Make WebAuthnAuthenticationTokenRequest Serializable

[jzheaux]

WebAuthAuthenticationTokenRequest should be serializable. It isn't, however, since some of its components aren't serializable. Either they should also be serializable or marked as transient.

[franticticktick]

Hi @jzheaux, could you assign this ticket to me please?

[jzheaux]

Sure thing, @franticticktick. Will you please add it on the 6.4.x branch, please?

[franticticktick]

@jzheaux there seems to be some confusion here. WebAuthnAuthenticationRequestToken contains RelyingPartyAuthenticationRequest, and it already contains PublicKeyCredentialRequestOptions.
This issue should be solved here, and I see that this ticket is still in progress. Besides, it was not introduced as a bug, which means the changes will be merged into main. Therefore, we need to decide which branch to add these changes to.

[jzheaux]

My concern here is that WebAuthnAuthenticationRequestToken already implements Serializable and is thus at risk of having that ID change should any of its internals change in 6.5. It would mean that folks using Java serialization for this component would break when moving from 6.4 to 6.5. I'd rather mitigate that risk by adding an ID in 6.4.x. I double-checked with @rwinch and we are on the same page.

As such the work in #16431 will need to be repeated in 6.4.x as part of this ticket.

So, let's please continue with the plan to target 6.4.x for this fix.

[franticticktick]

@jzheaux thanks for the explanation :) I can make serializable WebAuthnAuthenticationRequestToken and its related classes like RelyingPartyAuthenticationRequest, PublicKeyCredential, AuthenticatorAssertionResponse etc. PublicKeyCredentialRequestOptions will remain as is, since it will be made serializable via #16431. But we must remember that some classes are already serializable and are located in the main branch, for example, Bytes. We need to make a backport to 6.4.x. And this should be taken into account now in #16431