From c983df74c05ae55ca462fd4c19c692df248a9857 Mon Sep 17 00:00:00 2001
From: ltanguy <loeiz.tanguy@gmail.com>
Date: Tue, 10 Jun 2025 14:56:13 +0200
Subject: [PATCH 1/5] Fix credential parameters conversion to WebAuthn4j

Replace comparison with != operator by an .equals() comparison based on text value.
The 2 objects have the same value in most setups, but not when used in conjunction with Spring Session for example, as the object in session is built for each request

Signed-off-by: ltanguy <loeiz.tanguy@gmail.com>
Signed-off-by: Loeiz TANGUY <loeiz.tanguy@gmail.com>
---
 .../webauthn/management/Webauthn4JRelyingPartyOperations.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java b/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
index e1983079fc9..a7c368ec279 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
@@ -290,7 +290,7 @@ private List<com.webauthn4j.data.PublicKeyCredentialParameters> convertCredentia
 
 	private com.webauthn4j.data.PublicKeyCredentialParameters convertParamToWebauthn4j(
 			PublicKeyCredentialParameters parameter) {
-		if (parameter.getType() != PublicKeyCredentialType.PUBLIC_KEY) {
+		if (!PublicKeyCredentialType.PUBLIC_KEY.getValue().equals(parameter.getType().getValue())) {
 			throw new IllegalArgumentException(
 					"Cannot convert unknown credential type " + parameter.getType() + " to webauthn4j");
 		}

From 55ec42edd2a222371eb61f5c6c214bed5aa042bf Mon Sep 17 00:00:00 2001
From: Loeiz TANGUY <loeiz.tanguy@gmail.com>
Date: Mon, 21 Jul 2025 14:16:57 +0200
Subject: [PATCH 2/5] Makes all classes referenced in
 PublicKeyCredentialCreationOptions serializable

Signed-off-by: Loeiz TANGUY <loeiz.tanguy@gmail.com>
---
 .../web/webauthn/api/AttestationConveyancePreference.java | 4 +++-
 .../webauthn/api/AuthenticationExtensionsClientInput.java | 4 +++-
 .../api/AuthenticationExtensionsClientInputs.java         | 3 ++-
 .../web/webauthn/api/AuthenticatorSelectionCriteria.java  | 8 +++++++-
 .../springframework/security/web/webauthn/api/Bytes.java  | 7 ++++++-
 .../web/webauthn/api/COSEAlgorithmIdentifier.java         | 8 +++++++-
 .../CredProtectAuthenticationExtensionsClientInput.java   | 8 +++++++-
 .../api/ImmutableAuthenticationExtensionsClientInput.java | 8 +++++++-
 .../ImmutableAuthenticationExtensionsClientInputs.java    | 7 ++++++-
 .../api/ImmutablePublicKeyCredentialUserEntity.java       | 8 +++++++-
 .../webauthn/api/PublicKeyCredentialCreationOptions.java  | 7 ++++++-
 .../web/webauthn/api/PublicKeyCredentialDescriptor.java   | 7 ++++++-
 .../web/webauthn/api/PublicKeyCredentialParameters.java   | 8 +++++++-
 .../web/webauthn/api/PublicKeyCredentialRpEntity.java     | 8 +++++++-
 .../web/webauthn/api/PublicKeyCredentialType.java         | 8 +++++++-
 .../web/webauthn/api/PublicKeyCredentialUserEntity.java   | 4 +++-
 .../security/web/webauthn/api/ResidentKeyRequirement.java | 8 +++++++-
 .../web/webauthn/api/UserVerificationRequirement.java     | 8 +++++++-
 .../AuthenticationExtensionsClientInputsSerializer.java   | 4 ++++
 19 files changed, 109 insertions(+), 18 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java
index 41164faf491..3960b40a3f4 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serializable;
+
 /**
  * <a href="https://www.w3.org/TR/webauthn-3/#webauthn-relying-party">WebAuthn Relying
  * Parties</a> may use <a href=
@@ -26,7 +28,7 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class AttestationConveyancePreference {
+public final class AttestationConveyancePreference implements Serializable {
 
