Developer Experience changelog

Updated the GoogleSignIn library from 7.1.0 to 9.0.0.

Fixed an object deserialization issue.

Fixed missing stage, header, and description fields in callback requests.

Aligns the PingOneProtectInitalizeCallback with PingOne Protect Initialization Node.

Fixed an issue with bad export syntax in package.json.

Removed a shared array buffer type from the WebAuthn ParsedCredentials object.

Added support for PingOne Protect, by using the new PingProtect module. [SDKS-4069]

Added support for Android 16 and updated compileSdk to version 36 and minSdk to 29. [SDKS-4278]

Enhanced form handling in the DaVinci SDK to automatically reset form values after submission. [SDKS-4511]

Improved SDK storage configuration to simplify overrides. [SDKS-4109]

Enhanced Storage module with cache strategy support. [SDKS-4112]

Refactored logger initialization for session and cookie configurations. [SDKS-4358]

Updated PhoneNumberCollector to support new JSON format. [SDKS-4198]

Upgraded datastore library to version 1.1.7. [SDKS-4207]

Added support for the Ping Protect collector

Added support for pre-filled phone number and country code

Updated all targets to use the Swift 6 compiler. [SDKS-4499]

Fixed an issue in the PingProtect module causing a crash on iOS 17+ due to an incorrect actor executor assumption. [SDKS-4494]

Added support for PingOne Protect, by using the new PingProtect module. [SDKS-4073]

Updated to handle the country code format in the PhoneNumber collector. [SDKS-4199]

Redesigned and improved the PingExample app. [SDKS-4104]

Reverted the minimum support API level (minSdk) back to 23 from 28. [SDKS-4409]

Changed the default option for key generation to not use StrongBox. [SDKS-4420]

Resolved a crash on some devices by improving error handling of date fields and adding a fallback when retrieving a push device token. [SDKS-4392]

Added support for iOS 26 and Xcode 26

Renamed the Data extension bytes property to bytesArray to avoid Xcode 26 issues. [SDKS-4299]

Removed redundant completion call when using ASWebAuthentication. [SDKS-4345]

Updated Token Manager to revoke mismatched SSO sessions before storing a new token and then fetching a fresh access token. [SDKS-4349]

Fixed DeviceProfileCallback response structure on iOS to match the Ping SDK for Android behavior, preventing Device Match Node failures. [SDKS-4228]

Added support for Android 16 (API level 36) and updated the minimum support API level (minSdk) to 28. [SDKS-4278]

Updated the component used for root detection to be compliant with Google’s mandatory 16KB page size requirement, which comes into effect on 1st November, 2025. [SDKS-4163]

Updated the Ping SDK for Android to use okhttp3 version 5.1.0. [SDKS-4214]

Enhanced biometric authentication error handling to provide more detailed information to developers when biometric authentication fails. [SDKS-4272]

Updated the logic for handling expiration of push notification messages to match the Ping SDK for iOS, to ensure consistent cross-platform behavior. [SDKS-4286]

Updated bcpkix-jdk15on 1.58.0.0 to bcpkix-jdk18on 1.81. [SDKS-4298]

Updated nimbus-jose-jwt from 9.37.3 to 10.4.1. [SDKS-4298]

Updated security-crypto from 1.1.0-alpha to 1.1.0, and enforced com.google.code.gson version 2.13.1 to address potential stack-based buffer overflow vulnerabilities (CVE-2025-53864, CWE-121). [SDKS-4316]

Fixed a crash when a device is only configured for face unlock but not fingerprint-based biometrics. [SDKS-4190]

Fixed an exception when corrupted data is found in storage. The Ping SDK for Android now automatically clears corrupted data from storage, and explicitly uses UTF-8 encoding when saving and loading strings from storage. This helps ensure data consistency. [SDKS-4307]

Fixed the conditions for determining a session endpoint request when terminating Advanced Identity Cloud and PingAM sessions.

