Added support for user profile self-service. [SDKS-3408]

Added support for managing registered devices.

Added support for signing-out of PingOne with an ID token. [SDKS-3423]

Improved compatibility with certain devices by implementing a fallback mechanism that uses asymmetric key generation if symmetric key generation in the AndroidKeyStore fails. [SDKS-3467]

Fixed an issue that caused duplicate PUSH notifications in the Authenticator module. [SDKS-3533]

Added support for Android 15. [SDKS-3098]

Added the ability to customize how the SDK stores tokens and data. [SDKS-3378]

Added support for Android App Links that use the http/https scheme for redirect URIs in centralized login apps. [SDKS-3433]

Added support for the PingOne Protect Marketplace nodes. [SDKS-3297]

Exposed the realm and success URL values within SSOToken. [SDKS-3351]

Added client-side support for the upcoming ReCaptchaEnterpriseCallback callback. [SDKS-2499]

Updated the SDK to ignore any type 4 TextOutputCallback callbacks, as these contain JavaScript that Android cannot execute. [SDKS-3227]

Fixed a potential ServiceConnection leak in CustomTabManager. [SDKS-3346]

Added support for signing off from PingOne to the centralized login flow. [SDKS-3020]

Added the ability to dynamically configure the SDK by collecting values from the server’s OpenID Connect .well-known endpoint. [SDKS-3022]

Resolved security vulnerability warnings related to the commons-io-2.6.jar and bcprov-jdk15on-1.68.jar libraries. [SDKS-3072, SDKS-3073]

Fixed a NullPointerException in the centralized login flow. [SDKS-3079]

Improved multi-threaded performance when caching access tokens. [SDKS-3104]

Synchronized the encryption and decryption block to avoid keystore crashes. [SDKS-3199]

Fixed an issue related to handling HiddenValueCallback if isMinifyEnabled is set to true. [SDKS-3201]

Fixed an issue where device binding using an application PIN was failing when Arabic language was used. [SDKS-3221]

Fixed an issue where browser sessions were not properly signed out when a non-default browser was used in centralized login. [SDKS-3276]

Fixed an unexpected behavior in the authentication flow caused by AppAuthConfiguration settings being ignored during centralized login. [SDKS-3277]

Fixed the FRUser.revokeAccessToken() method to not end the user’s session during the centralized login flow. [SDKS-3282]

Added a new module for integration with PingOne Protect. [SDKS-2900]

Added support for the TextInput callback. [SDKS-545]

Added an interface for customizing the biometric UI prompts when device binding or signing. [SDKS-2991]

Added x-requested-with: forgerock-sdk and x-requested-platform: android immutable HTTP headers to each outgoing request. [SDKS-3033]

Addressed a null pointer exception during centralized login by using ActivityResultContract in place of the deprecated onActivityResult method. [SDKS-3079]

Addressed nimbus-jose-jwt:9.25 library security vulnerability (CVE-2023-52428). [SDKS-2988]

Fixed an issue where the SDK crashes during device binding on Android 9 devices. [SDKS-2948]

Added ability to customize cookie headers in outgoing requests from the SDK. [SDKS-2780]

Added ability to add custom claims when verifying signatures from bound devices. [SDKS-2787]

Added client-side support for the upcoming AppIntegrity callback. [SDKS-2631]

The SDK now uses auth-per-use keys for Device Binding. [SDKS-2797]

Improved handling of WebAuthn cancellations. [SDKS-2819]

The forgerock_url, forgerock_realm, and forgerock_cookie_name parameters are now mandatory when dynamically configuring the SDK. [SDKS-2782]

Addressed woodstox-core:6.2.4 library security vulnerability CVE-2022-40152. [SDKS-2751]

Added Gradle 8 and JDK 17 support. [SDKS-2451]

Added Android 14 support. [SDKS-2636]

Added verification of key pairs during device binding enrollment by using Google Key Attestation. [SDKS-2412]

Added issued at (iat) and not before (nbf) claims to JSON Web tokens used for device binding and signing verification. [SDKS-2747]

Added support for interceptors in the authenticator module. [SDKS-2544]

Added an interface for refreshing access tokens. [SDKS-2567]

Added support for policy advice from IG in JSON format. [SDKS-2240]

Fixed an issue with parsing the issuer value in the URI provided by the combined MFA registration node. [SDKS-2542]

Added an error message about duplicated accounts while using the combined MFA registration node. [SDKS-2627]

Fixed an issue that caused loss of WebAuthn credentials when upgrading the SDK from 4.0.0-beta4 to newer versions. [SDKS-2576]

Upgraded the Google Fido client to support Passkeys. [SDKS-2243]

Added the FRWebAuthn interface to remove WebAuthn reference keys. [SDKS-2272]

Added an interface to specify a device name during WebAuthn registration. [SDKS-2296]

Added DeviceBinding callback support. [SDKS-1747]

Added DeviceSigningVerifier callback support. [SDKS-2022]

Added support for combined MFA registration in the Authenticator SDK. [SDKS-1972]

Added support for enforcing policies in the Authenticator SDK. [SDKS-2166]

Fixed WebAuthn authentication on devices that use a full-screen biometric prompt. [SDKS-2340]

Fixed functionality of the NetworkCollector method. [SDKS-2445]

Removed support for native single sign-on (SSO).