 	/**
 	 * The <a href=
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java
index f3fb229af1b..a46dfd3b858 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serializable;
+
 /**
  * A <a href="https://www.w3.org/TR/webauthn-3/#client-extension-input">client extension
  * input</a> entry in the {@link AuthenticationExtensionsClientInputs}.
@@ -25,7 +27,7 @@
  * @since 6.4
  * @see ImmutableAuthenticationExtensionsClientInput
  */
-public interface AuthenticationExtensionsClientInput<T> {
+public interface AuthenticationExtensionsClientInput<T> extends Serializable {
 
 	/**
 	 * Gets the <a href="https://www.w3.org/TR/webauthn-3/#extension-identifier">extension
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java
index 44a26a41c12..acd9513af18 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java
@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serializable;
 import java.util.List;
 
 /**
@@ -31,7 +32,7 @@
  * @since 6.4
  * @see PublicKeyCredentialCreationOptions#getExtensions()
  */
-public interface AuthenticationExtensionsClientInputs {
+public interface AuthenticationExtensionsClientInputs extends Serializable {
 
 	/**
 	 * Gets all of the {@link AuthenticationExtensionsClientInput}.
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorSelectionCriteria.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorSelectionCriteria.java
index 6ff7c98600e..46b4b35da9a 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorSelectionCriteria.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorSelectionCriteria.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#dictdef-authenticatorselectioncriteria">AuthenticatorAttachment</a>
@@ -31,7 +34,10 @@
  * @since 6.4
  * @see PublicKeyCredentialCreationOptions#getAuthenticatorSelection()
  */
-public final class AuthenticatorSelectionCriteria {
+public final class AuthenticatorSelectionCriteria implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 6295924992300524641L;
 
 	private final AuthenticatorAttachment authenticatorAttachment;
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java b/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
index 6fbcc3596c6..816c0ce2ea4 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Base64;
@@ -28,7 +30,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class Bytes {
+public final class Bytes implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -7420539646106189663L;
 
 	private static final SecureRandom RANDOM = new SecureRandom();
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/COSEAlgorithmIdentifier.java b/web/src/main/java/org/springframework/security/web/webauthn/api/COSEAlgorithmIdentifier.java
index 0cafd9309bd..49847fa4f56 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/COSEAlgorithmIdentifier.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/COSEAlgorithmIdentifier.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#sctn-alg-identifier">COSEAlgorithmIdentifier</a> is
@@ -25,7 +28,10 @@
  * @since 6.4
  * @see PublicKeyCredentialParameters#getAlg()
  */
-public final class COSEAlgorithmIdentifier {
+public final class COSEAlgorithmIdentifier implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -7174114312834239069L;
 
 	public static final COSEAlgorithmIdentifier EdDSA = new COSEAlgorithmIdentifier(-8);
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java
index 22372717595..1342bf5f145 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * Implements <a href=
  * "https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-credProtect-extension">
@@ -25,7 +28,10 @@
  * @since 6.4
  */
 public class CredProtectAuthenticationExtensionsClientInput
-		implements AuthenticationExtensionsClientInput<CredProtectAuthenticationExtensionsClientInput.CredProtect> {
+		implements AuthenticationExtensionsClientInput<CredProtectAuthenticationExtensionsClientInput.CredProtect>, Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 1594370832009118794L;
 
 	private final CredProtect input;
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java
index eb656c3cdfb..b337660364c 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * An immutable {@link AuthenticationExtensionsClientInput}.
  *
@@ -24,7 +27,10 @@
  * @since 6.4
  * @see AuthenticationExtensionsClientInputs
  */
-public class ImmutableAuthenticationExtensionsClientInput<T> implements AuthenticationExtensionsClientInput<T> {
+public class ImmutableAuthenticationExtensionsClientInput<T> implements AuthenticationExtensionsClientInput<T>, Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -4728475902609231330L;
 
 	/**
 	 * https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java
index cef29f378a5..1a625670ea4 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
 import java.util.Arrays;
 import java.util.List;
 
@@ -25,7 +27,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public class ImmutableAuthenticationExtensionsClientInputs implements AuthenticationExtensionsClientInputs {
+public class ImmutableAuthenticationExtensionsClientInputs implements AuthenticationExtensionsClientInputs, Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -4836558379344450438L;
 
 	private final List<AuthenticationExtensionsClientInput> inputs;
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java
index 7374f8fd6e9..c89db2ed1f0 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</a>
@@ -26,7 +29,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class ImmutablePublicKeyCredentialUserEntity implements PublicKeyCredentialUserEntity {
+public final class ImmutablePublicKeyCredentialUserEntity implements PublicKeyCredentialUserEntity, Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -3487418268223398299L;
 