Added support for native social login with Google and Facebook. [SDKS-3449]

Added support for PingOne Forms one-time passcode (MFA) components DEVICE_REGISTRATION, DEVICE_AUTHENTICATION, and PHONE_NUMBER. [SDKS-3562]

Added access to the previous ContinueNode node from an ErrorNode. [SDKS-3890]

Added access to the key attribute of LabelCollector. [SDKS-3957]

Added support for StrongBox when generating keys. [SDKS-4098]

Added support for native social login with Apple, Google, and Facebook. [SDKS-3450]

Added support for PingOne Forms one-time passcode (MFA) components DEVICE_REGISTRATION, DEVICE_AUTHENTICATION, and PHONE_NUMBER. [SDKS-3563]

Added access to the previous ContinueNode node from an ErrorNode. [SDKS-3891]

Added access to the key attribute of LabelCollector. [SDKS-3956]

Resolved an issue where cookies were incorrectly cleared from in-memory storage when requests contain a Set-Cookie header [SDKS-4189]

Renamed the PingExternal-idp module to PingExternalIdP. [SDKS-3958]

Added support for PingOne Forms one-time passcode (MFA) components DEVICE_REGISTRATION, DEVICE_AUTHENTICATION, and PHONE_NUMBER.

Added caching for KeyStore, Cipher, and Symmetric Key encryption and decryption, improving performance. [SDKS-4090]

Added a strongBoxPreferred=false parameter to allow conditional use of StrongBox for key storage. [SDKS-4090]

Added support for returning WebAuthn authenticator information in the updated WebAuthn authentication and registration callbacks introduced in PingAM and PingOne Advanced Identity Cloud. [SDKS-3843]

Added the ability to update the Firebase Cloud Messaging (FCM) device token for existing devices registered for push notifications. [SDKS-3684]

Improved logging for errors and warning exceptions. [SDKS-3990]

Fixed an issue causing a crash when the killing the app process in the background during the OIDC (centralized login) flow. [SDKS-3993]

Added the ability to update the Apple Push Notification Service (APNs) device token for existing devices registered for push notifications. [SDKS-3684]

Added support for returning WebAuthn authenticator information in the updated WebAuthn authentication and registration callbacks introduced in PingAM and PingOne Advanced Identity Cloud. [SDKS-3842]

Upgraded ReCAPTCHA Enterprise to version 18.7.0 (from 18.6.0) [SDKS-3927]

Resolved an issue where updating device biometrics didn’t enforce device re-binding as expected. [SDKS-3963]

Corrected the missing PingProtect scheme. [SDKS-3856]

Resolved a race condition in the device network collector that prevented NetworkReachabilityMonitor from completing. [SDKS-3827]

Added a flag to skip immediately to the OAuth 2.0 flow rather than attempting to get tokens without redirecting. [SDKS-3866]

Added support for signing out of PingOne by using an ID token. [SDKS-3757]

Removed an unneeded call to the /session endpoint. [SDKS-3757]

Added support for additional PingOne Form fields. [SDKS-3649]

Added an external-idp module to support social sign on with supported external IDPs by using browser redirects. [SDKS-3662]

Added Accept-Language header to support localization. [SDKS-3622]

Added ability to validate PingOne Form fields. [SDKS-3649]

Added support for default values in PingOne Form fields. [SDKS-3649]

Added an interface to access ErrorNode and validation errors. [SDKS-3649]

Added a browser module. [SDKS-3662]

Added dynamic environment switching in the test sample app. [SDKS-3642]

Fixed an issue affecting the global logger when configuring a logger in DaVinci client configuration. [SDKS-3616]

Added support for additional PingOne Form fields. [SDKS-3671, SDKS-3672]

Added an external-idp module to support social sign on with supported external IDPs by using browser redirects. [SDKS-3720, SDKS-3920]

Added Accept-Language header to support localization. [SDKS-3623]

Added ability to validate PingOne Form fields. [SDKS-3671, SDKS-3672]

Added support for default values in PingOne Form fields. [SDKS-3674]

Added a PingBrowser module. [SDKS-3920]

Added Swift 6 support. [SDKS-3728]

Added support for additional PingOne Form fields.

Added support for social sign on with supported external IDPs.

Added the ability to call start with query parameters which the DaVinci client appends to the /authorize call.

Added request middleware to amend outgoing HTTP requests, for example to override Accept-Language headers.

Added ability to validate PingOne Form fields.

Added support for default values in PingOne Form fields.

Updated dependency on @forgerock/javascript-sdk to 4.7.0.

Updated error node to now be submittable to help the app recover from an error state.

Updated the checks to determine what node state the DaVinci Client is in based on the response from PingOne.

Added support for user profile self-service. [SDKS-3409]

Added support for managing registered devices.

