:

• The webauthn.helpers.options_to_json_dict helper has a new, optional bytes_encoder argument that accepts a Callable[[bytes], Any] method. This enables the use of custom encoding logic when serializing bytes values. When this argument is unspecified, bytes values will continue to be encoded into Base64URL (#257)

v2.6.0

Changes:

• The new webauthn.helpers.options_to_json_dict helper can be used to simplify registration and authentication options into a simple Dict[str, Any] value (#256)

v2.5.3

Changes:

• More X.509 validation exceptions will include the cause of the exception as reported by the third-party library handling the validation (#255)

v2.5.2

Changes:

• Update project to cryptography==44.0.2 and pyOpenSSL==25.0.0 (#250)

v2.5.1

Changes:

• Prevented "android-key" attestation tests from failing when it's after February 2nd (#244)

v2.5.0

Changes:

• A new require_user_presence argument has been added to verify_registration_response() to enable verification of WebAuthn responses generated through use of conditional create where the up bit in authData.flags will be False (#236, h/t @bschoenmaeckers)
• verify_authentication_response() has been updated to return user_verified as well to indicate whether or not the user performed user verification (#235, h/t @ggirol-rc)
• Verification of "android-key" attestation statements has been modernized in light of Android's latest observable behavior (#240)
• Verification of "android-safetynet" attestation statements now enforces the "basicIntegrity" flag instead of the "ctsProfileMatch" flag when determining device integrity (#241)
• The list of known TPM manufacturers has been updated (#242)

v2.4.0

Changes:

• An optional hints argument has been added to generate_registration_options() to specify one or more categories of authenticators for the browser to prioritize registration of. See webauthn.helpers.structs.PublicKeyCredentialHint for more information (#234)

v2.3.0

Changes:

• The minimum supported version of Python has been bumped up to Python 3.9, with ongoing testing from Python 3.9 through Python 3.13. Dependencies have been updated as well, including upgrading to cryptography==43.0.3 (#233, with thanks to @ds-cbo)

v2.2.0

Changes:

• All exceptions in webauthn.helpers.exceptions now subclass the new webauthn.helpers.exceptions.WebAuthnException base exception (#219, h/t @bschoenmaeckers)
• Support has been added for the new "smart-card" transport (#221)

v2.1.0

Changes:

• New webauthn.helpers.parse_registration_options_json() and webauthn.helpers.parse_authentication_options_json() methods have been added to help replace use of Pydantic's .parse_obj() on this library's PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions classes in projects upgrading to webauthn>=2.0.0. See Refactor Guidance below for more info (#210)
• Updated dependencies to cryptography==42.0.5 (#212)

Refactor Guidance

Taking an example from registration: imagine a py_webauthn v1.11.1 scenario in which a project using this library wanted to retrieve output from generate_registration_options(), serialized to JSON using webauthn.helpers.options_to_json() and then stored in a cache or DB, and turn it back into an instance of PublicKeyCredentialCreationOptions:

# webauthn==1.11.1
json_reg_options: dict = get_stored_registration_options(session_id)
parsed_reg_options = PublicKeyCredentialCreationOptions.parse_obj(
    json_reg_options,
)

py_webauthn v2.0.0+ removed use of Pydantic so .parse_obj() is no longer available on PublicKeyCredentialCreationOptions. It will become possible to refactor away this use of .parse_obj() with the new webauthn.helpers.parse_registration_options_json() in this release:

# webauthn==2.1.0
from webauthn.helpers import parse_registration_options_json

json_reg_options: dict = get_stored_registration_options(session_id)
parsed_reg_options: PublicKeyCredentialCreationOptions = parse_registration_options_json(
    json_reg_options,
)

This same logic applies to calls to PublicKeyCredentialRequestOptions.parse_obj() - these calls can be replaced with the new webauthn.helpers.parse_authentication_options_json() in this release as well.