 	/**
 	 * When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialCreationOptions.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialCreationOptions.java
index 2bbdcb9b2b0..1ad47bdee27 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialCreationOptions.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialCreationOptions.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -32,7 +34,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class PublicKeyCredentialCreationOptions {
+public final class PublicKeyCredentialCreationOptions implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -8805501645775760774L;
 
 	private final PublicKeyCredentialRpEntity rp;
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java
index ad454814b0f..d4bb1a87dcf 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
 import java.util.Set;
 
 /**
@@ -29,7 +31,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class PublicKeyCredentialDescriptor {
+public final class PublicKeyCredentialDescriptor implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 8793385059692676240L;
 
 	private final PublicKeyCredentialType type;
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialParameters.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialParameters.java
index abb8c028330..8e7f3241ad0 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialParameters.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialParameters.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * The <a href=
  * "https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialparameters">PublicKeyCredentialParameters</a>
@@ -25,7 +28,10 @@
  * @since 6.4
  * @see PublicKeyCredentialCreationOptions#getPubKeyCredParams()
  */
-public final class PublicKeyCredentialParameters {
+public final class PublicKeyCredentialParameters implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 8471974877710173696L;
 
 	public static final PublicKeyCredentialParameters EdDSA = new PublicKeyCredentialParameters(
 			COSEAlgorithmIdentifier.EdDSA);
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRpEntity.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRpEntity.java
index d8e7de80141..65723385163 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRpEntity.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRpEntity.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * The <a href=
  * "https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialrpentity">PublicKeyCredentialRpEntity</a>
@@ -25,7 +28,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class PublicKeyCredentialRpEntity {
+public final class PublicKeyCredentialRpEntity implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -5219081524858472915L;
 
 	private final String name;
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java
index 57f1c6ec463..1efcb45254d 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * The <a href=
  * "https://www.w3.org/TR/webauthn-3/#enum-credentialType">PublicKeyCredentialType</a>
@@ -24,7 +27,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class PublicKeyCredentialType {
+public final class PublicKeyCredentialType implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 7025333122210061679L;
 
 	/**
 	 * The only credential type that currently exists.
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java
index f5da998fd83..cade3a009c8 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java
@@ -19,6 +19,8 @@
 import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest;
 import org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations;
 
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</a>
@@ -30,7 +32,7 @@
  * @since 6.4
  * @see WebAuthnRelyingPartyOperations#authenticate(RelyingPartyAuthenticationRequest)
  */
-public interface PublicKeyCredentialUserEntity {
+public interface PublicKeyCredentialUserEntity extends Serializable {
 
 	/**
 	 * The <a href=
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ResidentKeyRequirement.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ResidentKeyRequirement.java
index 082df8c675e..259f65f0afb 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ResidentKeyRequirement.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ResidentKeyRequirement.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * The <a href=
  * "https://www.w3.org/TR/webauthn-3/#enumdef-residentkeyrequirement">ResidentKeyRequirement</a>
@@ -24,7 +27,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class ResidentKeyRequirement {
+public final class ResidentKeyRequirement implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 2047716518193458797L;
 
 	/**
 	 * The <a href=
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/UserVerificationRequirement.java b/web/src/main/java/org/springframework/security/web/webauthn/api/UserVerificationRequirement.java
index adc915015b5..fa0c6740723 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/UserVerificationRequirement.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/UserVerificationRequirement.java
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#enumdef-userverificationrequirement">UserVerificationRequirement</a>
@@ -24,7 +27,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class UserVerificationRequirement {
+public final class UserVerificationRequirement implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -2801001231345540040L;
 
 	/**
 	 * The <a href=
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java
index 8009f0f16f6..1f2823f98aa 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java
@@ -17,6 +17,7 @@
 package org.springframework.security.web.webauthn.jackson;
 
 import java.io.IOException;
+import java.io.Serial;
 
 import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.databind.SerializerProvider;
@@ -33,6 +34,9 @@
  */
 class AuthenticationExtensionsClientInputsSerializer extends StdSerializer<AuthenticationExtensionsClientInputs> {
 