Added support for signing-out of PingOne with an ID token. [SDKS-3424]

Updated jailbreak detectors to reduce false-positive detections. [SDKS-3693]

Fixed an issue that caused duplicate PUSH notifications in the Authenticator module. [SDKS-3533]

Added support for user profile self-service. [SDKS-3408]

Added support for managing registered devices.

Added support for signing-out of PingOne with an ID token. [SDKS-3423]

Improved compatibility with certain devices by implementing a fallback mechanism that uses asymmetric key generation if symmetric key generation in the AndroidKeyStore fails. [SDKS-3467]

Fixed an issue that caused duplicate PUSH notifications in the Authenticator module. [SDKS-3533]

Added a device client module to manage registered devices.

Prioritized displayName field over userName when saving a WebAuthn or passkey to an account. Previously the SDK displayed a UUID for saved credentials rather than the user’s name. [SDKS-3473]

Initial release of the DaVinci client, for Android, iOS and JavaScript.

Added support for Android 15. [SDKS-3098]

Added the ability to customize how the SDK stores tokens and data. [SDKS-3378]

Added support for Android App Links that use the http/https scheme for redirect URIs in centralized login apps. [SDKS-3433]

Added support for the PingOne Protect Marketplace nodes. [SDKS-3297]

Exposed the realm and success URL values within SSOToken. [SDKS-3351]

Added client-side support for the upcoming ReCaptchaEnterpriseCallback callback. [SDKS-2499]

Updated the SDK to ignore any type 4 TextOutputCallback callbacks, as these contain JavaScript that Android cannot execute. [SDKS-3227]

Fixed a potential ServiceConnection leak in CustomTabManager. [SDKS-3346]

Added support for the PingOne Protect Marketplace nodes. [SDKS-3296]

Exposed the realm, success URL, and failure URL values within Token. [SDKS-3352]

Added client-side support for the upcoming ReCaptchaEnterpriseCallback callback. [SDKS-3324]

Added support for Device Binding in iOS simulators, by setting Authentication Type in the Device Binding node to None.

Updated the SDK to skip any type 4 TextOutputCallback callbacks, as these contain JavaScript that iOS cannot execute. [SDKS-3226]

Made PolicyAdviceCreator public. [SDKS-3349]

Fixed missing UIKit import issue for SPM. [SDKS-3348]

Fixed an issued preventing SSL pinning from working with root certificates. [SDKS-3334]

Fixed a build failure because FRCore.swiftmodule is not built for arm64. [SDKS-3347]

Added centralized login support for PingFederate servers. [SDKS-3250]

Added client-side support for the upcoming ReCaptchaEnterpriseCallback callback. [SDKS-3326]

Added support for the PingOne Protect Marketplace nodes. [SDKS-3298]

Refactored authorize URL utilities for upcoming DaVinci module. [SDKS-3183]

Updated allowed message list to include PingFederate "requires consent" response. [SDKS-3478]

Changed the PKCE utility to return a storage function.

Added support for signing off from PingOne when using the centralized login flow with OAuth 2.0. [SDKS-3021]

Added the ability to dynamically configure the SDK by collecting values from the server’s OpenID Connect .well-known endpoint. [SDKS-3023]

Fixed issue causing SSL pinning configuration to be ignored in FRURLProtocol class. [SDKS-3239]

Removed scope validation from AccessToken initialization. [SDKS-3305]

Added support for signing off from PingOne to the centralized login flow. [SDKS-3020]

Added the ability to dynamically configure the SDK by collecting values from the server’s OpenID Connect .well-known endpoint. [SDKS-3022]

Resolved security vulnerability warnings related to the commons-io-2.6.jar and bcprov-jdk15on-1.68.jar libraries. [SDKS-3072, SDKS-3073]

Fixed a NullPointerException in the centralized login flow. [SDKS-3079]

Improved multi-threaded performance when caching access tokens. [SDKS-3104]

Synchronized the encryption and decryption block to avoid keystore crashes. [SDKS-3199]

Fixed an issue related to handling HiddenValueCallback if isMinifyEnabled is set to true. [SDKS-3201]

Fixed an issue where device binding using an application PIN was failing when Arabic language was used. [SDKS-3221]

Fixed an issue where browser sessions were not properly signed out when a non-default browser was used in centralized login. [SDKS-3276]

Fixed an unexpected behavior in the authentication flow caused by AppAuthConfiguration settings being ignored during centralized login. [SDKS-3277]

Fixed the FRUser.revokeAccessToken() method to not end the user’s session during the centralized login flow. [SDKS-3282]

Added support for integration with PingOne Protect.

