ForgeRock Developer Experience

SDK for Android changelog

Android SDK 4.5.0

July 12, 2024

Added

  • Added support for signing off from PingOne to the centralized login flow. [SDKS-3020]

  • Added the ability to dynamically configure the SDK by collecting values from the server’s OpenID Connect .well-known endpoint. [SDKS-3022]

Fixed

  • Resolved security vulnerability warnings related to the commons-io-2.6.jar and bcprov-jdk15on-1.68.jar libraries. [SDKS-3072, SDKS-3073]

  • Fixed a NullPointerException in the centralized login flow. [SDKS-3079]

  • Improved multi-threaded performance when caching access tokens. [SDKS-3104]

  • Synchronized the encryption and decryption block to avoid keystore crashes. [SDKS-3199]

  • Fixed an issue related to handling HiddenValueCallback if isMinifyEnabled is set to true. [SDKS-3201]

  • Fixed an issue where device binding using an application PIN was failing when the Arabic language was used. [SDKS-3221]

  • Fixed an issue where browser sessions were not properly signed out when a non-default browser was used in centralized login. [SDKS-3276]

  • Fixed an unexpected behavior in the authentication flow caused by AppAuthConfiguration settings being ignored during centralized login. [SDKS-3277]

  • Fixed the FRUser.revokeAccessToken() method to not end the user’s session during the centralized login flow. [SDKS-3282]

Android SDK 4.4.0

March 28, 2024

Added

  • Added a new module for integration with PingOne Protect. [SDKS-2900]

  • Added support for the TextInput callback. [SDKS-545]

  • Added an interface for customizing the biometric UI prompts when device binding or signing. [SDKS-2991]

  • Added x-requested-with: forgerock-sdk and x-requested-platform: android immutable HTTP headers to each outgoing request. [SDKS-3033]

Fixed

  • Addressed a null pointer exception during centralized login by using ActivityResultContract in place of the deprecated onActivityResult method. [SDKS-3079]

  • Addressed nimbus-jose-jwt:9.25 library security vulnerability (CVE-2023-52428). [SDKS-2988]

Android SDK 4.3.1

February 9, 2024

Fixed

  • Fixed an issue where the SDK crashes during device binding on Android 9 devices. [SDKS-2948]

Android SDK 4.3.0

December 28, 2023

Added

  • Added ability to customize cookie headers in outgoing requests from the SDK. [SDKS-2780]

  • Added ability to add custom claims when verifying signatures from bound devices. [SDKS-2787]

  • Added client-side support for the upcoming AppIntegrity callback. [SDKS-2631]

Updated

  • The SDK now uses auth-per-use keys for Device Binding. [SDKS-2797]

  • Improved handling of WebAuthn cancellations. [SDKS-2819]

  • The forgerock_url, forgerock_realm, and forgerock_cookie_name parameters are now mandatory when dynamically configuring the SDK. [SDKS-2782]

  • Addressed woodstox-core:6.2.4 library security vulnerability CVE-2022-40152. [SDKS-2751]

Android SDK 4.2.0

October 3, 2023

Added

  • Added Gradle 8 and JDK 17 support. [SDKS-2451]

  • Added Android 14 support. [SDKS-2636]

  • Added verification of key pairs during device binding enrollment by using Google Key Attestation. [SDKS-2412]

  • Added issued at (iat) and not before (nbf) claims to JSON Web Tokens used for device binding and signing verification. [SDKS-2747]

Android SDK 4.1.0

July 31, 2023

Added

  • Added support for interceptors in the authenticator module. [SDKS-2544]

  • Added an interface for refreshing access tokens. [SDKS-2567]

  • Added support for policy advice from IG in JSON format. [SDKS-2240]

Fixed

  • Fixed an issue with parsing the issuer value in the URI provided by the combined MFA registration node. [SDKS-2542]

  • Added an error message about duplicated accounts while using the combined MFA registration node. [SDKS-2627]

  • Fixed an issue that caused loss of WebAuthn credentials when upgrading the SDK from 4.0.0-beta4 to newer versions. [SDKS-2576]

Android SDK 4.0.0

May 30, 2023

Added

  • Upgraded the Google Fido client to support Passkeys. [SDKS-2243]

  • Added the FRWebAuthn interface to remove WebAuthn reference keys. [SDKS-2272]

  • Added an interface to specify a device name during WebAuthn registration. [SDKS-2296]

  • Added DeviceBinding callback support. [SDKS-1747]

  • Added DeviceSigningVerifier callback support. [SDKS-2022]

  • Added support for combined MFA registration in the Authenticator SDK. [SDKS-1972]

  • Added support for enforcing policies in the Authenticator SDK. [SDKS-2166]

Fixed

  • Fixed WebAuthn authentication on devices that use a full-screen biometric prompt. [SDKS-2340]

  • Fixed functionality of the NetworkCollector method. [SDKS-2445]

Incompatible changes

  • Removed support for native single sign-on (SSO).

  • Changed the signature for a number of methods.

For more information, refer to Incompatible changes.

Android SDK 3.4.0

September 29, 2022

Added

  • Dynamic SDK Configuration. [SDKS-1759]

  • Android 13 support. [SDKS-1944]

Changed

  • Changed activity type used as parameter in PushNotification.accept. [SDKS-1968]

  • Updated deserialization of objects to use a class allowlist to prevent access to untrusted data. [SDKS-1818]

  • Updated the Authenticator module and sample app to handle the new POST_NOTIFICATIONS permission in Android 13. [SDKS-2033]

  • Fixed an issue where the DefaultTokenManager was not caching the AccessToken in memory upon retrieval from Shared Preferences. [SDKS-2066]

  • Deprecated the forgerock_enable_cookie configuration. [SDKS-2069]

  • Aligned the forgerock_logout_endpoint configuration name with the ForgeRock SDK for iOS. [SDKS-2085]

  • Allowed a leading slash on the custom endpoint path. [SDKS-2074]

  • Fixed a bug where the state parameter value was not being verified upon calling the Authorize endpoint. [SDKS-2078]

Android SDK 3.3.3

June 22, 2022

Changed

  • Updated the version of the com.squareup.okhttp3 library in the SDK to 4.10.0. [SDKS-1957]

Android SDK 3.3.2

June 21, 2022

Added

  • Interface for log management [SDKS-1864]

Android SDK 3.3.0

May 18, 2022

Added

  • Support SSL pinning [SDKS-80]

  • Restore session token when it is out of sync with the session token that is bound to the access token [SDKS-1664]

  • Session token should be included in the header instead of a request parameter for the /authorize endpoint [SDKS-1670]

  • Support for broadcasting a logout event to clear application tokens when the user logs out of the app [SDKS-1663]

  • Obtain timestamp from new PushNotification payload [SDKS-1666]

  • Add new payload attributes to the PushNotification [SDKS-1776]

  • Allow processing of push notifications without device token [SDKS-1844]

Fixed

  • Dispose AuthorizationService when no longer required [SDKS-1636]

  • Authenticator sample app crash after scanning push mechanism [SDKS-1454]

Android SDK 3.2.0

January 26, 2022

Features

  • Google Sign-In Security Enhancement.

  • Fix for WebAuthn Registration & Authentication prompt.

Android SDK 3.1.2

October 28, 2021

Features

  • Disable native SSO when the SDK fails to access the Android AccountManager.

Android SDK 3.1.1

September 09, 2021

Features

  • Support for Android 12.

  • Unlocked device is not required for data decryption.

  • Introduced FRLifecycle interface and exposed interfaces to allow custom native SSO implementation.