+	@Serial
+	private static final long serialVersionUID = -5579815774497047153L;
+
 	/**
 	 * Creates a new instance.
 	 */

From 2a63705685cc06fc594490aa0e092940ce905a47 Mon Sep 17 00:00:00 2001
From: Loeiz TANGUY <loeiz.tanguy@gmail.com>
Date: Mon, 21 Jul 2025 14:17:24 +0200
Subject: [PATCH 3/5] Add test

Signed-off-by: Loeiz TANGUY <loeiz.tanguy@gmail.com>
---
 ...Webauthn4jRelyingPartyOperationsTests.java | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java b/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
index dc597918354..27f5b54906a 100644
--- a/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
@@ -16,6 +16,10 @@
 
 package org.springframework.security.web.webauthn.management;
 
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
 import java.nio.charset.StandardCharsets;
 import java.time.Duration;
 import java.util.Arrays;
@@ -60,6 +64,7 @@
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity;
 import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
+import org.springframework.util.SerializationUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
@@ -494,6 +499,30 @@ void createCredentialRequestOptionsThenUserVerificationSameAsCreation() {
 			.isEqualTo(creationOptions.getAuthenticatorSelection().getUserVerification());
 	}
 
+	@Test
+	void convertParamToWebauthn4jPublicKeyComparison() throws Exception {
+
+		PublicKeyCredentialCreationOptions options = TestPublicKeyCredentialCreationOptions
+				.createPublicKeyCredentialCreationOptions()
+				.build();
+
+		// Simulate storage into external session storage: serialize/deserialize of the creation options
+		ByteArrayOutputStream bo = new ByteArrayOutputStream();
+		ObjectOutputStream oos =  new ObjectOutputStream(bo);
+		oos.writeObject(options);
+
+		ObjectInputStream ois =  new ObjectInputStream(new ByteArrayInputStream(bo.toByteArray()));
+		PublicKeyCredentialCreationOptions copiedOptions = (PublicKeyCredentialCreationOptions)ois.readObject() ;
+
+		// Check that the deep copied options are still valid
+		PublicKeyCredential publicKey = TestPublicKeyCredential.createPublicKeyCredential().build();
+		ImmutableRelyingPartyRegistrationRequest registrationRequest = new ImmutableRelyingPartyRegistrationRequest(
+				copiedOptions, new RelyingPartyPublicKey(publicKey, this.label));
+
+		var test = this.rpOperations.registerCredential(registrationRequest);
+
+	}
+
 	private static AuthenticatorAttestationResponse setFlag(byte... flags) throws Exception {
 		AuthenticatorAttestationResponseBuilder authAttResponseBldr = TestAuthenticatorAttestationResponse
 			.createAuthenticatorAttestationResponse();

From 32a3f41931de425c30b1d0fa649e682143fe07b3 Mon Sep 17 00:00:00 2001
From: Loeiz TANGUY <loeiz.tanguy@gmail.com>
Date: Mon, 21 Jul 2025 15:54:21 +0200
Subject: [PATCH 4/5] Align serial version UID with main

Signed-off-by: Loeiz TANGUY <loeiz.tanguy@gmail.com>
---
 .../web/webauthn/api/AttestationConveyancePreference.java    | 4 ++++
 .../org/springframework/security/web/webauthn/api/Bytes.java | 2 +-
 .../api/CredProtectAuthenticationExtensionsClientInput.java  | 4 ++--
 .../api/ImmutableAuthenticationExtensionsClientInput.java    | 5 ++---
 .../api/ImmutableAuthenticationExtensionsClientInputs.java   | 5 ++---
 .../webauthn/api/ImmutablePublicKeyCredentialUserEntity.java | 5 ++---
 6 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java
index 3960b40a3f4..fa65ae1dced 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java
@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
 import java.io.Serializable;
 
 /**
@@ -30,6 +31,9 @@
  */
 public final class AttestationConveyancePreference implements Serializable {
 
+	@Serial
+	private static final long serialVersionUID = -746545182023303673L;
+
 	/**
 	 * The <a href=
 	 * "https://www.w3.org/TR/webauthn-3/#dom-attestationconveyancepreference-none">none</a>
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java b/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
index 816c0ce2ea4..b8270577e46 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
@@ -33,7 +33,7 @@
 public final class Bytes implements Serializable {
 
