Changelog

All notable changes to this project will be documented in this file.

⚠️ The different IdsvrHaapi packages are versioned together for simplicity. Some packages may not change in a given version. For additional information refer to the changes in IdsvrHaapiDriver and IdsvrHaapiUIKit.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[4.7.0] - 2025-06-16

Fixed

• Custom properties in Action now support types String, Bool, Integer and Double for content values. [HSI-387]
• The applicationBundle was not set when falling to the DCR configuration. [HSI-403]
• Regression where the public properties visibility for the Metadata model were made internal. [HSI-402]

[4.6.1] - 2025-05-16

Fixed

• Regression where some special characters in input values sent to the server were not being encoded correctly. [HSI-391]

[4.6.0] - 2025-05-05

Added

• HaapiAccessorBuilder's attestation validation keyName can be configured. [HSI-379]
• DCRConfiguration can be configured with a Storage. [HSI-378]

Fixed

• HaapiAccessorBuilder attestation validation. [HSI-379]
  • The attestation validation reuses the state related to the key pair generation and attestation requests. Performance is improved.
  • The keyName value is fixed, allowing better key management and handling when the attestation state is reused.

[4.5.0] - 2025-03-24

Fixed

• HaapiAccessorBuilder accessor creation use case where DCR would trigger incorrectly and cause the OAuthTokenManager to use an incorrect configuration when trying to refresh tokens. [HSI-374]

[4.4.1] - 2025-01-24

Added

• IdsvrHaapiSdkTestUtils are added to the internal package to expose a way to help developers create conditions that allow testing the framework's behaviour and its integration with client applications. [HSI-351]
• RawJsonRepresentable protocol conformance is added to HaapiRepresentation and ProblemRepresentation models to provide a consistent JSON representation across platforms. [HSI-343]

[4.4.0] - 2024-12-16

Added

• A Client Authentication Method can be provided to the framework configuration, adding on security options enforcement. [HSI-321]
• A DCR fallback configuration can be provided to allow the framework to gracefully fallback when attestation errors occur or when the device doesn't support it. [HSI-324]
• HaapiAccessorBuilder can be used to configure and instantiate HaapiManager and OAuthTokenManager instances. [HSI-324]
  • An HaapiManagerAccessor wrapper object containing the configured managers is returned.
  • HaapiAccessorBuilder is the recommended way of creating instances of the managers (HaapiManager and OAuthTokenManager) to interact with Curity Identity Server.
• Adds support for Risk Assessment data collection (ex: BankID's risk assessment functionality) by providing application context to the framework. [HSI-349]
  • It requires a version of the Curity Identity Server that accepts the risk assessment information (starting from 9.7.0).

Changed

• Depending on the provided configurations for Attestation and DCR, the framework can gracefully handle attestation errors and fallback to use Dynamic Client Registration. [HSI-324]

[4.3.0] - 2024-10-14

Added

• Support for Discoverable Credentials mode when enabled in the server PassKeys authenticator. [HSI-281]
  • Full support for Passkeys functionality requires iOS 16 and iCloud Keychain enabled on the devices.
  • It requires a version of the Curity Identity Server that supports PassKeys Discoverable Credentials (starting from 9.3.0).
• More logs related to revocation in OAuthTokenManager and when storing the DPoP. [HSI-327]

Changed

• BoundedTokenConfiguration and UnboundedTokenConfiguration are final. [HSI-330]
  • When OAuthTokenManager uses UnboundedTokenConfiguration and OAuthTokenManager.fetchAccessToken is invoked with a DPoP object from HaapiManager.dpop then a HaapiError.invalidConfiguration is returned. It can be fixed by aligning the configuration between the server/client or not providing a DPoP object. [HSI-330]
  • When OAuthTokenManager uses BoundedTokenConfiguration and OAuthTokenManager.fetchAccessToken is invoked without a DPoP object then the server returns an error. It can be fixed by aligning the configuration between the server/client or providing the missing DPoP object. [HSI-330]

Fixed

• On a successful request with OAuthTokenManager, it is unnecessary to override the DPoP in the storage. [HSI-327]
• When OAuthTokenManager.refreshToken is invoked and the DPoP is missing, the request is not blocked. [HSI-330]

[4.2.1] - 2024-08-12

Added

• OAuthTokenManager can take an optional dictionary of parameters to be added to the request body when invoking fetchAccessToken or refreshAccessToken. [HSI-286]
• OAuthTokenManager.TokenEndpointResponseListener can be configured in HaapiConfiguration to listen to the token endpoint in OAuthTokenManager. [HSI-287]

[4.2.0] 2024-08-05

Fixed

• The version metadata exposed by the frameworks.

[4.2.0-rc.1] 2024-07-24

Added

• HaapiConfiguration can be configured with TokenBoundConfiguration. [HSI-301]
• Dpop related errors that happen in OAuthTokenManager usage are exposed to the client application in HaapiError.dpopProofFailure. [HSI-301]

Changed

• OAuthTokenManager supports the server configuration issue-token-bound-authorization-code by using TokenBoundConfiguration. [HSI-301]
  • When using the server configuration issue-token-bound-authorization-code, the TokenBoundConfiguration is required in HaapiConfiguration for HaapiManager and OAuthTokenManager. See README for more details.

[4.1.4] - 2024-06-28

Fixed

• Error that would cause the framework to crash when receiving an OAuth Token error representation from the server with "Expose Detailed Error Messages" disabled in the Token Profile. [HSI-290]

[4.1.3] - 2024-06-13

No changes.