Added the name of the device to the recovery codes page.

Corrected an issue that prevented use of the logLevel parameter in the Ping (ForgeRock) Login Widget configuration.

Fixed an issue with configuration literals that caused ZodError messages in the console.

Added a logoutRedirectUri parameter to the FRUser.logout() method.

Added a platformHeader configuration property to control whether the SDK adds the X-Requested-Platform header to all outgoing connections.

Updated the embedded PingOne Signals (Protect) SDK to the latest version.

Updated the SDK to import the PingOne Signals (Protect) SDK dynamically and start it with a method call rather than on load.

Updated the build system to use Vite.

Wrapped the PingOne Signals (Protect) SDK to protect it from being called when running server-side.

Added privacy manifest files to Ping SDK for iOS modules. [SDKS-3086]

Updated PingOne Signals (Protect) SDK to version 5.2.3. [SDKS-3086]

Updated Google SDK to version 7.1.0. [SDKS-3086]

Removed storage field from the HardwareCollector class. [SDKS-3086]

Added a new module for integration with PingOne Protect. [SDKS-2901]

Prevented the operation of device binding and signing features on simulators. [SDKS-2995]

Added a new module for integration with PingOne Protect. [SDKS-2900]

Added support for the TextInput callback. [SDKS-545]

Added an interface for customizing the biometric UI prompts when device binding or signing. [SDKS-2991]

Added x-requested-with: forgerock-sdk and x-requested-platform: android immutable HTTP headers to each outgoing request. [SDKS-3033]

Addressed a null pointer exception during centralized login by using ActivityResultContract in place of the deprecated onActivityResult method. [SDKS-3079]

Addressed nimbus-jose-jwt:9.25 library security vulnerability (CVE-2023-52428). [SDKS-2988]

Added a new module for integration with PingOne Protect. [SDKS-2902]

Added the ability to include the supplied device name when displaying recovery codes. [SDKS-2536]

Added the ability to use the OpenID Connect .well-known endpoint to override the default path configuration. [SDKS-2966]

Added StepOptions type to the public API.

Fixed a naming collision when using sessionStorage for tokens, state, and PKCE data and performing centralized login. [SDKS-2945]

Fixed an issue where the SDK crashes during device binding on Android 9 devices. [SDKS-2948]

Support for CAPTCHA nodes.

Added ability to override default prefix string given to storage keys.

Added an FRQRCode utility class to determine if a step has a QR code and handle the data to display.

Fixed undefined main and module fields in package.json.

Added ability to customize cookie headers in outgoing requests from the SDK. [SDKS-2780]

Added ability to add custom claims when verifying signatures from bound devices. [SDKS-2787]

Added client-side support for the upcoming AppIntegrity callback. [SDKS-2631]

The SDK now uses auth-per-use keys for Device Binding. [SDKS-2797]

Improved handling of WebAuthn cancellations. [SDKS-2819]

The forgerock_url, forgerock_realm, and forgerock_cookie_name parameters are now mandatory when dynamically configuring the SDK. [SDKS-2782]

Addressed woodstox-core:6.2.4 library security vulnerability CVE-2022-40152. [SDKS-2751]

Added client-side support for the upcoming AppIntegrity callback. [SDKS-2630/SDKS-2761]

Added a new ephemeralAuthSession browser type for iOS13 and later. [SDKS-2707]

Added iat and nbf claims to the device binding JWS payload. [SDKS-2748]

Added ability to insert custom claims when performing device signing verification. [SDKS-2788]

Fixed an issue where the issuer parameter was not properly parsed when using PingAM 7.2.x. [SDKS-2653]

Fixed an issue related to inadequate cache control. [SDKS-2700]

Fixed an issue when the sfViewController setting in centralized login had entersReaderIfAvailable set to true. [SDKS-2746]

Fixed an issue with the device profile collector that affected phones with multiple sim cards in iOS 16.3 and earlier. [SDKS-2776]

Fixed an issue with device binding API access levels. [SDKS-2886]

Fixed an issue with removing a userkey from the local device repo. [SDKS-2887]

Updated the detection of Jailbreak status. [SDKS-2796]

Improved unit and end-to-end tests. [SDKS-2637]

Added Gradle 8 and JDK 17 support. [SDKS-2451]

Added Android 14 support. [SDKS-2636]

Added verification of key pairs during device binding enrollment by using Google Key Attestation. [SDKS-2412]

Added issued at (iat) and not before (nbf) claims to JSON Web tokens used for device binding and signing verification. [SDKS-2747]

Added a requirement to declare a list of URLs in the Token Vault Proxy configuration. These generate an allowlist of origins to which the proxy can forward requests.