 	@Serial
-	private static final long serialVersionUID = -7420539646106189663L;
+	private static final long serialVersionUID = -3278138671365709777L;
 
 	private static final SecureRandom RANDOM = new SecureRandom();
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java
index 1342bf5f145..d315281ab6a 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java
@@ -28,10 +28,10 @@
  * @since 6.4
  */
 public class CredProtectAuthenticationExtensionsClientInput
-		implements AuthenticationExtensionsClientInput<CredProtectAuthenticationExtensionsClientInput.CredProtect>, Serializable {
+		implements AuthenticationExtensionsClientInput<CredProtectAuthenticationExtensionsClientInput.CredProtect> {
 
 	@Serial
-	private static final long serialVersionUID = 1594370832009118794L;
+	private static final long serialVersionUID = -6418175591005843455L;
 
 	private final CredProtect input;
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java
index b337660364c..0a28258703f 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java
@@ -17,7 +17,6 @@
 package org.springframework.security.web.webauthn.api;
 
 import java.io.Serial;
-import java.io.Serializable;
 
 /**
  * An immutable {@link AuthenticationExtensionsClientInput}.
@@ -27,10 +26,10 @@
  * @since 6.4
  * @see AuthenticationExtensionsClientInputs
  */
-public class ImmutableAuthenticationExtensionsClientInput<T> implements AuthenticationExtensionsClientInput<T>, Serializable {
+public class ImmutableAuthenticationExtensionsClientInput<T> implements AuthenticationExtensionsClientInput<T> {
 
 	@Serial
-	private static final long serialVersionUID = -4728475902609231330L;
+	private static final long serialVersionUID = -1738152485672656808L;
 
 	/**
 	 * https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java
index 1a625670ea4..1482beee579 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java
@@ -17,7 +17,6 @@
 package org.springframework.security.web.webauthn.api;
 
 import java.io.Serial;
-import java.io.Serializable;
 import java.util.Arrays;
 import java.util.List;
 
@@ -27,10 +26,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public class ImmutableAuthenticationExtensionsClientInputs implements AuthenticationExtensionsClientInputs, Serializable {
+public class ImmutableAuthenticationExtensionsClientInputs implements AuthenticationExtensionsClientInputs {
 
 	@Serial
-	private static final long serialVersionUID = -4836558379344450438L;
+	private static final long serialVersionUID = 4277817521578485720L;
 
 	private final List<AuthenticationExtensionsClientInput> inputs;
 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java
index c89db2ed1f0..c5ffdbcbd00 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java
@@ -17,7 +17,6 @@
 package org.springframework.security.web.webauthn.api;
 
 import java.io.Serial;
-import java.io.Serializable;
 
 /**
  * <a href=
@@ -29,10 +28,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class ImmutablePublicKeyCredentialUserEntity implements PublicKeyCredentialUserEntity, Serializable {
+public final class ImmutablePublicKeyCredentialUserEntity implements PublicKeyCredentialUserEntity {
 
 	@Serial
-	private static final long serialVersionUID = -3487418268223398299L;
+	private static final long serialVersionUID = -3438693960347279759L;
 
 	/**
 	 * When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier

From 030ccbcbb6930c3b847d63d58d2d06cd4c20336a Mon Sep 17 00:00:00 2001
From: Loeiz TANGUY <loeiz.tanguy@gmail.com>
Date: Mon, 21 Jul 2025 19:16:34 +0200
Subject: [PATCH 5/5] Test clean up

Signed-off-by: Loeiz TANGUY <loeiz.tanguy@gmail.com>
---
 .../management/Webauthn4jRelyingPartyOperationsTests.java     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java b/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
index 27f5b54906a..25f6aa2a111 100644
--- a/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
@@ -519,8 +519,8 @@ void convertParamToWebauthn4jPublicKeyComparison() throws Exception {
 		ImmutableRelyingPartyRegistrationRequest registrationRequest = new ImmutableRelyingPartyRegistrationRequest(
 				copiedOptions, new RelyingPartyPublicKey(publicKey, this.label));
 
-		var test = this.rpOperations.registerCredential(registrationRequest);
-
+		// Should not throw an exception
+		this.rpOperations.registerCredential(registrationRequest);
 	}
 
 	private static AuthenticatorAttestationResponse setFlag(byte... flags) throws Exception {