Changed the signature for a number of methods.

Dynamic SDK Configuration. [SDKS-1759]

Android 13 support. [SDKS-1944]

Changed activity type used as parameter in PushNotification.accept. [SDKS-1968]

Updated deserialization of objects to use a class allowlist to prevent access to untrusted data. [SDKS-1818]

Updated the Authenticator module and sample app to handle the new POST_NOTIFICATIONS permission in Android 13. [SDKS-2033]

Fixed an issue where the DefaultTokenManager was not caching the AccessToken in memory upon retrieval from Shared Preferences. [SDKS-2066]

Deprecated the forgerock_enable_cookie configuration. [SDKS-2069]

Align forgerock_logout_endpoint configuration name with the Ping SDK for iOS. [SDKS-2085]

Allow leading slash on custom endpoint path. [SDKS-2074]

Fixed bug where the state parameter value was not being verified upon calling the Authorize endpoint. [SDKS-2078]

Updated the version of the com.squareup.okhttp3 library in the SDK to 4.10.0 [SDKS-1957]

Interface for log management [SDKS-1864]

Support SSL pinning [SDKS-80]

Restore session token when it is out of sync with the session token that bound with the access token [SDKS-1664]

Session token should be included in the header instead of request parameter for /authorize endpoint [SDKS-1670]

Support to broadcast logout event to clear application tokens when user logout the app [SDKS-1663]

Obtain timestamp from new PushNotification payload [SDKS-1666]

Add new payload attributes to the PushNotification [SDKS-1776]

Allow processing of push notifications without device token [SDKS-1844]

Dispose AuthorizationService when no longer required [SDKS-1636]

Authenticator sample app crash after scanning push mechanism [SDKS-1454]

Google Sign-In Security Enhancement.

Fix for WebAuthn Registration & Authentication prompt.

Disable native SSO when the SDK fails to access the Android AccountManager.

Support for Android 12.

Unlocked device is not required for data decryption.

Introduced FRLifecycle interface and exposed interfaces to allow custom native SSO implementation.

Added support for user profile self-service. [SDKS-3409]

Added support for managing registered devices.

Added support for signing-out of PingOne with an ID token. [SDKS-3424]

Updated jailbreak detectors to reduce false-positive detections. [SDKS-3693]

Fixed an issue that caused duplicate PUSH notifications in the Authenticator module. [SDKS-3533]

Added support for the PingOne Protect Marketplace nodes. [SDKS-3296]

Exposed the realm, success URL, and failure URL values within Token. [SDKS-3352]

Added client-side support for the upcoming ReCaptchaEnterpriseCallback callback. [SDKS-3324]

Added support for Device Binding in iOS simulators, by setting Authentication Type in the Device Binding node to None.

Updated the SDK to skip any type 4 TextOutputCallback callbacks, as these contain JavaScript that iOS cannot execute. [SDKS-3226]

Made PolicyAdviceCreator public. [SDKS-3349]

Fixed missing UIKit import issue for SPM. [SDKS-3348]

Fixed an issued preventing SSL pinning from working with root certificates. [SDKS-3334]

Fixed a build failure because FRCore.swiftmodule is not built for arm64. [SDKS-3347]

Added support for signing off from PingOne when using the centralized login flow with OAuth 2.0. [SDKS-3021]

Added the ability to dynamically configure the SDK by collecting values from the server’s OpenID Connect .well-known endpoint. [SDKS-3023]

Fixed issue causing SSL pinning configuration to be ignored in FRURLProtocol class. [SDKS-3239]

Removed scope validation from AccessToken initialization. [SDKS-3305]

Added privacy manifest files to Ping SDK for iOS modules. [SDKS-3086]

Updated PingOne Signals (Protect) SDK to version 5.2.3. [SDKS-3086]

Updated Google SDK to version 7.1.0. [SDKS-3086]

Removed storage field from the HardwareCollector class. [SDKS-3086]

Added a new module for integration with PingOne Protect. [SDKS-2901]

Prevented the operation of device binding and signing features on simulators. [SDKS-2995]

Added client-side support for the upcoming AppIntegrity callback. [SDKS-2630/SDKS-2761]

Added a new ephemeralAuthSession browser type for iOS13 and later. [SDKS-2707]

