privacyidea · nilsbehlen · Dec 1, 2025 · Oct 20, 2025 · Oct 28, 2025 · Oct 28, 2025
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.privacyidea</groupId>
     <artifactId>privacyidea-java-client</artifactId>
-    <version>1.4.0</version>
+    <version>1.5.0</version>
     <packaging>jar</packaging>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -83,16 +83,16 @@
             <version>4.13.2</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>com.squareup.okhttp3</groupId>
-            <artifactId>okhttp</artifactId>
-            <version>4.12.0</version>
-        </dependency>
         <dependency>
             <groupId>org.jetbrains.kotlin</groupId>
             <artifactId>kotlin-stdlib</artifactId>
             <version>1.9.0</version>
         </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>4.12.0</version>
+        </dependency>
         <dependency>
             <groupId>com.squareup.okio</groupId>
             <artifactId>okio</artifactId>

diff --git a/src/main/java/org/privacyidea/AsyncRequestCallable.java b/src/main/java/org/privacyidea/AsyncRequestCallable.java
@@ -24,6 +24,7 @@
 import okhttp3.Call;
 import okhttp3.Callback;
 import okhttp3.Response;
+import okhttp3.ResponseBody;
 import org.jetbrains.annotations.NotNull;
 
 import static org.privacyidea.PIConstants.ENDPOINT_AUTH;
@@ -76,15 +77,22 @@ public void onFailure(@NotNull Call call, @NotNull IOException e)
     @Override
     public void onResponse(@NotNull Call call, @NotNull Response response) throws IOException
     {
-        if (response.body() != null)
+        // Only response.body() is available in OkHttp; ensure it is closed and consumed only once to prevent resource leaks.
+        // The body can only be consumed once.
+        try (ResponseBody responseBody = response.body())
         {
-            String s = response.body().string();
-            if (!privacyIDEA.logExcludedEndpoints().contains(path) && !ENDPOINT_AUTH.equals(path))
+            if (responseBody != null)
             {
-                privacyIDEA.log(path + ":\n" + privacyIDEA.parser.formatJson(s));
+                String s = responseBody.string();
+                if (!privacyIDEA.logExcludedEndpoints().contains(path) && !ENDPOINT_AUTH.equals(path))
+                {
+                    privacyIDEA.log(path + " (" + response.code() + "):\n" + privacyIDEA.parser.formatJson(s));
+                }
+                callbackResult[0] = s;
             }
-            callbackResult[0] = s;
         }
-        latch.countDown();
+        finally {
+            latch.countDown();
+        }
     }
 }
diff --git a/src/main/java/org/privacyidea/JSONParser.java b/src/main/java/org/privacyidea/JSONParser.java
@@ -73,6 +73,7 @@
 import static org.privacyidea.PIConstants.TIME;
 import static org.privacyidea.PIConstants.TOKEN;
 import static org.privacyidea.PIConstants.TOKENS;
+import static org.privacyidea.PIConstants.TOKEN_TYPE_PASSKEY;
 import static org.privacyidea.PIConstants.TOKEN_TYPE_WEBAUTHN;
 import static org.privacyidea.PIConstants.TRANSACTION_ID;
 import static org.privacyidea.PIConstants.TYPE;
@@ -277,6 +278,7 @@ else if ("interactive".equals(modeFromResponse))
                                     });
             }
 
+            // Multichallenge
             JsonArray arrChallenges = detail.getAsJsonArray(MULTI_CHALLENGE);
             if (arrChallenges != null)
             {
@@ -311,6 +313,10 @@ else if ("interactive".equals(modeFromResponse))
                             webauthnSignRequests.add(webauthnSignRequest);
                         }
                     }
+                    else if (TOKEN_TYPE_PASSKEY.equals(type))
+                    {
+                        response.passkeyChallenge = challenge.toString();
-                        response.passkeyChallenge = challenge.toString();
+                        response.passkeyChallenge = challenge.getAsString();
-                        response.passkeyChallenge = challenge.toString();
+                        response.passkeyChallenge = challenge.getAsString();
+                    }
                     else
                     {
                         response.multiChallenge.add(new Challenge(serial, message, clientMode, image, transactionID, type));

diff --git a/src/main/java/org/privacyidea/PIResponse.java b/src/main/java/org/privacyidea/PIResponse.java
@@ -124,6 +124,17 @@ public String pushTransactionId() {
         return null;
     }
 
+    public boolean hasChallenges()
+    {
+        return (multiChallenge != null && !multiChallenge.isEmpty()) ||
+               isNotBlank(mergedSignRequest()) ||
+               isNotBlank(passkeyChallenge);
+    }
+
+    private boolean isNotBlank(String str) {
+        return str != null && !str.trim().isEmpty();
+    }
+
     /**
      * Get the messages of all token that require an input field (HOTP, TOTP, SMS, Email...) reduced to a single string.
      *