Added a logLevel configuration property to specify the level of logging the SDK performs.

Added a customLogger configuration property to specify a replacement for the native console.log that the SDK uses by default.

Added support for interceptors in the authenticator module. [SDKS-2544]

Added an interface for refreshing access tokens. [SDKS-2567]

Added support for policy advice from IG in JSON format. [SDKS-2240]

Fixed an issue with parsing the issuer value in the URI provided by the combined MFA registration node. [SDKS-2542]

Added an error message about duplicated accounts while using the combined MFA registration node. [SDKS-2627]

Fixed an issue that caused loss of WebAuthn credentials when upgrading the SDK from 4.0.0-beta4 to newer versions. [SDKS-2576]

Added support for interceptors in the authenticator module. [SDKS-2545]

Added support for mfauth deep links in the authenticator sample app. [SDKS-2524]

Added an interface for refreshing access tokens. [SDKS-2563]

Added support for policy advice from IG in JSON format. [SDKS-2239]

Fixed an issue with parsing the issuer value in the URI provided by the combined MFA registration node. [SDKS-2542]

Added an error message about duplicated accounts while using the combined MFA registration node. [SDKS-2627]

Initial release of Token Vault.

Added support in preparation for upcoming Token Vault.

Fixed an issue with the getTokens() method failing if no parameters are provided and you perform certain down-leveling of code in the build process.

Support for device profiling callbacks (DeviceProfileCallback)

Support for web authentication (WebAuthn) journeys and trees.

Added support in the HTTPClient for receiving transactional authorization advice in JSON format.

Improved types when using strict mode with TypeScript.

Added support for Passkeys. [SDKS-2140]

Added DeviceBinding callback support. [SDKS-1748]

Added DeviceSigningVerifier callback support. [SDKS-2023]

Added support for combined MFA registration in the Authenticator SDK. [SDKS-1972]

Added support for enforcing policies in the Authenticator SDK. [SDKS-2166]

Added an interface for listing and deleting WebAuthn credentials from the device. [SDKS-2279]

Added an interface to specify a device name during WebAuthn registration. [SDKS-2297]

Added a SwiftUI quick start example. [SDKS-2405]

Added error message description to the WebAuthnError enum. [SDKS-2226]

Updated the order of presenting the registered WebAuthN keys on the device. [SDKS-2251]

Updated Facebook SDK version to 16.0.1. [SDKS-1839]

Updated Google SDK version to 7.0.0. [SDKS-2426]

Changed the signature for a number of methods.

Upgraded the Google Fido client to support Passkeys. [SDKS-2243]

Added the FRWebAuthn interface to remove WebAuthn reference keys. [SDKS-2272]

Added an interface to specify a device name during WebAuthn registration. [SDKS-2296]

Added DeviceBinding callback support. [SDKS-1747]

Added DeviceSigningVerifier callback support. [SDKS-2022]

Added support for combined MFA registration in the Authenticator SDK. [SDKS-1972]

Added support for enforcing policies in the Authenticator SDK. [SDKS-2166]

Fixed WebAuthn authentication on devices that use a full-screen biometric prompt. [SDKS-2340]

Fixed functionality of the NetworkCollector method. [SDKS-2445]

Removed support for native single sign-on (SSO).

Changed the signature for a number of methods.

Added the ability to provide a device name when registering WebAuthN devices.

Updated ESModule (ESM) bundle.

Updated tags in the GitHub repo to be prefixed with the package name. For example, javascript-sdk-${tag}.

Inserted a prompt=none parameter into OAuth 2.0 calls to the /authorize endpoint to prevent console error about frames.

No longer provides Universal Module Definition (UMD) support

Updated Policy types

Removed duplicate modules

JavaScript support configuration property deprecated.

First public release