Added iat and nbf claims to the device binding JWS payload. [SDKS-2748]

Added ability to insert custom claims when performing device signing verification. [SDKS-2788]

Fixed an issue where the issuer parameter was not properly parsed when using PingAM 7.2.x. [SDKS-2653]

Fixed an issue related to inadequate cache control. [SDKS-2700]

Fixed an issue when the sfViewController setting in centralized login had entersReaderIfAvailable set to true. [SDKS-2746]

Fixed an issue with the device profile collector that affected phones with multiple sim cards in iOS 16.3 and earlier. [SDKS-2776]

Fixed an issue with device binding API access levels. [SDKS-2886]

Fixed an issue with removing a userkey from the local device repo. [SDKS-2887]

Updated the detection of Jailbreak status. [SDKS-2796]

Improved unit and end-to-end tests. [SDKS-2637]

Added support for interceptors in the authenticator module. [SDKS-2545]

Added support for mfauth deep links in the authenticator sample app. [SDKS-2524]

Added an interface for refreshing access tokens. [SDKS-2563]

Added support for policy advice from IG in JSON format. [SDKS-2239]

Fixed an issue with parsing the issuer value in the URI provided by the combined MFA registration node. [SDKS-2542]

Added an error message about duplicated accounts while using the combined MFA registration node. [SDKS-2627]

Added support for Passkeys. [SDKS-2140]

Added DeviceBinding callback support. [SDKS-1748]

Added DeviceSigningVerifier callback support. [SDKS-2023]

Added support for combined MFA registration in the Authenticator SDK. [SDKS-1972]

Added support for enforcing policies in the Authenticator SDK. [SDKS-2166]

Added an interface for listing and deleting WebAuthn credentials from the device. [SDKS-2279]

Added an interface to specify a device name during WebAuthn registration. [SDKS-2297]

Added a SwiftUI quick start example. [SDKS-2405]

Added error message description to the WebAuthnError enum. [SDKS-2226]

Updated the order of presenting the registered WebAuthN keys on the device. [SDKS-2251]

Updated Facebook SDK version to 16.0.1. [SDKS-1839]

Updated Google SDK version to 7.0.0. [SDKS-2426]

Changed the signature for a number of methods.

Updated legacy encryption algorithm used for generation of cryptographic keys stored in Secure Enclave [SDKS-1994]

Fixed an issue related to push notifications timeout [SDKS-2164]

Fixed an unexpected error occurring during the decoding of some push notifications [SDKS-2199]

Dynamic SDK Configuration [SDKS-1760]

iOS 16 Support [SDKS-1932]

Fixed build errors on Xcode 14 [SDKS-2073]

Fixed bug where the state parameter value was not verified upon calling the Authorize endpoint [SDKS-2077]

Interface for log management [SDKS-1863]

Fixed memory leak in the NetworkCollector class [SDKS-1931]

Add PushType.biometric support and BiometricAuthentication class for biometric authentication. Updated sample app to handle new Push types [SDKS-1865]

Fixed the bug when refreshing the access token we return the old token [SDKS-1824]

Fixed bug when multiple threads are trying to access the same resource in the deviceCollector and ProfileCollector [SDKS-1912]

SSL pinning support [SDKS-1627]

Obtain timestamp from new push notification payload [SDKS-1665]

Add new payload attributes in the push notification [SDKS-1775]

Apple Sign In enhancements to get user profile info [SDKS-1632]

Remove "Accept: application/x-www-form-urlencoded" header from /authorize endpoint for GET requests [SDKS-1729]

Remove iPlanetDirectoryPro (or session cookie name) from the query parameter, and inject it into the header instead [SDKS-1708]

Fix issue when expired push notification displayed as "Approved" in the notification history list [SDKS-1491]

Fix issues with registering TOTP accounts with invalid period [SDKS-1405]

Updated GoogleSignIn library to the latest version 6.1.0.

FRGoogleSignIn is now available through SPM.

Added custom implementation for HTTPCookie for iOS 11+ devices, to support NSSecureCoding for storing cookies.

Changed all instances of Archiving/Unarchiving to use NSSecureCoding.

SecuredKey initializer now supports passing a Keychain accessibility flag.

SecuredKey now has the same default Keychain accessibility flag as the KeychainService ".afterFirstUnlock".

Fixed an issue where the MetadataCallback was overriding the stage property of a node.

Fixed an issue which was affecting the centralized login feature.

Various bug fixes and enhancements for the Authenticator SDK.

Added a device client module to manage registered devices.

Prioritized displayName field over userName when saving a WebAuthn or passkey to an account. Previously the SDK displayed a UUID for saved credentials rather than the user’s name.