[4.1.2] - 2024-06-10

Fixed

• ClientOperationActionModel has a new parameter: arguments. This parameter is present in the following subclasses: ExternalBrowserClientOperationActionModel, BankIdClientOperationActionModel, EncapAutoActivationClientOperationActionModel, WebAuthnRegistrationClientOperationActionModel, WebAuthnAuthenticationClientOperationActionModel and GenericClientOperationActionModel. [HSI-275]
• Aligning encoding format for Action, FormField and AuthenticatorSelctorStep with Android counterpart. [HSI-275]
• When using HaapiManager, Content-Type headers are omitted when the requests don't contain payload content (RFC9110). [HSI-279]

[4.1.1] - 2024-03-25

No changes.

[4.1.0] - 2024-02-27

Changed

• Framework now provides a utility HaapiModel that exposes a model factory API to create model instances for testing purposes. [HSI-268]
• Framework models now conform to Codable to facilitate testing. [HSI-111]

[4.0.0] - 2024-02-12

No changes.

[3.2.0] - 2023-12-18

Added

• HaapiManager can return a Dpop to support this configuration issue-token-bound-authorization-code. [HSI-244]
  • It requires a version of the Curity Identity Server that supports token binding (starting from 8.7.0).

Changed

• OAuthTokenManager can take a Dpop to fetch an access token when using this configuration on the Identity Server: issue-token-bound-authorization-code. [HSI-244]

Fixed

• The model parsing for properties in Step and Action. [HSI-243]

[3.1.0] - 2023-11-06

Fixed

• The BankId url parameters duplication that causes the BankId app to trigger incorrectly. [HSI-243]

Changed

• Added parameter in withQuery helper method implementation for URL parameterization to allow overriding query parameters. [HSI-243]

[3.0.0] - 2023-08-14

Added

• HaapiConfiguration now provides a property attestationConfiguration to configure DeviceCheck attestation on physical devices. [HSI-195] [HSI-182]
  • A configuration property useAttestation to enable/disable DeviceCheck attestation. [HSI-195]
  • A configuration property attestationMaxRetries to configure retry mechanism. [HSI-182]
• Problem type to represent an error when there's a mismatch between the session and access token. [HSI-158]

Changed

• The logger provides contextual information. [HSI-151]
• OAuthAuthorizationParameters are now configured in HaapiConfiguration via authorizationParametersProvider property. [HSI-160]
  • Previous configuration has been removed from the parameters for the start method in HaapiManager.
• HttpHeadersProvider is now configured in HaapiConfiguration in httpHeadersProvider property. [HSI-161]
  • Previous configuration has been removed from the parameters of the HaapiManager constructor.
• HaapiManager's APIs support the new concurrency models: async/await. [HSI-162]
• When instantiating HaapiManager, it can throw exceptions. [HSI-138]
• HttpCookies are removed when HaapiManager.start() is invoked. [HSI-201]
• HaapiLogger has new configurations and logs output is improved. [HSI-153]

Fixed

• Fixed isEqualTo method implementation for UsernameFormField. [HSI-219]

[2.5.0] - 2023-02-13

Added

• HaapiClientOperation models are added to support native WebAuthn Authorization. [HSI-105]
  • It requires a version of the Curity Identity Server that includes HAAPI support for the WebAuthn authenticator.

[2.4.0] - 2022-12-19

Added

• HTTP headers provider in HaapiManager. [HSI-134]

Fixed

• Invalid decoding for representation that has SelectFormField.Option.selected. [HSI-133]

[2.3.0] - 2022-11-07

Fixed

• Invalid escaping value for client operations. [HSI-119]
• Error is thrown when HaapiManager.start() was invoked more than once per app run. HaapiManager.start() can now be invoked multiple times during the application lifetime. [HSI-126]
• Apple rejection when Bitcode is enabled in the application. [HSI-129]

Changed

• HaapiManager.submitForm() can now be supplied with parameters of type Dictionary<String, Any> instead of a Dictionary<String, String>. [HSI-130]

[2.2.2] - 2022-09-01

Changed

• SKIP_INSTALL to false in the build settings. [HSI-118]

[2.2.1] - 2022-07-25

Changed

• Build settings to generate a valid XCFramework that can be reviewed or placed on the App Store. [HSI-114]

Fixed

• Bug related with the generated XCFramework and developer could not output debug information. [HSI-112]

[2.2.0] - 2022-06-20

Added

• The Haapi SDK now provides Token Revocation functionality. [HSI-93]
• OAuthTokenManager now provides a token revocation interface for access and refresh tokens.

Fixed

• Bug when serializing acr_values into request's query parameters. [HSI-95]

[2.1.1] - 2022-05-25

Added

• Changelogs for driver and sdk. [HSI-84]

• The framework can be imported and linked in projects targeting deployment versions below iOS 14 when using SPM and drag-and-drop import. [HSI-82]

• Now provides compile time availability check information for OS version

Fixed

• Crash when running on devices with iOS version below 14 [HSI-82]

[2.1.0] - 2022-05-12

Added

• Nonce and at_hash support for DPoP messages. [HSI-83]
• The HAAPI Driver and HAAPI SDK frameworks can now support the new DPoP processing algorithm that was introduced in Curity Identity Server 7.1.0.

Changed

• Improvement to the documentation. [HSI-85]
• Small improvements to generated documentation including documentation on DPoP 401.

[2.0.0] - 2022-02-10

Added

• The HAAPI SDK is now providing HAAPI models. [HSI-76]

Changed

• HAAPI SDK version 1.0.7 is moved to HAAPI Driver project. [HSI-77]