Added centralized login support for PingFederate servers. [SDKS-3250]

Added client-side support for the upcoming ReCaptchaEnterpriseCallback callback. [SDKS-3326]

Added support for the PingOne Protect Marketplace nodes. [SDKS-3298]

Refactored authorize URL utilities for upcoming DaVinci module. [SDKS-3183]

Updated allowed message list to include PingFederate "requires consent" response. [SDKS-3478]

Changed the PKCE utility to return a storage function.

Added a logoutRedirectUri parameter to the FRUser.logout() method.

Added a platformHeader configuration property to control whether the SDK adds the X-Requested-Platform header to all outgoing connections.

Updated the embedded PingOne Signals (Protect) SDK to the latest version.

Updated the SDK to import the PingOne Signals (Protect) SDK dynamically and start it with a method call rather than on load.

Updated the build system to use Vite.

Wrapped the PingOne Signals (Protect) SDK to protect it from being called when running server-side.

Added a new module for integration with PingOne Protect. [SDKS-2902]

Added the ability to include the supplied device name when displaying recovery codes. [SDKS-2536]

Added the ability to use the OpenID Connect .well-known endpoint to override the default path configuration. [SDKS-2966]

Added StepOptions type to the public API.

Fixed a naming collision when using sessionStorage for tokens, state, and PKCE data and performing centralized login. [SDKS-2945]

Added ability to override default prefix string given to storage keys.

Added an FRQRCode utility class to determine if a step has a QR code and handle the data to display.

Fixed undefined main and module fields in package.json.

Added a logLevel configuration property to specify the level of logging the SDK performs.

Added a customLogger configuration property to specify a replacement for the native console.log that the SDK uses by default.

Added support in preparation for upcoming Token Vault.

Fixed an issue with the getTokens() method failing if no parameters are provided and you perform certain down-leveling of code in the build process.

Added support in the HTTPClient for receiving transactional authorization advice in JSON format.

Improved types when using strict mode with TypeScript.

Added the ability to provide a device name when registering WebAuthN devices.

Updated ESModule (ESM) bundle.

Updated tags in the GitHub repo to be prefixed with the package name. For example, javascript-sdk-${tag}.

Inserted a prompt=none parameter into OAuth 2.0 calls to the /authorize endpoint to prevent console error about frames.

No longer provides Universal Module Definition (UMD) support

Updated Policy types

Removed duplicate modules

JavaScript support configuration property deprecated.

Fixed HTTP headers by capitalizing all header names

Added support for TextInput callback

Updated device profile collection code:

Added Angular sample app.

Added token threshold feature.

Added support for additional PingOne Form fields. [SDKS-3649]

Added an external-idp module to support social sign on with supported external IDPs by using browser redirects. [SDKS-3662]

Added Accept-Language header to support localization. [SDKS-3622]

Added ability to validate PingOne Form fields. [SDKS-3649]

Added support for default values in PingOne Form fields. [SDKS-3649]

Added an interface to access ErrorNode and validation errors. [SDKS-3649]

Added a browser module. [SDKS-3662]

Added dynamic environment switching in the test sample app. [SDKS-3642]

Fixed an issue affecting the global logger when configuring a logger in DaVinci client configuration. [SDKS-3616]

Added support for additional PingOne Form fields. [SDKS-3671, SDKS-3672]

Added an external-idp module to support social sign on with supported external IDPs by using browser redirects. [SDKS-3720, SDKS-3920]

Added Accept-Language header to support localization. [SDKS-3623]

Added ability to validate PingOne Form fields. [SDKS-3671, SDKS-3672]

Added support for default values in PingOne Form fields. [SDKS-3674]

Added a PingBrowser module. [SDKS-3920]

Added Swift 6 support. [SDKS-3728]

Added support for additional PingOne Form fields.

Added support for social sign on with supported external IDPs.

Added the ability to call start with query parameters which the DaVinci client appends to the /authorize call.

Added request middleware to amend outgoing HTTP requests, for example to override Accept-Language headers.

Added ability to validate PingOne Form fields.

Added support for default values in PingOne Form fields.

Updated dependency on @forgerock/javascript-sdk to 4.7.0.

Updated error node to now be submittable to help the app recover from an error state.

Updated the checks to determine what node state the DaVinci Client is in based on the response from PingOne.

Initial release of the DaVinci client, for Android, iOS and JavaScript.

Added support for integration with PingOne Protect.

Added the name of the device to the recovery codes page.

Corrected an issue that prevented use of the logLevel parameter in the Ping (ForgeRock) Login Widget configuration.

Fixed an issue with configuration literals that caused ZodError messages in the console.

Support for CAPTCHA nodes.

Support for device profiling callbacks (DeviceProfileCallback)

Support for web authentication (WebAuthn) journeys and trees.

First public release

Added a requirement to declare a list of URLs in the Token Vault Proxy configuration. These generate an allowlist of origins to which the proxy can forward requests.

Initial release of Token Vault.